A new ransomware infection was discovered by malware researchers at the end of May 2017. The virus has been dubbed Luxnut and appends the .locked file extension to the files it encrypts. The interesting part is that this virus does not drop any ransom note on the infected computer, so there is no sign of a ransom demand to unlock the encrypted files. In case your computer has been infected by the Luxnut ransomware virus, we advise you to read the following article.
| Threat summary | Luxnut ransomware |
|---|---|
| Short Description | The virus encrypts the files on the computers it infects, then appends the .locked file extension and changes the wallpaper. |
| Symptoms | The wallpaper is changed to the "evolution of humanity fail" picture with the text "Something, somewhere went terribly wrong". |
| Distribution Method | Spam e-mails, e-mail attachments, executable files |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
How Does Luxnut Ransomware Infect
For its infection process, this ransomware virus uses several different approaches. It may come as a fake installer of a program, a fake game patch or a software license activator. It may also be force-downloaded from malicious web links.
The most common distribution method seen with ransomware like Luxnut is spam e-mail. This ransomware virus can be involved in the mass sending of spam e-mails to unsuspecting users. These e-mails may either contain malicious attachments or web links that lead to the infection, and they carry deceptive messages that aim to convince the victim to click on the malicious object.
In some cases even Microsoft Office documents with malicious macros embedded in them may infect your computer with Luxnut ransomware. The infection procedure involves a document that prompts you to click on "Enable Content", immediately after which the virus connects to a remote host and downloads its payload to your computer.
Luxnut .locked File Virus – Further Analysis
As soon as this ransomware virus has infected your computer, it drops two files on it:
- The malicious executable of the virus, named eda2.exe.
- The picture which is set as your wallpaper.
After the malicious files of the Luxnut ransomware infection have been placed on your computer, the executable may further extract multiple support files, which may be in .tmp or .dll format. These files may contain functions that change different settings on your computer. One of those modifications may result in your wallpaper being changed to the image described above.
In addition, the .locked file virus may also set its malicious executable to run on Windows boot. The targeted Windows registry sub-keys in which you may see value strings associated with the Luxnut ransomware virus are usually the Run and RunOnce keys.
But Luxnut ransomware does not stop there. The virus may also delete Windows system restore points and shadow copies. To do this, the Luxnut ransomware virus may execute Windows commands in the background, like the following commands:
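A defender-side triage script for the persistence described above, added here and not part of the original write-up: it reads the HKCU/HKLM Run and RunOnce values named in the text and flags any that reference the eda2.exe dropper. The user-writable-directory heuristic and the sample entries used on non-Windows hosts are assumptions constructed for the example.

```python
"""Triage Run/RunOnce autostart values for the Luxnut persistence described above."""
KNOWN_BAD_IMAGES = {"eda2.exe"}  # dropper name given in the write-up
# Assumption (not from the page): droppers often start from user-writable folders.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
AUTORUN_KEYS = (r"Software\Microsoft\Windows\CurrentVersion\Run",
                r"Software\Microsoft\Windows\CurrentVersion\RunOnce")

def image_path(command):
    """Executable part of a Run value: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def classify(command):
    """Reasons an autorun value deserves a closer look (empty list = nothing found)."""
    path = image_path(command)
    reasons = []
    if path.rsplit("\\", 1)[-1].lower() in KNOWN_BAD_IMAGES:
        reasons.append("image name matches Luxnut dropper")
    if any(folder in path.lower() for folder in USER_WRITABLE):
        reasons.append("starts from a user-writable directory")
    return reasons

def read_autoruns():
    """Live HKCU/HKLM Run and RunOnce values (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    found = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        for sub in AUTORUN_KEYS:
            try:
                with winreg.OpenKey(hive, sub) as key:
                    index = 0
                    while True:  # EnumValue raises OSError once exhausted
                        name, value, _ = winreg.EnumValue(key, index)
                        found[sub + "\\" + name] = str(value)
                        index += 1
            except OSError:  # key absent, or enumeration finished
                continue
    return found

if __name__ == "__main__":
    entries = read_autoruns() or {  # constructed sample for non-Windows hosts
        r"Run\OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
        r"Run\eda2": r"C:\Users\victim\AppData\Local\Temp\eda2.exe",
    }
    for name, cmd in entries.items():
        print("SUSPECT" if classify(cmd) else "ok     ", name, cmd, classify(cmd))
```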
Luxnut .locked Ransomware – Encryption Process
In order to encrypt the files on the computers it has infected, Luxnut uses the AES encryption algorithm, also known as Advanced Encryption Standard. Although it has not yet been confirmed, the Luxnut virus may also use the EDA2 encryption mode, since the file marker eda2 has been detected on the encrypted files. This is a specific encryption mode that aims to render the files on the computer no longer able to be opened by replacing important code of those files.
Furthermore, Luxnut ransomware aims to encrypt only specific files on the infected computer, carefully avoiding Windows system files so the OS does not crash afterwards. It looks for around 20 file types and is pre-configured to scan for them by extension:
→ .asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
Source: id-ransomware.blogspot.bg
After the files have been encrypted by the Luxnut virus, the .locked file extension is appended to them. This extension is also seen in many other ransomware variants, like FabSysCrypto, CryptoShocker and CyberDrill.
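An added impact-scoping script (not from the original article) that inventories *.locked files by their original extension against the 20-extension list above; files whose original type is outside that list are reported separately, since .locked is shared with the other families named. The directory tree built in demo() is constructed sample data.

```python
"""Scope a Luxnut infection: inventory *.locked files by their original extension."""
from collections import Counter
from pathlib import Path
import tempfile

# The 20 extensions the write-up lists as targeted.
TARGETED = {".asp", ".aspx", ".csv", ".doc", ".docx", ".html", ".jpg", ".mdb",
            ".odt", ".php", ".png", ".ppt", ".pptx", ".psd", ".sln", ".sql",
            ".txt", ".xls", ".xlsx", ".xml"}
LOCKED = ".locked"

def original_extension(filename):
    """'budget.xlsx.locked' -> '.xlsx'; '' if nothing survives; None if not .locked."""
    if not filename.lower().endswith(LOCKED):
        return None
    return Path(filename[:-len(LOCKED)]).suffix.lower()

def inventory(root):
    """Count .locked files per original extension; list those outside TARGETED
    (a .locked file Luxnut's list would not cover hints at a different family)."""
    root = Path(root)
    counts = Counter()
    unexpected = []
    for path in root.rglob("*"):
        ext = original_extension(path.name) if path.is_file() else None
        if ext is None:
            continue
        counts[ext] += 1
        if ext not in TARGETED:
            unexpected.append(path.relative_to(root).as_posix())
    return counts, sorted(unexpected)

def demo():
    """Build a constructed sample tree in a temp directory and inventory it."""
    root = Path(tempfile.mkdtemp())
    for name in ("docs/report.docx.locked", "docs/budget.xlsx.locked",
                 "web/index.php.locked", "backup/site.bak.locked",
                 "notes.txt", "pic.png.locked"):
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample, not real ciphertext")
    return inventory(root)

if __name__ == "__main__":
    counts, unexpected = demo()
    print("encrypted files by original type:", dict(counts))
    print("encrypted files outside Luxnut's list:", unexpected)
```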
Remove Luxnut Ransomware and Restore .locked Files
In order to remove this ransomware virus, we recommend that you follow the removal instructions we created below. They are specifically designed to remove the .locked virus either manually or automatically. In case you feel unsure that you will remove all the files of this virus, experts recommend performing the removal automatically with the aid of an advanced anti-malware program.
After you have removed this ransomware virus from your computer, we recommend that you try to restore your files using the alternative instructions below, in step "2. Restore files encrypted by Luxnut". The virus does not provide any contact address to which to pay the ransom, but even if you see one, we strongly advise you against paying.