How to delete Lisp ransomware

Lisp ransomware is malware from the Djvu/STOP ransomware family, a notorious family with more than two hundred versions and new ones released on a regular basis. This version can be identified by the .lisp extension it adds to encrypted files.


Lisp ransom note

Lisp ransomware is file-encrypting malware, and it’s part of the Djvu/STOP malware family. There are a couple of hundred Djvu ransomware versions, and new ones are released on a regular basis. We have reported on plenty of other Djvu/STOP versions, such as Sglh, Epor, Vvoa, Agho, Vpsh and Jdyi. This version adds the .lisp extension, which is why it’s known as Lisp ransomware. In short, it will encrypt files, add the .lisp extension to them, drop a _readme.txt ransom note and demand that users pay $980 for file decryption (or $490 if users contact the cyber crooks behind this ransomware within 72 hours).

When it comes to ransomware, the consensus is that paying the ransom does not guarantee file decryption, hence why it’s not usually recommended. Users should keep in mind that they are dealing with cyber criminals who will not necessarily feel obligated to help users. Countless users have been left with encrypted files and no decryptor. Furthermore, paying only encourages cyber crooks to continue, as ransomware becomes profitable for them.

We should mention that there are free ransomware decryptors released by malware researchers to help victims. There is one for Djvu/STOP released by Emsisoft, but it will not work for newer versions because they use online keys to encrypt files, meaning each victim has a unique key. It’s not possible to develop a working decryptor without those keys. It is not beyond the realm of possibility that the keys will eventually be released by the cyber crooks themselves, or that law enforcement will catch them. If a decryptor were to be released, however, it would come from NoMoreRansom, Emsisoft, other anti-virus vendors or malware researchers. Downloading a decryptor from an unsafe source could lead to an additional malware infection.

If users have a backup, they can connect to it to recover files as soon as they delete Lisp ransomware. However, users need to make sure the ransomware is fully removed before accessing the backup. Otherwise, the backed-up files may become encrypted as well.

What does the ransomware do?

Lisp ransomware is essentially identical to other Djvu/STOP versions. This one adds .lisp to encrypted files, which is how users can recognize it. As an example, image.jpg -> image.jpg.lisp. The ransomware targets documents, videos, photos, etc., as those are the most important files to users. While it’s encrypting files, it shows a fake Windows Update window. Once the encryption process is complete, the ransomware drops a _readme.txt ransom note in all folders containing encrypted files. The ransom note pressures users to pay by claiming that paying is the only way to recover files. Unless users have a backup, that statement is unfortunately true. According to the note, users can recover one encrypted file for free, provided it does not contain important information. For all other files, users would need to pay the $980 ransom. The note also mentions that victims can get a 50% discount if they contact the crooks behind this ransomware within the first 72 hours. Nonetheless, whether there is a 50% discount or not, paying the ransom is very risky. Cyber criminals can easily take the money and not send the decryptor. And the harsh truth is that as long as victims continue paying the ransom because they don’t have a backup, ransomware gangs will continue to thrive.

Here is the ransom note dropped by this ransomware:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

If users have backup, they should have no issues with recovering files, assuming they fully delete Lisp ransomware first.
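The following is an added example, not part of the original article: a read-only Python inventory that uses the indicators described above (the .lisp extension and the _readme.txt note) to list which folders were affected and which original file names to restore from backup once the ransomware has been removed. The marker phrases are taken from the note quoted above; the function names and the sample folder tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".lisp"    # extension named in the article
NOTE_NAME = "_readme.txt"  # ransom note file name named in the article
# Phrases copied from the ransom note quoted in the article
NOTE_MARKERS = ("purchase decrypt tool", "Your personal ID", "$980")

def looks_like_note(path):
    """True if the file contains at least two phrases from the quoted note."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return False
    return sum(marker in text for marker in NOTE_MARKERS) >= 2

def inventory(root):
    """Map each affected folder to its note status and the names to restore."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        note = NOTE_NAME in files and looks_like_note(Path(folder) / NOTE_NAME)
        if encrypted or note:
            # image.jpg.lisp -> image.jpg: the name to look for in the backup
            restore = [f[: -len(ENCRYPTED_EXT)] for f in encrypted]
            report[os.path.relpath(folder, root)] = {"note": note, "restore": restore}
    return report

def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files, nothing is encrypted."""
    note = ("The only method of recovering files is to purchase decrypt tool.\n"
            "Price of private key and decrypt software is $980.\n"
            "Your personal ID:\n")
    layout = {
        "Pictures/image.jpg.lisp": "placeholder bytes",
        "Pictures/_readme.txt": note,
        "Docs/report.docx": "untouched file",
        "Tools/_readme.txt": "Ordinary project readme, not a ransom note.",
    }
    for rel, body in layout.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(inventory(tmp).items()):
            print(folder, info)
```

The script only reads file names and note text, so it can be pointed at a mounted copy of the affected disk without changing anything on it.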

Ransomware distribution

Generally, users who have bad browsing habits end up infecting their computers with malware. Among those bad habits are opening unsolicited email attachments, downloading pirated content via torrents, clicking on ads when on high-risk websites and not installing important security updates.

Spam email is one of the most common reasons why users end up infecting their computers with some kind of malware. Malicious actors use email addresses they purchased from hacker forums to send malware email attachments, and if users open those attachments, they end up allowing malware into their computers. Fortunately for users, it’s not difficult to recognize malspam. Users should always check that the sender is legitimate, look for grammar and spelling mistakes in the email itself, and scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.

Pirating via torrents is also a common way users pick up malware. Torrent sites are not regulated properly, which allows cyber criminals to easily upload their malware and disguise it as a torrent for a movie, TV show, video game, or some other entertainment content. Thus, users who torrent are at an increased risk of infecting their computers with malware.

It should also be mentioned that cyber criminals use system vulnerabilities to inject malware, which is why installing security updates on a regular basis is essential.

Lisp ransomware removal

Using anti-malware software is highly recommended to remove Lisp ransomware. This is a complicated malware infection, which is why users shouldn’t try manual Lisp ransomware removal. Users who have backup should only access it once the ransomware is no longer present. And unfortunately, removing the ransomware does not recover files.

Lisp ransomware is detected as:

  • Trojan.GenericKD.35358716 (B) by Emsisoft
  • A Variant Of Win32/Kryptik.HHQR by ESET
  • Trojan.MalPack.GS by Malwarebytes
  • Trojan.GenericKD.35358716 by BitDefender
  • Artemis!185749FFBB86 by McAfee
  • HEUR:Exploit.Win32.Shellcode.gen by Kaspersky
  • Trojan:Win32/EmotetCrypt!ml by Microsoft