“Something, Somewhere Went Terribly Wrong” Luxnut Virus (Remove) - How to, Technology and PC Security Forum | SensorsTechForum.com
THREAT REMOVAL

“Something, Somewhere Went Terribly Wrong” Luxnut Virus (Remove)

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Luxnut and other threats.
Threats such as Luxnut may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

Article created to explain how to remove the Luxnut ransomware virus and restore files that have been added the .locked file extension.

A new ransomware infection has been discovered by malware researchers at the end of May 2017. The virus carries the dubbed name Luxnut and appends the .locked file extension on the encrypted file. The interesting part is that this virus does not drop any ransom note on the infected computer, showing no sign of ransom demands to unlock the encrypted files. In case your computer has been infected by the Luxnut ransomware virus, we advise you to read the following article.

Threat Summary

NameLuxnut
TypeRansomware, Cryptovirus
Short DescriptionThe virus encrypts the files on the computers infected by it after which appends the .locked file extension and changes the wallpaper
SymptomsThe wallpaper is changed to the evolution of humanity fail picture with the text “Something, somewhere went terribly wrong”.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Luxnut

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Luxnut.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does Luxnut Ransomware Infect

For it’s infection process, this ransomware virus uses multiple different types of approaches. It may come as a fake installer of a program or a fake game patch or software license activator. It may also be force-downloaded from malicious web links.

The most often method of distribution, seen with ransomware, like the Luxnut infection is to be spread via spammed e-mails. This ransomware virus can be involved in the massive sending of spam e-mails to various unsuspecting users. These e-mails may either contain malicious e-mail attachments or web links that can lead to the infection. The e-mails contain deceptive messages within them that aim to convince the victim into clicking on the malicious object.

In some cases there are even Microsoft Office documents with malicious macros embedded within them that may infect your computer with Luxnut ransomware. The infection procedure includes a document that prompts you to click on “Enable Content”, immediately after which the virus connects to a remote host and downloads it’s payload on your computer.

Luxnut .locked File Virus – Further Analysis

As soon as this ransomware virus has infected your computer, it has been identified that it drops two files on it:

  • The malicious executable of the virus, named eda2.exe.
  • The picture which is set as your wallpaper.

After the malicious files of the Luxnut ransomware infection have been situation on your computer, the executable may further extract multiple support files, that may be .tmp or .dll formats. These files may contain functions that may change different settings on your computer. One of those settings’ modification may result in changing your wallpaper to the following image:

In addition to this, the .locked file virus may also set it’s malicious executable to run on Windows boot. The targeted Windows registry sub-keys in which you may see value strings associated with the Luxnut ransomware virus are usually the Run and RunOnce keys.

But Luxnut ransomware does not stop there. The virus may also delete Windows system restore points and shadow copies as well. To do this, the Luxnut ransomware virus may also execute Windows commands in the background, like the following commands;

  • bcedit
  • vssadmin

Luxnut .locked Ransomware – Encryption Process

In order to encrypt the files on the computers it has infected, Luxnut uses the AES encryption algorithm, also known as Advanced Encryption Standard. Although it has not yet been confirmed, the Luxnut virus may also use the EDA2 encryption mode, since on the encrypted files, the file marker eda2 has been detected. This is a specific encryption mode that aims to render the files on the computer no longer able to be opened by replacing important code of those files.

Furthermore, Luxnut ransomware also aims to encrypt only specific files from the infected computer, carefully avoiding Windows system files, so the OS does not crash afterwards. The files it is looking for to encrypt are around 20 file types and the virus is pre-configured to scan them by extensions:

→ .asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml Source: id-ransomware.blogspot.bg

After the files have been encrypted by the Luxnut virus, they are appended the .locked file extension to them. It is the primary file extension that is also seen in many other ransomware variants, like FabSysCrypto, CryptoShocker and CyberDrill.

Remove Luxnut Ransomware and Restore .locked Files

In order to remove this ransomware virus, we recommend you to focus on following the removal instructions we created below. They are specifically designed to remove the .locked virus either manually or automatically. In case you feel unsure that you will remove all the files of this virus, experts recommend doing the removal automatically with the aid of an advanced anti-malware program.

After having already removed this ransomware virus from your computer, we recommend you to try and restore your files using the alternative instructions below in step “2. Restore files encrypted by Luxnut”. The virus does not have any contact address to which to pay the ransom, but even if you see any, we strongly advise you against paying the ransom.

Note! Your computer system may be affected by Luxnut and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Luxnut.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Luxnut follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Luxnut files and objects
2. Find files created by Luxnut on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Luxnut

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...