How to Remove Lukitus Ransom

Lukitus is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them. It was discovered on September 1, 2017. It can affect Windows 7, 8 and 10 systems, and the risk level is Very Low.

Once executed, the Trojan creates the following files:

  • %SystemDrive%\Documents and Settings\All Users\Desktop\lukitus.bmp
  • %SystemDrive%\Documents and Settings\All Users\Desktop\lukitus.htm

Next, the Trojan modifies the following registry entries:

  • HKEY_CURRENT_USER\Control Panel\Desktop\"TileWallpaper" = "0"
  • HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "lukitus.bmp"

The Trojan then creates the following mutexes so that only one instance of the threat executes on the computer:

  • Local\Ea5aGaCaBa1aDaEaGa9a4aDa9a3a5aEa
  • Global\Ea5aGaCaBa1aDaEaGa9a4aDa9a3a5aEa
  • Global\3aEa4aBaBa6a:a:aCaDa9aFaCa9a4aEa
  • Local\3aEa4aBaBa6a:a:aCaDa9aFaCa9a4aEa

Next, the Trojan connects to one or more of the following remote locations:

  • http://192.162.[REMOVED].213/imageload.cgi
  • http://185.17.[REMOVED].130/imageload.cgi
  • http://46.17.[REMOVED].153/imageload.cgi
  • http://46.183.[REMOVED].45/imageload.cgi
  • http://5.196.[REMOVED].239/imageload.cgi
  • http://5.188.[REMOVED].30/imageload.cgi
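The dropped files, the wallpaper registry change, the mutex names and the `imageload.cgi` request path above are the host and network indicators a defender can match against endpoint telemetry. The following is an added example, not part of the original write-up: it checks a stream of event records against those indicators. The event records and their field names (`type`, `path`, `key`, `value`, `data`, `name`, `url`) are constructed for illustration and mimic Sysmon-style events rather than any specific product's schema; the IP address in the sample request is a documentation-range placeholder, since the write-up redacts the real ones.

```python
"""Match the Lukitus host/network indicators from the write-up against
endpoint telemetry. Added example; the events below are constructed and the
field names are an assumption, not a real product schema."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the write-up. The C2 IPs are redacted there, so only
# the request path (/imageload.cgi on a bare IP) is matched.
DROPPED_FILES = {"lukitus.bmp", "lukitus.htm"}
WALLPAPER_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
MUTEX_NAMES = {
    r"Local\Ea5aGaCaBa1aDaEaGa9a4aDa9a3a5aEa",
    r"Global\Ea5aGaCaBa1aDaEaGa9a4aDa9a3a5aEa",
    r"Global\3aEa4aBaBa6a:a:aCaDa9aFaCa9a4aEa",
    r"Local\3aEa4aBaBa6a:a:aCaDa9aFaCa9a4aEa",
}
C2_PATH_RE = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}/imageload\.cgi$", re.I)


def _basename(path: str) -> str:
    """Last path component, tolerating both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of human-readable hits for one telemetry event."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind == "file_create":
        if _basename(ev.get("path", "")).lower() in DROPPED_FILES:
            hits.append(f"ransom-note artefact dropped: {ev['path']}")
    elif kind == "registry_set":
        # TileWallpaper=0 alone is too common to alert on; the wallpaper
        # pointing at lukitus.bmp is the distinctive change.
        if (ev.get("key", "").lower() == WALLPAPER_KEY.lower()
                and ev.get("value", "").lower() == "wallpaper"
                and ev.get("data", "").lower().endswith("lukitus.bmp")):
            hits.append("desktop wallpaper set to lukitus.bmp")
    elif kind == "mutex_create":
        if ev.get("name", "") in MUTEX_NAMES:
            hits.append(f"known Lukitus mutex created: {ev['name']}")
    elif kind == "http_request":
        if C2_PATH_RE.match(ev.get("url", "")):
            hits.append(f"C2-style request to imageload.cgi: {ev['url']}")
    return hits


def triage(events: Iterable[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, hit description) for every event that matched."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]


# Constructed sample telemetry: four indicator hits among seven events.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Documents and Settings\All Users\Desktop\lukitus.bmp"},
    {"type": "file_create", "path": r"C:\Users\alice\report.docx"},
    {"type": "registry_set", "key": r"HKEY_CURRENT_USER\Control Panel\Desktop",
     "value": "Wallpaper",
     "data": r"C:\Documents and Settings\All Users\Desktop\lukitus.bmp"},
    {"type": "mutex_create", "name": r"Global\Ea5aGaCaBa1aDaEaGa9a4aDa9a3a5aEa"},
    {"type": "mutex_create", "name": r"Local\SomeLegitimateApp"},
    # 203.0.113.7 is a documentation-range placeholder, not a real C2.
    {"type": "http_request", "url": "http://203.0.113.7/imageload.cgi"},
    {"type": "http_request", "url": "http://203.0.113.7/index.html"},
]

if __name__ == "__main__":
    for idx, hit in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Run stand-alone it reports the four matching events; in practice the event source would be Sysmon or EDR output mapped onto the same fields.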

The Trojan then encrypts files on the compromised computer with the following extensions:

  • .7zip
  • .SQLITE3
  • .SQLITEDB
  • .accdb
  • .accde
  • .accdr
  • .accdt
  • .agdl
  • .aiff
  • .aspx
  • .asset
  • .back
  • .backup
  • .backupdb
  • .bank
  • .blend
  • .cdr3
  • .cdr4
  • .cdr5
  • .cdr6
  • .cdrw
  • .class
  • .config
  • .contact
  • .craw
  • .d3dbsp
  • .db_journal
  • .ddoc
  • .ddrw
  • .design
  • .djvu
  • .docb
  • .docm
  • .docx
  • .dotm
  • .dotx
  • .erbsql
  • .flac
  • .flvv
  • .forge
  • .gray
  • .grey
  • .groups
  • .html
  • .ibank
  • .incpas
  • .indd
  • .java
  • .jpeg
  • .kdbx
  • .kpdx
  • .laccdb
  • .lay6
  • .litemod
  • .litesql
  • .m2ts
  • .mapimail
  • .moneywell
  • .mpeg
  • .ms11
  • .nvram
  • .onetoc2
  • .pages
  • .plus_muhd
  • .potm
  • .potx
  • .ppam
  • .ppsm
  • .ppsx
  • .pptm
  • .pptx
  • .psafe3
  • .pspimage
  • .qcow
  • .qcow2
  • .s3db
  • .safe
  • .sas7bdat
  • .save
  • .sldm
  • .sldx
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .tar.bz2
  • .tiff
  • .vbox
  • .vhdx
  • .vmdk
  • .vmsd
  • .vmxf
  • .wallet
  • .wallet.dat
  • .xlam
  • .xlsb
  • .xlsm
  • .xlsx
  • .xltm
  • .xltx
  • .ycbcra

The Trojan renames encrypted files using the following format:

  • [8 RANDOM CHARACTERS]-[4 RANDOM CHARACTERS]-[4 RANDOM CHARACTERS]-[8 RANDOM CHARACTERS]-[12 RANDOM CHARACTERS].lukitus
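Two things from the extension list and the rename format above are easy to get wrong in an inventory or recovery script: the list contains multi-part suffixes (`.tar.bz2`, `.wallet.dat`) that a naive "split on the last dot" check misses, and an already-encrypted file is recognisable only by the fixed 8-4-4-8-12 block structure of its new name, not by the `.lukitus` suffix alone. The following is an added example, not code from the original write-up: it classifies file names as targeted, already renamed, or neither, using the write-up's own extension list. Matching is done case-insensitively (Windows file systems are), which is why `.SQLITE3` and `.sqlite3` collapse into one entry; the character class used for "random characters" in the rename pattern is an assumption, and the sample paths are constructed.

```python
"""Classify file names against the Lukitus target-extension list and the
documented rename format. Added example; sample paths are constructed."""
import re
from typing import Dict, Iterable, Optional

# Extension list from the write-up, lower-cased so matching is
# case-insensitive (an assumption about the detector, not the malware).
TARGETED_EXTENSIONS = frozenset(ext.lower() for ext in """
.7zip .SQLITE3 .SQLITEDB .accdb .accde .accdr .accdt .agdl .aiff .aspx .asset
.back .backup .backupdb .bank .blend .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .class
.config .contact .craw .d3dbsp .db_journal .ddoc .ddrw .design .djvu .docb
.docm .docx .dotm .dotx .erbsql .flac .flvv .forge .gray .grey .groups .html
.ibank .incpas .indd .java .jpeg .kdbx .kpdx .laccdb .lay6 .litemod .litesql
.m2ts .mapimail .moneywell .mpeg .ms11 .nvram .onetoc2 .pages .plus_muhd
.potm .potx .ppam .ppsm .ppsx .pptm .pptx .psafe3 .pspimage .qcow .qcow2
.s3db .safe .sas7bdat .save .sldm .sldx .sqlite .sqlite3 .sqlitedb .tar.bz2
.tiff .vbox .vhdx .vmdk .vmsd .vmxf .wallet .wallet.dat .xlam .xlsb .xlsm
.xlsx .xltm .xltx .ycbcra
""".split())

# Longest suffix first, so ".wallet.dat" is tried before ".wallet" and
# ".tar.bz2" is recognised even though ".bz2" is not in the list.
_EXTENSIONS_BY_LENGTH = sorted(TARGETED_EXTENSIONS, key=len, reverse=True)

# [8]-[4]-[4]-[8]-[12] random characters + ".lukitus". The write-up only says
# "random characters"; alphanumerics are an assumption.
RENAMED_RE = re.compile(
    r"^[A-Za-z0-9]{8}-[A-Za-z0-9]{4}-[A-Za-z0-9]{4}-[A-Za-z0-9]{8}-[A-Za-z0-9]{12}\.lukitus$"
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def targeted_extension(path: str) -> Optional[str]:
    """The (lower-cased) targeted suffix the name ends with, or None."""
    name = _basename(path).lower()
    for ext in _EXTENSIONS_BY_LENGTH:
        if name.endswith(ext):
            return ext
    return None


def is_lukitus_renamed(path: str) -> bool:
    """True only for names matching the full documented rename format."""
    return RENAMED_RE.match(_basename(path)) is not None


def classify(path: str) -> str:
    """'encrypted', 'targeted' or 'other' for one path."""
    if is_lukitus_renamed(path):
        return "encrypted"
    if targeted_extension(path) is not None:
        return "targeted"
    return "other"


def summarize(paths: Iterable[str]) -> Dict[str, int]:
    """Count of each class across an inventory of paths."""
    counts = {"targeted": 0, "encrypted": 0, "other": 0}
    for p in paths:
        counts[classify(p)] += 1
    return counts


# Constructed sample inventory; the .lukitus name is made up to fit the format.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Backups\site.tar.bz2",
    r"C:\Users\alice\AppData\Roaming\coin\main.wallet.dat",
    r"C:\Users\alice\db\app.SQLITE3",
    r"C:\Users\alice\readme.txt",
    r"C:\Users\alice\Documents\ABCDEF12-3456-7890-ABCDEF12-ABCDEF123456.lukitus",
    r"C:\Users\alice\Documents\notes.lukitus",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{classify(p):9s} {p}")
    print(summarize(SAMPLE_PATHS))
```

`notes.lukitus` is deliberately classed as `other`: a bare `.lukitus` suffix without the random-block structure does not match what the write-up describes, and keeping the two cases apart avoids counting unrelated files as encrypted during an incident inventory.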

The Trojan then displays a ransom note with instructions on how the user can pay to have their files decrypted.
