LLTP Ransomware

LLTP Ransomware is a new computer infection that was detected only this week, March 21st, 2017. The program seems to be based on an older ransomware program that was released last summer. Despite the fact that the application is fairly new, it still employs the same methods to push innocent users into spending their money for nothing. Unless you remove LLTP Ransomware right now, you will not be able to run your computer properly. Thus, do yourself a favor and acquire a legitimate security application that would terminate all the malicious files for you automatically, and you would not have to worry about it again.

According to the information collected by our research team, the new program is based on the VenusLocker Ransomware. As mentioned, VenusLocker Ransomware was released last summer, and this program is an EDA2 variant infection, which means that it is based on an open-source ransomware code. In a sense, the code can be used by almost anyone who knows how to program and distribute such infections. So it is not surprising that LLTP Ransomware was created when the previously released infection got rewritten by its creators. However, it does not mean that we can apply the same old removal and decryption patterns to this new infection.

After a closer look at this application, we can see that LLTP Ransomware still uses the same system background from the VenuLocker Ransomware setup, but it displays a different email address and the ransom amount. The program expects you to contact its developers via the LLTP@mail2tor.com, and you are expected to pay around $200USD in bitcoins for the decryption tool that should unlock your files encrypted by the AES-256 algorithm. Now, it is more than obvious that you should never pay a single cent to these criminals because no one can guarantee they would issue the promised decryption key.

It is very likely that this program enters target systems via spam email messages. Of course, spam email campaigns are the most common distribution method when it comes to ransomware infections so there is no surprise in that. It would be far more important for users to protect themselves from such infections by employing safe web browsing skills. Also, you should think twice before downloading and opening various attachments even if it looks like they come from some official source. Most of the online stores and other financial institutions avoid sending attached documents because they know it is one of the greatest vulnerabilities that can be exploited by cyber criminals.

So what happens when LLTP Ransomware infects your system? The program obviously scans your computer and encrypts most of your files. The program has a long list of file types it supports, and you can be sure that almost every single document you use daily will probably be affected by this application. When the encryption is complete, you will see a ransom note on your screen, and it might be displayed either in English or in Spanish. This also shows that LLTP Ransomware might be targeting computer users in the Spanish-speaking countries.

Asides from the ransom note, the program also creates a new folder in the %UserProfile% directory, and this folder stores the background image that is set as your desktop wallpaper when the program enters your system. The program also performs certain Windows Registry modifications that allow it to auto-start whenever you turn on your computer. So restarting your PC would not make the message disappear. The only way to do that is to delete LLTP Ransomware for good. Of course, it might be too challenging if you are not an experienced computer user, so relying on a powerful antispyware tool is always a good choice. We will also provide the manual removal instructions below this description, but we do not recommend doing it on your own if you are not too familiar with the inner-workings of your system.

As mentioned, there is no public decryption tool available as of yet that would help you decrypt your files for free. You should just delete the infected files, and then restore your data from a system backup. Perhaps you have an external hard drive where you save most of your files. Perhaps you backup your files on some cloud storage. Whichever it might be, you probably have copies of your files, and you can definitely retrieve them.

How to Remove LLTP Ransomware

1. Go the Downloads folder.
2. Delete the most recently downloaded files.
3. Press Win+R and type %TEMP%. Click OK.
4. Delete the lltprwx86 folder from the directory.
5. Press Win+R and type regedit. Click OK.
6. Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
7. Delete the LLTP %UserProfile% key and everything associated with it.
8. Go to HKEY_CURRENT_USER\Control Panel\Desktop.
9. Delete the Wallpaper "%UserProfile%\bg.jpg" entry under Desktop.
10. Remove the RansomNote3.5.exe and LEAME.txt files from your desktop.
11. Scan your computer with the SpyHunter free scanner.