Cyber Security Center

How to remove Lyli ransomware


Lyli ransomware is yet another newly released member of the notorious Djvu/STOP ransomware family. This version adds the .lyli file extension and drops the usual _readme.txt ransom note.

 

Lyli ransom note

Discovered by malware researcher Michael Gillespie, Lyli ransomware is file-encrypting malware that belongs to the Djvu/STOP ransomware family. Just like all the previous versions, Lyli ransomware is a dangerous malware that may lead to permanent file encryption. It targets individual users, encrypts files they think of as most important (photos, videos, documents) and then demands that users pay $980 in exchnage for a decryptor. But even if users pay, there are no guarantees that a working decryptor would be sent, or even if one would be sent at all. So in the end, some users may lose both their money and their files. It has happened many times in the past, after all. However, without that decryptor, file decryption is unlikely.

While malware researchers and anti-virus vendors do release free decryptors to help victims, it’s not always possible. Older versions of Djvu are decryptable with Emsisoft’s free decryption tool, but it does not work on the majority of newer versions. In the case of Lyli ransomware, it would only work if files were encrypted with an offline key. Unfortunately, no free decryptor being available means that the only way to recover files is backup. If users backed up files before their computers got infected with ransomware, they could access backup as soon as they delete Lyli ransomware from their computers, preferably with anti-malware software.

How does ransomware infect a computer

Like most ransomware, Lyli spreads via malicious email attachments, torrents, software cracks, etc. Essentially, users who have bad browsing habits are the ones who most commonly infect their computers with some kind of malware. Developing better habits can go a long way towards avoiding a malware infection.

Users who download copyrighted content via torrents are often risking some kind of infection. Forums and sites dedicated to torrents are often unregulated, which makes it very easy for malicious actors to upload malware concealed as content that’s popular at that time, such as movies, TV shows, games or software. So users themselves unknowingly allow the malware onto their computers. Not to mention that pirating is essentially stealing content.

One of the most common ways users get ransomware is by opening spam email attachments. Malicious actors use leaked email addresses to launch spam email campaigns that carry malware. The email addresses of potential targets are often bought from hacking forums. The emails are often made to look like some kind of official correspondence, though it’s usually a very poor attempt. Despite senders claiming to be from known companies/organizations, their email addresses are unprofessional looking or just outright nonsense, the email themselves are also full of grammar and spelling mistakes. The malicious emails also put strong pressure on users to open the attached file by claiming it’s some kind of important document, invoice, etc. Users who open the file end up allowing ransomware to initiate. This is why all unsolicited email attachments should be scanned with anti-virus software or VirusTotal.

Is it possible to decrypt Lyli ransomware encrypted files?

As soon as the ransomware is initiated, it will start file encryption. Once the encryption process is complete, all affected files will have the .lyli extension. The extension allows users to determine which ransomware they are dealing with. It’s also why this malware is called Lyli ransomware. A ransom note _readme.txt will also be dropped and it will explain how users can proceed to purchase the decryptor if they wish to do so. However, we strongly recommend against paying the $980 (or the $490) ransom as it will not necessarily lead to file decryption. Users should remember that these are cyber criminals they are dealing with, and they likely will not feel obligation to help, even after the payment has been made.

Unfortunately, this leaves backup as the only way to recover files at this current moment.

Here is the full Lyli ransomware ransom note:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-NYlGSMNN9r
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Lyli ransomware removal

Users should not attempt to delete Lyli ransomware manually, as that could cause even more damage. Instead, using anti-malware software is recommended. Unfortunately, removing the ransomware does not decrypt files, the decryptor is necessary for that. Once the ransomware is no longer present, users can start Lyli ransomware file recovery via backup.

Lyli ransomware is detected as:

  • A Variant Of Win32/Kryptik.HGLF by ESET
  • Trojan.GenericKDZ.70420 (B) by Emsisoft
  • HEUR:Trojan-Ransom.Win32.Stop.gen by Kaspersky
  • Trojan.MalPack.GS by Malwarebytes
  • Trojan:Win32/Ymacco.AA93 by Microsoft
  • Trojan-FSUC!97F1059D7A6D by McAfee
  • ML.Attribute.HighConfidence by Symantec