What is Lomix Ransomware?
Lomix Ransomware is a new ransomware-type infection based on an open-source threat known as CryptoWire Ransomware. Even though Lomix Ransomware has a different name than the infection it is based on, it does not differ much from it. It uses the same encryption algorithm, AES-256, it encrypts users’ personal files once it enters the computer, and, finally, it demands a ransom. Paying money to cyber criminals might really be the only way to decrypt files since Lomix Ransomware uses a strong cipher, removes shadow copies of files immediately after the successful infiltration, and deletes non-encrypted copies of personal files after overwriting them 10 times (it does that so that it would be impossible to recover files using third-party recovery tools). It is up to you whether or not to send the money cyber criminals require for decrypting files; however, in the opinion of researchers working at anti-spyware-101.com, it is not worth doing that since files might still stay encrypted after making a payment. There are many cases when cyber crooks do not unlock files for users or do not send the promised decryption key after receiving money. In such a case, you will not get your money back. Therefore, you should read this article to find out how to delete Lomix Ransomware instead of trying to get more information about buying and sending Bitcoins.
What does Lomix Ransomware do?
Lomix Ransomware immediately makes a copy of itself and places it in %PROGRAMFILES(x86)%\Common Files once its executable file is launched. Then, it deletes the so-called shadow copies of files and immediately starts the encryption process. It has been found that all files it encrypts are located in the %USERPROFILE% directory and its subfolders. If you suspect that Lomix Ransomware has managed to sneak onto your computer, you should first check this directory. If files located there contain the component .encrypted in the middle of the name, for instance, picture.encrypted.jpg, it means that they have been affected by this file-encrypting threat. Users quickly find out about the presence of the ransomware infection because it opens a window with a ransom note and a list of encrypted files (the list is taken from the log.txt file located in %PROGRAMFILES(x86)%\Common Files). Since Lomix Ransomware creates a task (it has a random 10-digit name) in %WINDIR%\System32\Tasks, the malicious file located in the Common Files folder in %PROGRAMFILES(x86)% is opened every time users log on to their computers and, consequently, the ransom note is opened on the screen. It will disappear from your Desktop only after you fully delete the ransomware infection.
The ransom note opened on Desktop by Lomix Ransomware informs users about the encryption of files, and also tells them that “The only way you can recover your files is to buy a decryption key from firstname.lastname@example.org.” The price of the decryption key is $500 (~ 0.65 Bitcoins). Users can purchase Bitcoins on the website that is opened by clicking the Buy Bitcoins button, but keep in mind that experienced specialists do not recommend buying and sending Bitcoins since cyber criminals might send nothing in exchange. Unfortunately, free data recovery tools will not help you either, as has been mentioned in the first paragraph, so the only way to recover files at the time of writing is to restore them from a backup created before the malware entered the computer.
Where does Lomix Ransomware come from?
There is not much information available regarding the distribution of Lomix Ransomware, but it is clear that it appears on computers illegally. According to specialists at anti-spyware-101.com, the most likely scenario is that this infection entered your computer the moment you opened an attachment found in a spam email. To be frank, this is the most common ransomware distribution method, so users should not open the spam mail folder or individual spam emails. On top of that, people should install a security application on their computers to make sure that no new file-encrypting threat has a chance to enter the system and restrict access to files.
How to remove Lomix Ransomware
Since Lomix Ransomware creates a folder Common Files in %PROGRAMFILES(x86)%\Common Files and a task in %WINDIR%\System32\Tasks, it will not be easy to remove it. Below you can find the manual removal guide, which will help you delete this infection. Users can also erase this threat automatically by scanning the computer with SpyHunter. No matter how you erase it, make sure that you delete this threat fully so that it cannot encrypt new files in the future.
The manual Lomix Ransomware removal guide
- Press Win+E.
- Type %PROGRAMFILES(x86)%\Common Files in the bar at the top and press Enter.
- Locate the executable file having a random name.
- Delete it.
- Open %WINDIR%\System32\Tasks.
- Remove the 10-digit random name file.
- Check Desktop, %TEMP%, and %USERPROFILE%\Downloads.
- Delete the malicious file you have launched.
- Empty the Recycle bin.
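The checks described above (loose files in Common Files, the 10-digit scheduled task, and files with .encrypted in the middle of the name) can be scripted before and after cleanup to confirm nothing was missed. This is an added example, not part of the original guide; the function names are hypothetical, and the task-file check assumes the standard Windows Task Scheduler XML layout with the launched program in a Command element.

```python
import os
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
ENCRYPTED_NAME = re.compile(r"^.+\.encrypted\..+$", re.IGNORECASE)  # picture.encrypted.jpg
TASK_NAME = re.compile(r"^\d{10}$")  # random 10-digit task name

def find_encrypted_files(user_profile):
    """Files under the profile with '.encrypted' in the middle of the name."""
    hits = []
    for root, _dirs, files in os.walk(user_profile):
        hits += [Path(root) / f for f in files if ENCRYPTED_NAME.match(f)]
    return sorted(hits)

def find_loose_files(common_files):
    """Executables and log.txt placed directly in the Common Files folder."""
    return sorted(p for p in Path(common_files).iterdir() if p.is_file()
                  and (p.suffix.lower() == ".exe" or p.name.lower() == "log.txt"))

def find_suspicious_tasks(tasks_dir):
    """10-digit task files whose action launches a program from Common Files."""
    hits = []
    for p in sorted(Path(tasks_dir).iterdir()):
        if not (p.is_file() and TASK_NAME.match(p.name)):
            continue
        try:
            root = ET.parse(p).getroot()  # task definitions are stored as XML
        except ET.ParseError:
            hits.append((p, None))  # unreadable 10-digit task: review by hand
            continue
        for cmd in root.iter(TASK_NS + "Command"):
            target = PureWindowsPath((cmd.text or "").strip().strip('"'))
            if target.parent.name.lower() == "common files":
                hits.append((p, str(target)))
    return hits

if __name__ == "__main__":
    # Assumed live-system defaults; pass other roots to check a mounted disk image.
    pf = os.environ.get("ProgramFiles(x86)") or os.environ.get("ProgramFiles", r"C:\Program Files")
    win = os.environ.get("WINDIR", r"C:\Windows")
    print("Loose files:", find_loose_files(Path(pf) / "Common Files"))
    print("Tasks:", find_suspicious_tasks(Path(win) / "System32" / "Tasks"))
    print("Encrypted:", find_encrypted_files(os.environ.get("USERPROFILE", str(Path.home()))))
```

Run it from an elevated prompt so the Tasks folder is readable. The script only lists findings and deletes nothing, so every hit should be reviewed before removal.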