tommy iowa
Posted March 13, 2019

Is there any hope for file recovery after getting hit with the .lukitus virus?
quietman7
Posted March 14, 2019

The extension looks random. There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc character extension to the end of all affected filenames to include CTB-Locker, Crypt0L0cker, Magniber, GandCrab V5+, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, MrDec (Mr.Dec), SynAck, Maktub Locker, Alma Locker, Princess Locker, Princess Evolution, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants.

The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its actual name and contents), samples of the encrypted files, possible filemarkers, the malware file itself responsible for the infection and information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomwares with random extension and more accurately identifies ransomwares by filemarkers if applicable.

Based on infection rates we see, you are most likely infected with a variant of GandCrab V5.

GandCrab V5 (V5.0.1) will have a random 5 character extension (i.e. .fbkdp .ibagx .qikka) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. qikka-DECRYPT.html, eiuhtxjzs-DECRYPT.html).

GandCrab V5.0.2 and GandCrab V5.0.3 will have a random 5-9 character extension (i.e. .fnxfavh, .eiuhtxjzs, .ilrkdszxe) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. fnxfavh-DECRYPT.html, eiuhtxjzs-DECRYPT.html).

GandCrab V5.0.4+ will have a random 5-10 upper-case character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random upper-cased extension]-DECRYPT.txt (i.e. LUKIZQW-DECRYPT.txt, TKKLKM-DECRYPT.txt).

GandCrab V5.1+ will have a random 5-10 upper-case character extension appended to the end of the encrypted data filename.

GandCrab V5.2, like its predecessors, will also have a random 5-10 character extension appended to the end of the encrypted data filename.

If confirmed, Bitdefender released a free decrypter for GandCrab V1, V4 and up through V5.1+ recognizable by their extensions... .GDCB, .KRAB and random 5-10 characters (i.e. .fbkdp .ibagx .qikka, .eiuhtxjzs9, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) respectively.

BDGandCrabDecryptTool Requirements, download and How to use the Tool
Decryption Tools: GandCrab (V1, V4 and V5 up to V5.1 versions) alternate download
How to use the Bitdefender GandCrab Decryption Tool Manual

Files encrypted by GandCrab V5.2 are not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities like previous versions. The criminals released V5.2 after Bitdefender updated its decrypter for V5.1 so it will not work on this latest version. Bitdefender confirmed that there is no decryption tool for GandCrab V5.2.

GandCrab Decrypter Available for v5.1, New 5.2 Variant Already Out
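The naming rules in the post above can be checked against a folder listing before uploading anything to ID Ransomware. This is an added example, not part of the original thread or of any tool it mentions; the function names and sample listings are constructed, and it assumes letters-only extensions with lower case for V5.0.1 to V5.0.3, as inferred from the post's examples.

```python
import re
from collections import Counter

# Note-name shape from the post: <random extension>-DECRYPT.html or .txt
# Assumption: letters only, 5-10 characters, as in the post's examples.
NOTE_RE = re.compile(r"^([A-Za-z]{5,10})-DECRYPT\.(html|txt)$")

def classify_note(ext, suffix):
    """Map a ransom-note name onto the GandCrab V5 naming rules quoted in the post."""
    if suffix == "html" and ext.islower():  # lower case inferred from the examples
        if len(ext) == 5:
            return "GandCrab V5.0.1 to V5.0.3 naming"
        if len(ext) <= 9:
            return "GandCrab V5.0.2/V5.0.3 naming"
    if suffix == "txt" and ext.isupper():
        return "GandCrab V5.0.4+ naming"
    return None

def triage(filenames):
    """Return (verdict, extension) for the file names found in one affected folder."""
    appended = Counter(n.rsplit(".", 1)[1] for n in filenames if "." in n)
    for name in filenames:
        m = NOTE_RE.match(name)
        if not m:
            continue
        ext, suffix = m.groups()
        verdict = classify_note(ext, suffix)
        # Trust a note only if its prefix is also the extension appended to files.
        if verdict and appended[ext] > 0:
            return verdict, ext
    # A random-looking extension without a matching note identifies nothing.
    return "unidentified: submit note and sample files to ID Ransomware", None

# Constructed folder listings (not real case data).
SAMPLE_HTML = ["budget.xlsx.qikka", "photo.jpg.qikka", "qikka-DECRYPT.html"]
SAMPLE_TXT = ["notes.docx.TKKLKM", "TKKLKM-DECRYPT.txt"]
SAMPLE_NO_NOTE = ["invoice.pdf.lukitus", "scan.png.lukitus"]

if __name__ == "__main__":
    for listing in (SAMPLE_HTML, SAMPLE_TXT, SAMPLE_NO_NOTE):
        print(triage(listing))
```

A naming match does not separate V5.2 from the earlier versions, which the post says decides whether the Bitdefender tool can help, so ID Ransomware remains the confirmation step.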
GT500
Posted March 14, 2019

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.
Amigo-A
Posted March 29, 2019

This extension was used by Locky Ransomware in a version dated August 17, 2017.