ransomware

Emsisoft has released a LooCipher Ransomware decryptor that allows victims to decrypt their files for free. When you have LooCipher infection, don’t pay for the ransom and follow the instructions below.

LooCipher is installed via malicious Word documents to download and execute the executable. Once executed, ransomware encrypts data of a victim and adds the extension.lcphr to the encrypted file names.

Ransomware would then show a LooCipher

Decryptor screen containing a countdown, as well as a button to check if a payment has been made, until your key is supposed to be deleted.

If you have this ransomware infection you can use the following instructions to get your files back free of charge.

If you have been infected with LooCipher ransomware and have the encrypted files, simply download decrypt LooCipher.exe from the link above and save it on your desktop. Michael Gillespie with François Muroni’s help has created this decrypted.

This decryptor doesn’t need to run LooCipher.exe, so if it’s running you should stop it and delete the file so it doesn’t start again.

When downloaded, run the program for the decryption of all the files targeted by the ransomware.  Once the license agreement has begun, you will be on the bruteforcer screen to select the encrypted file and the same file in their decrypted form.

loocipher

LooCipher GUI

If you do not have an encrypted pair, I suggest you use some of the samples of images found in the folder C:\Users\Public\Pictures\Sample Photographs.  These images are commonly encrypted and can easily be downloaded from another computer by means of a ransomware.

I have created here a Windows 7 sample photos repository, to make it easier:

https:/download.bleepingcomputer.com/public-sample-pics/sample-photo.zip. If you find that Windows 8 and Widows 10 are using different files, please let me know and I will upload a repository from the operating systems.

Once you select the files, you can use the Start button to start brute by forcing the decryption key. This process can take a while, so be patient while brute forcing is carried out.

brute-forcing

Brute forcing the LooCipher decryption key

If a key is found, it will appear in a small warning, as shown below.

decryption-key-found

LooCipher Decryption key found

Click the OK button in the above window and the decrypter starts again with the loaded key.

key-loaded

Main Decryptor Screen

Click on the Decrypt button once ready to start the decryption process. The decryptor is now searching for the computer for encrypted files ending with.lcphr extensions and decrypting them automatically.

decrypting

Decrypting Files

When completed, the Results tab will indicate that all your files are finished and decrypted. If you need help to make this decryptor work, please ask in your comments.

LEAVE A REPLY

Please enter your comment!
Please enter your name here