A new ransomware called LLTP Ransomware, also known as LLTP Locker, was recently detected by MalwareHunterTeam. It currently targets Spanish-speaking computer users. PC security researchers detected this harmful threat on March 21, 2017, and on deeper analysis found it to be an updated version of the VenusLocker ransomware detected some days earlier. It is a very harmful threat and is able to infect Windows computer systems. It is also much more advanced, as it can carry out its infection even without an Internet connection; that is, LLTP Ransomware works in both online and offline mode. This makes it more dangerous, because the LLTP ransomware will encrypt a victim’s files even when no Internet connection is available. LLTP Ransomware also uses different file extensions, which it appends to the encrypted data.
As soon as LLTP Ransomware gets inside the computer system, it connects the compromised computer to its Command & Control server, located at http://moniestealer.co.nf. It gathers personal data and then sends the collected information, such as the victim’s computer name, user name and identifier string, to the remote server in order to gain full control over the PC. Once the LLTP ransomware has connected to the C2 server, the server responds with an AES password, which is then used to encrypt the victim’s files, and an ID that is inserted into the ransom notes. If LLTP Ransomware is unable to connect to the C2 server, the ransomware generates this information itself.
The encryption password that is generated is then encrypted using an embedded public RSA encryption key. This key is saved in a file called %UserProfile%\AppData\Local\Temp\tlltpl.tlltpl. The current embedded RSA key used to encrypt the victim’s AES password is given below:
Next, LLTP Ransomware proceeds with the file encryption process, which is done using AES-256 encryption. It can affect all computer files, and it uses different extensions for the encrypted files depending on the file’s original extension. It appends the .ENCRYPTED_BY_LLTP extension to encrypted files with the following extensions:
It appends the .ENCRYPTED_BY_LLTPp extension to encrypted files with the following extensions:
However, while encrypting computer files, LLTP Ransomware will skip files located in the following folders:
The ransomware also creates a folder called %Temp%\lltprwx86\ and extracts into it a file called encp.exe. It then creates a subfolder called vault and copies into it all files encrypted with the .ENCRYPTED_BY_LLTPp extension. It uses encp.exe to create a password-protected RAR archive of the vault folder. The command used to create the password-protected archive is:
encp.exe a -r -mt2 -dw -hp [password] -m0 %Temp%\lltprwx86\Files.LLTP %Temp%\lltprwx86\vault\*.*
LLTP Ransomware will delete the Shadow Volume Copies, making it hard to recover data. After the encryption completes, it drops a file called RansomNote.exe on the desktop. Even though your data is important, you are advised not to pay the cyber criminals; instead, make use of the reliable and secure Free Scanner, an ultimate solution to remove LLTP Ransomware from the PC.
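As an added example (not code from the original write-up), the following Python script checks a user profile or a mounted disk image for the LLTP artefacts described above: the two encrypted-file extensions, the %Temp%\lltprwx86 staging folder with its vault subfolder, encp.exe, the Files.LLTP archive, the tlltpl.tlltpl key file and RansomNote.exe. The directory it builds is constructed placeholder data, and the function and constant names are my own.

```python
import os
import tempfile
from pathlib import Path

# Extensions and dropped-file names are those named in the write-up above.
ENCRYPTED_SUFFIXES = (".ENCRYPTED_BY_LLTP", ".ENCRYPTED_BY_LLTPp")
ARTEFACT_NAMES = {"tlltpl.tlltpl", "encp.exe", "Files.LLTP", "RansomNote.exe"}
STAGING_DIR = "lltprwx86"

def triage(root):
    """Report LLTP indicators under `root` as POSIX paths relative to it. The suffix
    check is case-sensitive, keeping .ENCRYPTED_BY_LLTP and .ENCRYPTED_BY_LLTPp apart."""
    root = Path(root)
    hits = {"encrypted": [], "artefacts": [], "staging_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        for d in dirnames:  # the %Temp%\lltprwx86 staging folder
            if d.lower() == STAGING_DIR:
                hits["staging_dirs"].append((here / d).relative_to(root).as_posix())
        for f in filenames:
            rel = (here / f).relative_to(root).as_posix()
            if f in ARTEFACT_NAMES:  # key file, packer, RAR archive, ransom note
                hits["artefacts"].append(rel)
                continue
            for suffix in ENCRYPTED_SUFFIXES:
                if f.endswith(suffix):
                    hits["encrypted"].append((rel, suffix))
                    break
    for value in hits.values():
        value.sort()
    return hits

def build_sample_tree():
    """Constructed sample data only: a throwaway tree mimicking a post-infection
    profile, with placeholder bytes in place of real files or malware."""
    base = Path(tempfile.mkdtemp(prefix="lltp_sample_"))
    docs, desk = base / "Documents", base / "Desktop"
    temp = base / "AppData" / "Local" / "Temp"
    vault = temp / STAGING_DIR / "vault"
    for d in (docs, desk, vault):
        d.mkdir(parents=True)
    (docs / "report.docx.ENCRYPTED_BY_LLTP").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.ENCRYPTED_BY_LLTPp").write_bytes(b"\x00" * 16)
    (vault / "budget.xlsx.ENCRYPTED_BY_LLTPp").write_bytes(b"\x00" * 16)  # vault copy
    (docs / "notes.txt").write_text("untouched")
    (temp / "tlltpl.tlltpl").write_bytes(b"placeholder wrapped key")
    (temp / STAGING_DIR / "encp.exe").write_bytes(b"MZ")
    (temp / STAGING_DIR / "Files.LLTP").write_bytes(b"Rar!")
    (desk / "RansomNote.exe").write_bytes(b"MZ")
    return base
```

Running triage(build_sample_tree()) returns the three indicator lists for the constructed profile; point triage() at a real profile root to run the same checks there.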
Manual Steps to Delete LLTP Ransomware From PC
From Windows XP
From Task Manager
- First, boot the computer in “Safe Mode with Networking”.
- Open Windows Task Manager.
- Select the malicious processes related to LLTP Ransomware.
- Click on End Task.
From Control Panel
- Click on the Start button >> Go to Control Panel.
- Select Add / Remove Programs.
- Choose the Trojan virus related programs.
- Click on the Uninstall button.
From Windows 7
From Control Panel
- Click on the Start Menu.
- Then select Control Panel.
- From Control Panel >> Go to Uninstall Programs.
- Choose the suspicious program related to LLTP Ransomware.
- Right-click it >> Click the Uninstall button.
- Finally, restart your PC.
From Registry Editor
- Open the Run window >> Type regedit >> Hit Enter.
- All harmful registry entries are shown here.
- Delete them to get rid of LLTP Ransomware.
We hope you have successfully deleted the LLTP Ransomware program from your Windows computer, but if the situation remains the same, you are advised to make use of the recommended Free Scanner to get rid of it.