Remove LLTP Locker Ransomware And Recover Encrypted Files

LLTP Locker Ransomware is a variant of Venus Locker. It silently encrypts your files, making them unopenable, and then demands a Bitcoin ransom (usually $200) for the key needed to recover your data. The ransom note gives the email address LLTP@mail2tor.com as the official way to contact its creators.

Encrypted files get the extension .ENCRYPTED_BY_LLTP or .ENCRYPTED_BY_LLTPp, and the original file name is Base64-encoded, so a file named “DSC_0001.JPG” becomes “RFNDXzAwMDEuSlBH.ENCRYPTED_BY_LLTPp”. Because Base64 is an encoding rather than encryption, the original file names can always be recovered from the encrypted names, even though the contents cannot.
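As an added example (PowerShell, not code from the original article or from the ransomware's authors), the script below decodes the Base64 stem of an encrypted file name back to the original name and builds an inventory of every encrypted file under a folder. It assumes the two extensions named above and that the original names were UTF-8 before encoding (the article's own example is plain ASCII, so it decodes either way); the report path is a hypothetical choice. The inventory tells you exactly which files were hit and, through the last-write timestamps, when the encryption ran, which helps when picking a restore point or shadow copy later.

```powershell
# Added example, not code from the original article. Decodes LLTP Locker's Base64 file names
# and inventories the encrypted files. Assumes the extensions .ENCRYPTED_BY_LLTP and
# .ENCRYPTED_BY_LLTPp and UTF-8 original names; $Report is a hypothetical path.

function Get-LltpOriginalName {
    # Returns the original file name for an LLTP-encrypted name, or $null if the name does
    # not fit the pattern (wrong extension, or a stem that is not valid Base64).
    param([Parameter(Mandatory)][string]$EncryptedName)
    if ($EncryptedName -match '^(?<stem>.+)\.ENCRYPTED_BY_LLTPp?$') {
        try {
            $bytes = [Convert]::FromBase64String($Matches['stem'])
            return [Text.Encoding]::UTF8.GetString($bytes)
        } catch [FormatException] {
            return $null   # not Base64: leave the name alone rather than guess
        }
    }
    return $null
}

function Get-LltpInventory {
    # One record per encrypted file under $Root: where it is, what it was called,
    # and when it was last written (the time the ransomware encrypted it).
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '\.ENCRYPTED_BY_LLTPp?$' } |
        ForEach-Object {
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                OriginalName  = Get-LltpOriginalName -EncryptedName $_.Name
                SizeBytes     = $_.Length
                EncryptedAt   = $_.LastWriteTime
            }
        }
}

# The article's own example name, decoded back to the original:
Get-LltpOriginalName -EncryptedName 'RFNDXzAwMDEuSlBH.ENCRYPTED_BY_LLTPp'

# Inventory of the current user profile, saved with the other evidence (paths are examples):
$Report    = "$env:USERPROFILE\Desktop\lltp_inventory.csv"
$inventory = @(Get-LltpInventory -Root "$env:USERPROFILE")
$inventory | Export-Csv -Path $Report -NoTypeInformation
$span = @($inventory | Sort-Object EncryptedAt)
if ($span.Count -gt 0) {
    "$($span.Count) encrypted files; encryption ran from $($span[0].EncryptedAt) to $($span[-1].EncryptedAt)"
}
```

The first call should give back DSC_0001.JPG, matching the example in the text. Keep the CSV with the other evidence: the earliest EncryptedAt value is the latest restore point or shadow copy date you can trust.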

The virus currently mixes two languages, English and Spanish: it replaces your desktop background with an English ransom note but shows a Spanish warning every time Windows starts. It also drops LEAME.txt and README.txt files, and the information across these notes is not consistent.

We strongly discourage you from paying the ransom. There is no guarantee that you will receive a decryption key, or that the criminals have not left an additional backdoor to cause even more damage. Instead, remove the virus yourself and then use our file recovery guide.

We recommend using the automatic removal tool as it will also protect your computer from possible threats in the future.


Recommended method: download the LLTP ransomware removal tool (mb3-setup.exe, 56.5 MB). This is the most suitable program for automatically removing the threat and repairing your PC. Works with Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP; read the instructions on the tool's page. An alternative tool is also available for download.

What is LLTP Locker Ransomware?

This virus is another version of Venus Locker. It has been given a new look, but many mistakes were left in. For example, the ransom note file has a Spanish name (“LEAME.txt”) but its text is in English, while the warning popup (“RansomNote.exe”) has an English title (“The LLTP Locker Ransomware”) but shows Spanish text. The desktop wallpaper is also replaced with a note stating that you are hacked and that your personal files are encrypted.

Here is the full text displayed on your desktop:

You are hacked
Your personal files are encrypted
To decrypt and recover all your files, you need to pay 200 US dollars for decryption service.
1. Exchange 200 USD (or equivalent local currencies) to Bitcoins, and then send these Bitcoins to our Bitcoin receiving address: 19fhNi9L2aYXTaTFWueRhJYGsGDaN6WGc
2. Send your Personal ID to our official email: LLTP@mail2tor.com
3. You will receive your private key to recover your files within on working day.
For detailed information, please refer to the dialog or “ReadMe.txt” on your desktop.

Here is an excerpt from the text file:

--- THE LLTP RANSOMWARE ---
Unfortunately, you are hacked.
1. What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, 
have been encrypted with RSA-4096, the strongest encryption algorithm. 
RSA algorithm generates a public key and a private key for your computer. 
The public key was used to encrypt your files a moment ago. 
The private key is necessary for you to decrypt and recover your files. 
Now, your private key is stored on our secret Internet server. 
And there is no doubt that no one can recover your files without your private key.
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)

And here is an excerpt from the Spanish ransom note (translated into English):

From this moment on, all important files stored on this computer,
such as documents (excel, pdf, doc, etc.), databases (sql, mdb, etc.), photos, music, videos and others,
are encrypted with AES-256 and RSA-2048 encryption; this means that these files are currently LOCKED
with a unique virtual key generated exclusively for this computer, which is stored on our secret internet server,
and we assure you that it is IMPOSSIBLE to unlock them without that virtual key.

Despite the language inconsistencies, the ransomware does encrypt your files and render them unopenable. The notes disagree on the details (the English text file claims RSA-4096, the Spanish note says AES-256 with RSA-2048), but either way the private key stays with the attackers and the files cannot be decrypted without it, which makes recovery very hard. The virus then demands a Bitcoin payment of $200 (address 19fhNi9L2aYXTaTFWueRhJYGsGDaN6WGcP) in exchange for the private decryption key. A 72-hour deadline is given, after which the criminals threaten to delete the private key from their servers permanently.

In some cases ransomware needs a while to encrypt all your files and delete the originals, so if you suspect that LLTP or any other ransomware has infected your computer but no ransom note has appeared yet, shut the computer down (and disconnect it from the network) to stop the encryption and salvage the remaining files. With LLTP Locker this tactic is less likely to succeed, because it encrypts quickly: it only targets a small part of your files.

There are many ways to distribute ransomware, but LLTP Locker sticks to traditional methods and mostly arrives in spam emails. The virus file is usually disguised as an important document, invoice or archive. When opened, it typically asks for additional permissions to make changes to the system (the User Account Control prompt); granting them lets the encryption start, so deny any such prompt from an unexpected attachment.

We strongly discourage you from paying the ransom: payment does not guarantee that you will receive the decryption key the criminals promise. At the time of writing we see no transactions to the Bitcoin address, which suggests that none of the victims have paid so far.

Follow the manual removal guide below, or simply use the automatic tool, to eliminate the ransomware's core files first. Once the threat is removed, move on to the file recovery guide and try to restore the encrypted files. Remember that the manual removal guide is for experienced users only, and it does not guarantee that the threat will not return if you do not secure your computer with proper antivirus software.

Manual Removal Instructions:

Remember to bookmark this page in order to access it after you restart your computer while working on the removal process!

Step 1:

Restart your computer in Safe Mode.

When your computer is infected, some of its features may be locked or otherwise tampered with by the malware. Booting into Safe Mode bypasses this, because only the core Windows components are loaded and most third-party startup programs are skipped, which lets you remove the virus.

Safe Mode loads only the most basic features, so do not be alarmed when Windows looks completely different.

Windows 98, XP, Vista or Windows 7:

  1. Restart your computer (if it is locked, press and hold the physical power button).
  2. As soon as the PC starts booting, press the F8 key repeatedly until the boot options menu appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to start.

 

Windows 8, 8.1 or Windows 10:

F8 method (1/4):

Restarting and repeatedly pressing F8 often does not work on these versions, because booting is much faster and the key presses are not always registered. Try this method first and move on to the others if it does not help.

  1. Restart your computer (if it is locked, press and hold the physical power button).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If that does not work, repeat the procedure holding Shift while pressing F8.
  3. Continue from step 5 of the Shift+Restart method below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, boot from a System Recovery CD or DVD (Windows 8 only) or a System Recovery USB stick (Windows 8 and 8.1). You will be offered the Troubleshoot option; from there the steps are the same as in the Shift+Restart method, starting from #3.

Step 2:

Find any processes that might be associated with the LLTP Locker virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking the taskbar and choosing Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

Now check each suspicious process manually.

Right-click each process in the list and choose Open File Location.

Before uploading anything, compute the file's SHA-256 hash (for example with Get-FileHash in PowerShell) and search for that hash on virustotal.com. Uploading shares the file with VirusTotal and its partners, which you do not want for personal documents; upload only if the hash is unknown.

If the scan shows that the file is dangerous, right-click the process and choose End Process, then delete the file in the location you opened. Do not end or delete processes from the Windows system folders just because their names look odd; go by the scan result.

Repeat this until you have checked all processes.

Step 3:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries. (On Windows 8 and later, msconfig's Startup tab only points you to the Startup tab of Task Manager; disable the entries there instead.)

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

The Registry Editor will open, showing all Windows registry entries.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

ransomnote

Click Find Next.

If you find any registry entries that could be associated with LLTP Locker, delete them by right-clicking on it and choosing Delete.

Repeat this search until no results are found anymore. Then repeat this step with the following search queries:

VdREVyH
ransom.note
LLTP
moniestealer

Step 5:

Clean up Windows temporary files.

LLTP Locker ransomware can run from the temporary files directory.

Deleting temporary files is safe for the system; if Windows reports that a file is in use, skip it.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 6:

Check for any recent changes in all the other important system files.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here blindly! First sort by “Date modified” and look for files changed around the time of the attack. Scan only those recently changed files with virustotal.com, and remove only files flagged as dangerous. Otherwise you might remove files Windows depends on and it might stop working.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Step 7:

Use Windows File Search (press the Windows key to open the Start Menu and type the name) to find the following files and, if found, delete them:

LEAME.txt
uinf.uinf
tlltpl.tlltpl
encp.exe
Files.LLTP
Ransomnote3.5.exe
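The following is an added example (PowerShell, not code from the original article or from the removal tool): a single read-only triage pass that gathers what Steps 2, 3, 4 and 7 above have you look for one item at a time, and writes it all to one report. Run it from an elevated Windows PowerShell 5.1 prompt in Safe Mode with Networking. It assumes the indicator strings and dropper file names listed in those steps, and a hypothetical report path on the Desktop; it changes nothing on the system, so every deletion stays a decision you make after reading the report. The process section records each image's SHA-256 and Authenticode signature so you can search VirusTotal by hash instead of uploading files.

```powershell
# Added example, not code from the original article. One read-only triage pass over the
# places Steps 2, 3, 4 and 7 check by hand; run from an elevated Windows PowerShell 5.1
# prompt in Safe Mode with Networking. It reports and deletes nothing. The indicator strings
# and file names are the ones listed in the steps; $Out is a hypothetical report path.

$Indicators   = 'ransomnote', 'VdREVyH', 'ransom.note', 'LLTP', 'moniestealer'
$DropperNames = 'LEAME.txt', 'uinf.uinf', 'tlltpl.tlltpl', 'encp.exe', 'Files.LLTP', 'Ransomnote3.5.exe'
$Out          = "$env:USERPROFILE\Desktop\lltp_triage.txt"

function Get-ProcessTriage {
    # Step 2: every running image with its SHA-256 and Authenticode status. Search VirusTotal
    # for the hash first; unsigned images under %Temp%, %AppData% or %ProgramData% come first.
    Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid       = $_.Id
            Name      = $_.Name
            Path      = $_.Path
            Sha256    = (Get-FileHash -Algorithm SHA256 -Path $_.Path -ErrorAction SilentlyContinue).Hash
            Signature = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Get-AutostartTriage {
    # Step 3: Run/RunOnce keys for the machine and the current user, plus both Startup folders.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # skip the registry provider's own bookkeeping properties
            if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Find-IndicatorInRegistry {
    # Step 4: what regedit's Find does for each indicator, over key names, value names and
    # value data in the user and machine Software hives. Unreadable keys are skipped.
    param([string[]]$Hives = @('HKCU:\Software', 'HKLM:\Software'))
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $values = foreach ($vn in $key.GetValueNames()) {
                $data = try { [string]$key.GetValue($vn) } catch { '' }
                "$vn = $data"
            }
            foreach ($ind in $Indicators) {
                foreach ($hit in ((@($key.Name) + @($values)) | Where-Object { $_ -like "*$ind*" })) {
                    [pscustomobject]@{ Indicator = $ind; Key = $key.Name; Match = $hit }
                }
            }
        }
    }
}

function Find-DropperFiles {
    # Step 7: the named dropper files anywhere on the system drive (slow, but thorough).
    param([string]$Root = "$env:SystemDrive\")
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $DropperNames } |
        Select-Object FullName, Length, LastWriteTime
}

# One report, kept as evidence, to read before anything is deleted.
$sections = [ordered]@{
    'Running processes' = { Get-ProcessTriage }
    'Autostart entries' = { Get-AutostartTriage }
    'Registry hits'     = { Find-IndicatorInRegistry }
    'Dropper files'     = { Find-DropperFiles }
}
"LLTP triage, $(Get-Date -Format o)" | Set-Content -Path $Out
foreach ($name in $sections.Keys) {
    "`n== $name ==" | Add-Content -Path $Out
    & $sections[$name] | Format-Table -AutoSize | Out-String -Width 300 | Add-Content -Path $Out
}
Write-Host "Report written to $Out"
```

The registry walk over HKLM:\Software can take several minutes; that is expected. Treat an unsigned image running from a user-writable folder, an autostart entry pointing into %Temp% or %AppData%, or any registry hit on the indicator strings as the items to check against VirusTotal (by hash) before you delete them by hand in Steps 2 to 7.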

Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

Check for EDA2, LLTP, VenusLocker or TrumpLocker decrypter here: List of currently available decryptors as these ransomware viruses are very similar and might have a decrypter which works for all versions. Currently we have no information that such decrypter is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by restoring the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies, so this step might be unsuccessful as well. In that case, proceed to Step 3.
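As an added example (PowerShell, not code from the original article or from Shadow Explorer), the script below covers recovery Steps 1 and 2 together: it lists the restore points and volume shadow copies that still exist, exposes a chosen shadow copy as a folder, and copies a directory out of it while skipping anything that already carries the LLTP extension. It needs an elevated Windows PowerShell 5.1 prompt on a client edition of Windows (Get-ComputerRestorePoint is not available on servers); the mount path, the user folder and the destination drive are hypothetical choices for this example.

```powershell
# Added example, not code from the original article. Lists the recovery sources the two steps
# above depend on, and exposes a chosen shadow copy as a folder so files can be copied out of
# it with Copy-Item or Explorer. Needs an elevated Windows PowerShell 5.1 prompt; the mount
# and destination paths are hypothetical choices for this example.

function Get-RecoverySources {
    # Restore points (what rstrui.exe offers) and volume shadow copies (what Shadow Explorer
    # lists), oldest first. An empty list means the ransomware already deleted them.
    $points = Get-ComputerRestorePoint -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Kind    = 'RestorePoint'
            Id      = $_.SequenceNumber
            Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Detail  = $_.Description
        }
    }
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Kind    = 'ShadowCopy'
            Id      = $_.ID
            Created = $_.InstallDate
            Detail  = "$($_.VolumeName) -> $($_.DeviceObject)"
        }
    }
    (@($points) + @($shadows)) | Where-Object { $_ } | Sort-Object Created
}

function Mount-ShadowCopy {
    # Links $Mount to the shadow copy's device object. mklink requires the trailing backslash
    # on the device path; the link is read-only from the user's point of view.
    param(
        [Parameter(Mandatory)][string]$ShadowId,
        [string]$Mount = "$env:SystemDrive\ShadowMount"
    )
    $shadow = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $ShadowId }
    if (-not $shadow) { throw "No shadow copy with ID $ShadowId" }
    if (Test-Path -LiteralPath $Mount) { throw "$Mount already exists; remove it first" }
    cmd.exe /c mklink /d "$Mount" "$($shadow.DeviceObject)\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed; is this prompt elevated?" }
    return $Mount
}

function Export-FromShadow {
    # Copies a folder out of the mounted shadow copy, skipping files that already carry the
    # LLTP extension (a snapshot taken mid-attack holds encrypted files too). Send the output
    # to an external drive, never back onto the infected disk. Returns the number of files copied.
    param(
        [Parameter(Mandatory)][string]$Mount,
        [Parameter(Mandatory)][string]$RelativePath,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = Join-Path $Mount $RelativePath
    if (-not (Test-Path -LiteralPath $src)) { throw "$src is not present in this shadow copy" }
    $copied = 0
    Get-ChildItem -LiteralPath $src -Recurse -File -Force |
        Where-Object { $_.Name -notmatch '\.ENCRYPTED_BY_LLTPp?$' } |
        ForEach-Object {
            $rel = $_.FullName.Substring($src.Length).TrimStart('\')
            $dst = Join-Path $Destination $rel
            New-Item -ItemType Directory -Path (Split-Path -Parent $dst) -Force | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $dst -Force
            $copied++
        }
    return $copied
}

Get-RecoverySources | Format-Table -AutoSize
# Then, for a shadow copy dated before the attack (ID taken from the table above):
# $m = Mount-ShadowCopy -ShadowId '<shadow copy ID>'
# Export-FromShadow -Mount $m -RelativePath 'Users\alice\Documents' -Destination 'E:\recovered\Documents'
# cmd.exe /c rmdir "$m"   # removes the link only, not the snapshot
```

Pick the newest shadow copy whose Created time is earlier than the first encrypted file's timestamp; a later snapshot only hands you encrypted copies back. Remove the link with rmdir (not Remove-Item -Recurse, which would try to delete through the link) when you are done.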

Step 3:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a LLTP Locker ransomware decrypter to be created. New free decrypters for various ransomware appear quite often but we cannot estimate the waiting time and if it is going to be created at all.

