LooCipher is a new ransomware being distributed in the wild. It encrypts the personal documents found on the victim’s computer, and victims are told that the only way to decrypt their data is to pay for a decryption key.
LooCipher is designed to change the wallpaper, display a pop-up window, and create a ransom message in the “@Please_Read_Me.txt” file. It also renames every encrypted file by appending the “.lcphr” extension. For example, “1.jpg” becomes “1.jpg.lcphr”.
Victims are told that all files were encrypted with a strong encryption algorithm and that the only way to decrypt them is to purchase a unique decryption key. According to the note, this key is stored on a remote server controlled by LooCipher’s developers, and only they can access that server.
To obtain their keys, victims must send the equivalent of $330 in Bitcoins to a BTC wallet address provided.
The note pressures victims to pay within five days; after that, it claims, the decryption key is deleted and the files are locked permanently.
Once payment is made, the “DECRYPT” button in the pop-up window is supposed to become enabled so victims can decrypt their files. Decryption is only offered through that pop-up window displayed by LooCipher.
When LooCipher first appeared there was no free tool capable of decrypting its files, so the only way to recover them without paying or contacting the criminals was to restore them from a data backup. That has since changed: a free decryptor is now available (see below), but a clean, offline backup remains the most reliable recovery path.
First, LooCipher encrypts the victim’s files and renames them with the .lcphr extension.
This happens very quickly, usually before you can notice LooCipher in action and shut off your computer.
Another thing that changes is your desktop background: it is replaced with a ransom note telling you to open the LooCipher.exe file to restore your files. In practice, all LooCipher.exe offers is instructions on how to pay the developers of this virus.
LooCipher demands payment in Bitcoin because of its anonymity and ease of automation, and the note describes the attackers’ server as a Tor server, which also offers anonymity. Both technologies are legitimate and valuable to many people, but they are also abused by criminals.
How Does LooCipher Ransomware Infect Computers
Typically, cybercriminals distribute ransomware and other malicious programs via spam campaigns, fake software update tools, untrustworthy software download sources, software ‘cracking’ tools and Trojan-type programs.
Spam emails carry malicious attachments or links, and the goal is to trick recipients into opening them. When opened, they infect the computer with ransomware or other malware.
Computers are also infected through fake software update tools.
These usually either exploit bugs or flaws in outdated software, or simply download and install unwanted or malicious programs instead of the promised update.
This ransomware was also observed compromising victims through exposed Remote Desktop Protocol (RDP) services. The attackers scan for systems with RDP (TCP port 3389) reachable from the internet and then attempt to brute-force the passwords for those systems.
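RDP password brute-forcing leaves a recognizable trail in the Windows Security log: a burst of Event ID 4625 (failed logon) records with logon type 10 (RemoteInteractive, which is RDP) from one source address. The script below is an added example, not code from the article, Emsisoft or the LooCipher operators. It parses a handful of constructed 4625/4624 records (the field layout is a simplified, whitespace-separated rendering of the real event fields, and the addresses are documentation ranges) and flags any source that produces a threshold number of RDP logon failures inside a sliding time window; the threshold and window are assumptions you should tune to your environment.

```python
"""Flag RDP password-guessing from Windows Security log events.

Added example for illustration; the event records below are constructed.
Real 4625 events carry these fields (TimeCreated, EventID, LogonType,
TargetUserName, IpAddress), but the one-line format here is an assumption
made for the demo, not an export format of any tool.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failures per source before alerting (assumption)
WINDOW = timedelta(seconds=60)  # sliding window length (assumption)

# Constructed sample records: "<timestamp> <event id> <logon type> <account> <source ip>"
SAMPLE_EVENTS = [
    "2019-07-03T10:00:01 4625 10 administrator 203.0.113.7",
    "2019-07-03T10:00:03 4625 10 admin 203.0.113.7",
    "2019-07-03T10:00:05 4625 10 Administrator 203.0.113.7",
    "2019-07-03T10:00:08 4625 10 user 203.0.113.7",
    "2019-07-03T10:00:10 4625 10 test 203.0.113.7",
    "2019-07-03T10:00:12 4625 10 guest 203.0.113.7",
    # Same user mistyping a password three times over 20 minutes: not an attack.
    "2019-07-03T10:00:14 4625 10 jsmith 198.51.100.9",
    "2019-07-03T10:05:14 4625 10 jsmith 198.51.100.9",
    "2019-07-03T10:20:14 4625 10 jsmith 198.51.100.9",
    "2019-07-03T10:20:40 4624 10 jsmith 198.51.100.9",
    # Console (logon type 2) failures are out of scope for an RDP rule.
    "2019-07-03T10:00:20 4625 2 bob 192.0.2.5",
    "2019-07-03T10:00:21 4625 2 bob 192.0.2.5",
    "2019-07-03T10:00:22 4625 2 bob 192.0.2.5",
    "2019-07-03T10:00:23 4625 2 bob 192.0.2.5",
    "2019-07-03T10:00:24 4625 2 bob 192.0.2.5",
]


def parse_event(line):
    """Split one constructed record into typed fields."""
    ts, event_id, logon_type, account, ip = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "ip": ip,
    }


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: iso_timestamp_of_first_alert} for every source that
    produced `threshold` RDP logon failures (4625, logon type 10) within
    `window`. Events are processed in time order; a per-source deque keeps
    only the failures inside the window."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = ev["time"].isoformat()
    return alerts


if __name__ == "__main__":
    for ip, when in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {ip}, threshold reached at {when}")
```

On a real host you would feed the function records exported from the Security log (for example via the Windows Event Log API or a SIEM) rather than the constructed list. The rule deliberately ignores console failures and a slow trickle of failures from one source, which is what separates an automated password sprayer from a user who forgot a password.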
How to Decrypt or Prevent LooCipher Ransomware
A decryptor for the LooCipher Ransomware has been released by Emsisoft that allows victims to decrypt their files for free.
This decryptor does not need the LooCipher.exe program running, so if it is still running you should terminate the process and delete the file so it does not start again.
Once downloaded, run the program with administrative privileges in order to decrypt all the files that were targeted by the ransomware.
Once started, agree to the license agreement and you will be at the bruteforcer screen where it asks you to select an encrypted file and the same file in its unencrypted form.
Once you select the files, the Start button will become available and you should click on it to start brute-forcing the decryption key.
When a key has been found, the decryptor displays it in a small alert with a single OK button. Click OK and the decryptor will restart with the key loaded.
Once ready, click on the Decrypt button to begin the decryption process. The decryptor will search the computer for encrypted files ending with the .lcphr extension and automatically decrypt them.
When it has finished, the Results tab will state Finished and all of your files should now be decrypted.
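The hardest part of the procedure above is usually the brute-forcer step: it needs one .lcphr file together with the same file in its unencrypted form, and the clean copy most often survives in a backup, a mail attachment or a synced folder. The script below is an added example, not code from the article or from Emsisoft’s decryptor. It walks the victim tree, strips the .lcphr extension that LooCipher appends to recover each original filename, and reports which of those originals exist under a backup tree, so you have a ready list of candidate pairs to feed to the decryptor. The directory layout it builds is constructed for the demo; the file contents are placeholders, not real ciphertext.

```python
"""Locate (encrypted, original) file pairs for a known-plaintext brute-forcer.

Added example for illustration. The demo tree built by build_demo_tree()
is constructed; on a real system you would point find_plaintext_pairs()
at the victim's drive and at a backup or file-share copy.
"""
import os
import tempfile

LCPHR_EXT = ".lcphr"   # extension LooCipher appends, e.g. 1.jpg -> 1.jpg.lcphr


def find_encrypted(root):
    """Yield (relative original path, absolute encrypted path) for every
    *.lcphr file under root. Relative paths use '/' so they are comparable
    across hosts regardless of os.sep."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(LCPHR_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)[:-len(LCPHR_EXT)]
            yield rel.replace(os.sep, "/"), full


def find_plaintext_pairs(victim_root, backup_root):
    """Return {relative_name: (encrypted_path, backup_path)} for files that
    exist encrypted under victim_root and unencrypted under backup_root.
    Each backup copy is a usable known plaintext for the decryptor."""
    pairs = {}
    for rel, enc_path in find_encrypted(victim_root):
        candidate = os.path.join(backup_root, *rel.split("/"))
        if os.path.isfile(candidate):
            pairs[rel] = (enc_path, candidate)
    return pairs


def build_demo_tree():
    """Create a constructed victim/backup layout in a temp dir and return
    (victim_root, backup_root). One picture (2.jpg) has no backup copy and
    the ransom note is not encrypted, so neither should appear as a pair."""
    base = tempfile.mkdtemp(prefix="loocipher_demo_")
    victim = os.path.join(base, "victim")
    backup = os.path.join(base, "backup")
    layout = {
        os.path.join(victim, "docs", "report.docx.lcphr"): b"\x00placeholder",
        os.path.join(victim, "pics", "1.jpg.lcphr"): b"\x00placeholder",
        os.path.join(victim, "pics", "2.jpg.lcphr"): b"\x00placeholder",
        os.path.join(victim, "@Please_Read_Me.txt"): b"ransom note",
        os.path.join(backup, "docs", "report.docx"): b"plaintext",
        os.path.join(backup, "pics", "1.jpg"): b"plaintext",
    }
    for path, data in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return victim, backup


if __name__ == "__main__":
    victim_root, backup_root = build_demo_tree()
    for rel, (enc, plain) in sorted(find_plaintext_pairs(victim_root, backup_root).items()):
        print(f"{rel}\n  encrypted: {enc}\n  plaintext: {plain}")
```

Run the pair-finder on a copy of the data, not on the original drive, and keep the encrypted files untouched until the decryptor reports Finished; if the key search fails on one pair, try another file from the list.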