LLTP Ransomware

Posted by Lisa Blanc on March 27, 2017

What is LLTP Ransomware?

LLTP Ransomware is a dangerous computer infection that was first spotted on 21 March 2017. There is no question that this infection is worthy of removal because its job is to encrypt your personal files and then demand that you pay a ransom for the decryption key. Indeed, its developers are nothing more than cyber criminals who want to extract money from you. They can ask for up to 200 USD which might not be worth your files, so paying the ransom might not be economical in your case. Furthermore, there is no way of knowing whether you will receive the decryption key once you have paid. test test test

Where does LLTP Ransomware come from?

As mentioned, LLTP Ransomware is a recently released ransomware. From the looks of things, it is quite clear that its developers come from a Spanish-speaking country and, as a result, it targets the Spanish-speaking populations across the globe. Interestingly, this particular ransomware is similar to VenusLocker Ransomware but is not an exact copy. The developers have rewritten to code leaving out the things they did not need and inserted things that they did. From the outside, it is evident to see that they left the same background image of the original ransomware, but replaced the email address to LLTP@mail2tor.com and also entered a different ransom value. Of course, there are more minute changes that make these two programs different, but we mention the obvious ones, so you know which is which.

As far as this ransomware’s distribution methods are concerned, researchers have found that it is disseminated through malicious emails that are sent from a dedicated email server. The details about how the emails trick the users into opening a malicious attached file are unknown. However, it is clear that you need to open the emails manually for this ransomware to infect your PC. Also, researchers say that LLTP Ransomware might also be found on malicious software distributing sites. They say that this ransomware might be included with cracks or keygens. Now let us take a look at how LLTP Ransomware works.

What does LLTP Ransomware do?

Our malware analysts have tested this ransomware, and their analysis has revealed that it can encrypt several hundred file types, so any personal files you might have will become encrypted by this application. It uses the AES-256 and RSA-2048 encryption algorithms which are pretty strong, and, unfortunately, there is no free decryption tool out yet. Nevertheless, a decryption tool might be developed further down the line.

The cyber criminals want you to pay 200 USD (0.2 Bitcoins) for the decryption key which is sent to the remote command and control server, so you cannot find it anywhere on your PC, unfortunately. Also, worthy of a note is the fact that this particular ransomware will append the encrypted files with .ENCRYPTED_BY_LLTPp or .ENCRYPTED_BY_LLTP file extensions and also change the names of the files so that you could not identify them. You only have 72 hours to pay the ransom because if you fail to do so, then the decryption tool will be deleted. So, if 72 hours have already passed, do not try to pay the ransom because it will be futile. Once the encryption is complete, this ransomware will drop a file named LEAME.txt on the desktop which contains the ransom note.

How do I remove LLTP Ransomware?

LLTP Ransomware’s main executable (RansomNote3.5.exe) should be located from where you launched it manually because it does not copy itself to any hidden location. In addition, you should delete a file named lltprwx86 that is placed in %TEMP%\lltprwx86. Furthermore, you ought to remove its registry keys at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LLTP and HKCU\Control Panel\Desktop\Wallpaper. Alternatively, you can use our recommended anti-malware program called SpyHunter that will make light work of this particular ransomware.