LKFR Virus File

by Brendan Smith
March 8, 2024

The Lkfr virus, a type of ransomware from the STOP/DJVU family, is notorious for its harmful file encryption. It invades systems to encrypt various file types, including documents, videos, and photos. Each affected file is appended with a “.lkfr” extension, rendering them inaccessible without a decryption key.

Overview of the Lkfr Virus

Lkfr

🤔 The Lkfr virus, part of the DJVU/STOP ransomware family, aims to encrypt files and then demands a ransom in Bitcoin, ranging from $499 to $999, for their release.

The Lkfr virus aggressively encrypts files, forcing victims to pay a ransom for recovery. It marks encrypted files with a unique “.lkfr” extension, making them inaccessible. The demanded ransom varies from $499 to $999, contingent on the duration since the infection, detailed in a “_readme.txt” file.

Utilizing the Salsa20 encryption algorithm, the Lkfr Ransomware securely locks targeted files. This sophisticated encryption makes it extremely difficult to decrypt the files without the attackers’ assistance.

Following encryption, the Lkfr virus presents a ransom note, instructing victims on how to pay the ransom in Bitcoin. The note may include threats of complete system deletion or an increased ransom if the payment is not made promptly.

I have created an all-encompassing list of the solutions, tips, and approaches to stop the Lkfr malware and decrypt your files. In some cases, it may be possible to restore your files, while sometimes, it may be impossible.

Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

📌 Important Note!

It is critical to say that paying off the bill is not a guarantee of the successful files recovery. The scoundrels who stand behind the Lkfr virus are known for their untrustworthiness. There were cases where people have paid the ransom, only to be denied by the cyber criminals with the decryption key provision.

Lkfr uses a unique key for each victim, with one exception:

  • If Lkfr fails to connect the command and control server (C&C) before starting the encryption process, it uses offline keys as a fallback option. This key is not unique and is the same for all users, allowing for the decryption of files encrypted by the ransomware.

The Lkfr virus is similar to other DJVU ransomware variants like Lkhy, Ldhy, Wisz, and Nood. This virus encrypts a wide range of common file types and appends its distinct “.lkfr” extension to all files. For instance, a file named “1.jpg” would be altered to “1.jpg.lkfr” and “2.png” to “2.png.lkfr“.

Upon successful encryption, the malware creates a special text file named “_readme.txt” and places it in every folder containing the encrypted files. It also adds the readme file to the desktop, so the user will not miss its appearance even without opening folders.

The image below provides a visual representation of files with the “lkfr” extension:

Lkfr Virus - encrypted lkfr files

Encrypted Files by STOP/DJVU Ransomware

Name Lkfr Ransomware
Ransomware family1 DJVU/STOP2 ransomware
Extension .lkfr
Ransomware note _readme.txt
Ransom From $499 to $999 (in Bitcoins)
Contact [email protected], [email protected]
Detection Trojan:MSIL/AgentTesla.EYA!MTB, Ransom:Win32/Blocker!pz, Trojan:MSIL/AgentTesla.KAAY!MTB
Symptoms
  • Disables Volume Shadow copies, making victim’s attempts to restore data futile;
  • Installs password-stealing Trojan on the system, like Vidar Stealer or RedLine Stealer;
  • Successfully installs a SmokeLoader backdoor for remote access;
  • Updates the HOSTS file with a list of domains to block access to certain security-related sites;
  • Implements encryption to lock most of your files (photos, videos, documents) and adds a particular “.lkfr” extension;
Fix Tool To remove possible malware infections, scan your PC:
6-day free trial available.

This message asking for payment is for restoring files via decryption key:

_readme.txt (STOP/DJVU Ransomware)

_readme.txt (STOP/DJVU Ransomware) – The terrifying notification insisting users to pay off the ransom to unlock the encrypted data contains these frustrating admonitions.

The Lkfr ransomware executes multiple steps on the infected computer, notably launching the winupdate.exe process. This mimics a Windows update notification, misleading victims into believing the system slowdown is due to an update. Its deception is designed to mask the encryption activity happening in the background.

Simultaneously, the ransomware starts a separate process (usually named with 4 random letters) to identify and encrypt target files. It then executes a command to eliminate Volume Shadow Copies, significantly hindering file recovery:

vssadmin.exe Delete Shadows /All /Quiet

This action makes it nearly impossible to revert to a previous state using System Restore Points. The attackers also tamper with the Windows HOSTS file, adding certain domains to redirect to localhost, leading to a DNS_PROBE_FINISHED_NXDOMAIN error for those sites. This tactic specifically targets and blocks access to websites offering guidance on ransomware recovery, further isolating the victim.

Additionally, the malware leaves behind two files on the victim’s computer: bowsakkdestx.txt and PersonalID.txt, containing the victim’s public encryption key and personal ID, respectively. These files are part of the ransomware’s strategy to personalize the attack and facilitate the ransom process.

Lkfr ransomware saves public encryption key and victim's id in bowsakkdestx.txt file

The threats from the STOP/DJVU malware family, including its variants, extend beyond initial encryption. These variants are known to introduce the Vidar password-stealing Trojan into compromised systems, bringing a host of invasive capabilities:

  • Extracting login details for Steam, Telegram, and Skype;
  • Harvesting cryptocurrency wallet information;
  • Downloading and executing additional malicious software;
  • Collecting browser cookies, saved passwords, browsing history;
  • Accessing and modifying files on the victim’s system;
  • Enabling remote execution of tasks by hackers.

The STOP/Djvu ransomware employs the Salsa20 cryptography algorithm, making unauthorized decryption highly unlikely once files are locked with an online key unique to each victim. The complexity and uniqueness of these keys render manual recovery efforts impractically time-consuming.

Acquiring the decryption key without succumbing to the ransom demands is virtually impossible, as it resides on a command-and-control server under the attacker’s control. To retrieve the decryption key, victims are coerced into paying a ransom of $999, with payment instructions available through contact with the attackers at ([email protected]).

The message by the ransomware states the following information:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents, and other important are encrypted with the strongest encryption and unique key.
The only method of recovering files is to purchase a decrypt tool and a unique key for you.
This software will decrypt all your encrypted files.
What guarantees do you have?
You can send one of your encrypted files from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. The file must not contain valuable information.
Do not ask assistants from YouTube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool:
https://we.tl/t-hPAqznkJKD
The price of private key and decrypt software is $999.
A discount of 50% is available if you contact us first 72 hours, that's the price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get an answer for more than 6 hours.


To get this software you need to write to our e-mail:
[email protected]

Reserve an e-mail address to contact us:
[email protected]

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

How To Remove STOP/Djvu Ransomware?

Video Guide


How To Decrypt .lkfr Files?

How to restore big files?

Try removing .lkfr extension on a few big files and opening them. This malware has issues with large file encryption. Either the virus read and did not encrypt the file, or it failed and did not add the filemarker. If you have very large files (2GB+), such a situation is highly probable. Please, let me know in the comments if that will work for you.

The newest extensions were released around the end of August 2019 after the criminals made changes. This includes Lkhy, Ldhy, Cdcc etc.

As a result of the alterations made by the criminals, STOPDecrypter is no longer backed. It has been replaced with the Emsisoft Decryptor for STOP Djvu Ransomware developed by Emsisoft.

You can download free decryption tool here: Decryptor for STOP Djvu.

  1. Select folders for decryption.

    Based on the default configurations, the decryptor will automatically choose the reachable directories to unlock the currently accessible drives (the connected ones), including the network drives. Additional (optional) locations can be selected with the aid of the “Add” button.

    Decryptors typically offer several options depending on the specific malware family. The present possible options are displayed in the Options tab and can be turned on or deactivated there. You may locate a comprehensive list of the currently active Options below.

  2. Click on the “Decrypt” button.

    As soon as you add all the desired locations for decryption to the list, click on the “Decrypt” button to initiate the decryption procedure.

    Note that the main screen may turn you to a status view, letting you know of the active process and the decryption statistics of your data:

    Emsisoft Decryptor - the decryption statistics

    The decryptor will notify you as soon as the decryption procedure is completed. If you need the report for your papers, you can save it by choosing the “Save log” button. Note that it is also possible to copy it directly to your clipboard and paste it into emails or messages here if you need to do so.

The Emsisoft Decryptor might display different messages after a failed attempt to restore your files:

✓ Error: Unable to decrypt a file with ID: [your ID]

Emsisoft failed to find a corresponding decryption key in their database.

✓ No key for New Variant online ID: [your ID]

Notice: this ID appears to be an online ID, decryption is impossible

Malware uses an online key to cipher your files. So no one else has the same encryption/decryption key pair. File recovery is only possible through paying the ransom. 🙁

✓ Result: No key for new variant offline ID: [example ID]

This ID appears to be an offline ID. Decryption may be possible in the future.

Malware used an offline key, but files could not be restored (the offline decryption key isn’t available yet). Nonetheless, this message is good news for you, because it is possible to restore your files in the future. 🙂

It can take a few weeks or months until the decryption key gets found and uploaded to the decryptor. Please follow updates regarding the decryptable DJVU versions here.

✓ Remote name could not be resolved

This stands for a DNS issue present in your system. Try resetting your HOSTS file to default.

How to Restore .lkfr Files?

In some cases ransomware is not doom for your files…

The Lkfr ransomware encryption mechanism is next: it encrypts every file byte-by-byte, then saves a file copy, erasing (not overriding!) the original file. Hence, the information on the file location on the physical disk is lost, but the original file is not deleted from the drive. The cell, or the sector where this file was kept, can still contain this file, but it is absent in the file system and can be replaced by data that has been loaded to this drive after the deletion. Hence, it is possible to retrieve your files using special software.

I recently had my PC infected by this virus. It managed to bypass 2 Antivirus software and 2 malware fighters.

Anyway, after realizing it was an online algorithm, it was impossible to retrieve my encrypted files. I also had my backup drive plugged in at the time of the virus, and this was also infected, or so I thought. Every folder within my backup drive had been infected and was encrypted. However, despite losing some important files, I retrieved almost 80% of my 2TB storage.

When I started going through the folders, I noticed the readme.txt ransom note in every folder. I opened some of the folders and found that all files that were not in a subfolder within that folder had been encrypted. However, I found a flaw and a glimmer of hope when I went into the subfolders in other folders and found that these files had not been encrypted. Every folder within my c and d drives, including subfolders, had been encrypted, but this was not the case with the backup drive. Having subfolders created within a folder has saved 80% of my data.

As I said, I believe this to be only a small loophole on a backup drive. I’ve since found a further 10 % of my data on another hard drive on a different PC. So my advice is if you use a backup drive, create subfolders. I was lucky, I guess. But I was also unlucky that the virus hit as I was transferring some files from my backup.

Hopefully, this can help some other people in my situation.

Jamie Newland
Some pointers for recovery repair of Lkfr files (true for all STOP/DJVU variants):
  • I have seen Stop/Djvu variants fail to encrypt deeper nested folders, so you can check that. You may find those are not encrypted.
  • This ransomware saves encrypted data to a new file and deletes the original. So there’s a slight chance part of that deleted file can be recovered using file recovery software. It’s unlikely the folder structure can be restored, so a free tool like PhotoRec may be as good as any.
  • This ransomware only partially encrypts (about the first 150 KB), so depending on file size and type of data, the non-encrypted part may be recoverable.
    • Joep

    Recovering your files with PhotoRec

    PhotoRec is a free open-source program, which is initially created for data recovery from damaged disks, or data recovery in case they are unintentionally deleted. However, with time flow, this program adopted the ability to restore the files of 400 different extensions. Hence, it can be used for file recovery after the Lkfr attack.

    First, you need to download this app. It is 100% free, but the developer notifies that there is no guarantee that the files will be retrieved. PhotoRec is distributed in a pack with another program of the same developer – TestDisk. The downloaded archive will bear the TestDisk name but don’t worry. PhotoRec files are right inside.

    To open PhotoRec, you need to find and open “qphotorec_win.exe” file. No installation process is needed – the program has all the files it needs within the archive, hence, you can mount it on your USB drive, and help your friends/parents/anyone who has been attacked by Lkfr ransomware.

    PhotoRec file in the folder for restore Lkfr files

    Upon the start, you will encounter the screen showing you the full list of your drives. However, these details are probably unhelpful, because the required menu is placed a bit higher. Click this bar, then choose the disk which was attacked by ransomware.

    Choose the disc in PhotoRec

    After choosing the disk, you need to pick the destination folder for the restored files. This menu is located at the lower part of the PhotoRec window. The best option is to export them on a USB drive or any other type of removable disk.

    Choosing the destination folder of recovery Lkfr files

    Then, you need to define the file formats. This option is located at the bottom, too. As it was mentioned, PhotoRec can regain the files in about 400 different formats.

    Choose the file format

    Finally, you can begin file retrieval by pressing the “Search” button. You will observe the screen where the outcomes of the scan and recovery are shown.

    Recovery process

    Lkfr files recovery Video Guide.


    Frequently Asked Questions

    🤔 How can I open “.lkfr” files?
    No way. These files are encrypted by ransomware. The contents of encrypted files are not available until they are decrypted.
    🤔 Lkfr has blocked my PC: I can’t get the activation code.
    In this situation, you need to prepare the memory stick with a pre-installed
    🤔 Decryptor did not decrypt all my files, or not all of them were decrypted. What should I do?
    Have patience. You are infected with the new version of STOP/DJVU ransomware, and decryption keys have not yet been released. Follow the news on our website. We will keep you posted when new keys or new decryption programs appear.
    🤔 What can I do right now?
    The Lkfr ransomware encrypts only the first 150KB of files. So MP3 files are rather large, some media players (Winamp for example) may be able to play the files, but – the first 3-5 seconds (the encrypted portion) will be missing. You can try to find a copy of an original file that was encrypted: Files you downloaded from the Internet that were encrypted and you can download again to get the original.

    I need your help to share this article.

    It is your turn to help other people. I have written this guide to help people like you. You can use the buttons below to share this on your favorite social media Facebook, Twitter, or Reddit.

    Brendan Smith

    References

    1. My files are encrypted by ransomware, what should I do now?
    2. About DJVU (STOP) Ransomware.

    German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian Hindi Italian

    About the author

    Brendan Smith

    Cybersecurity analyst covering malware families, suspicious files, and detection alerts. Brendan focuses on clear explanations of what a warning means, when it may be a false positive, and which cleanup steps are appropriate.

    View all posts

    Leave a Comment