Remove LMAS Ransomware Virus (DECRYPT .lmas FILES)

remove LMAS ransomware virus and decrypt your files (free guide)

LMAS Ransomware targets to encrypt all files on your computer

Contents

LMAS Ransomware targets to encrypt all files on your computer
- More about damage caused by this ransomware
- Ransomware Summary
Ransomware infection vectors: avoid getting infected
Remove LMAS ransomware virus safely and recover your files
Decrypt LMAS files
Frequently Asked Questions

LMAS ransomware is the newest addition to STOP/DJVU ransomware family (293rd version). This computer virus is made to encrypt all files on user’s computer with RSA algorithm, mark them with .lmas extension and then drop _readme.txt notes. For instance, file originally called 1.jpg becomes 1.jpg.lmas after encryption. On top of that, this malware performs other illegal activities, including installation of AZORULT Trojan, deletion of Volume Shadow Copies or modification of Windows HOSTS file. As stated in the _readme.txt file, cybercriminals behind this ransomware want the victim to pay a ransom ($490-$980 in Bitcoin) in exchange for file decryption tool. To get further instructions regarding the matter, the note suggests writing to one of provided email addresses: helpteam@mail.chor helpmanager@airmail.cc.

The ransom note briefly explains that all files have been encrypted with the “strongest encryption” and that the only way to restore these files is purchase LMAS decryption tool and key from the ransomware developers. The note suggests that without this software, pictures, videos, archives, databases and other important files will remain impossible to open. The note suggests testing the decryption tool by sending one small encrypted file via email attachment to provided addresses as well as the personal ID that’s included in the ransom note. The criminals promise to respond with a decrypted file version. This procedure is meant to convince the victim that it is “worth” paying the ransom.

The ransomware makes personal files inaccessible by encrypting them.

Speaking of the ransom price, the criminals suggest a 50% discount if the victim writes to them via first 72 hours from the infection timestamp. This way, the decryption software would cost $490. If the victim delays for more than 3 days, the ransom price bounces back to its full amount – $980 in Bitcoin. However, cybersecurity experts as well as FBI strongly advise against ransom payments. Some of the reasons why you shouldn’t transfer your money to criminals are:

If you pay the ransom, it doesn’t necessarily mean you will receive “promised” tools to decrypt your files. Even if you do, there’s a chance they won’t work properly.
The criminals might try to extort you repeatedly if they see that you’re willing to pay up. For example, they might threaten you by saying they have your private data and will publish it online if you won’t agree to transfer more money.
Transferring ransom payments to criminals might be considered illegal in your country.
Do not support cybercrime industry – this attracts more and more people join it and help to spread malware faster. The attackers collect millions in ransoms yearly.

More about damage caused by this ransomware

LMAS ransomware is capable of locking your files using cryptographic algorithms, but it isn’t the only malevolent task it completes upon arrival on your computer system. The malware is set to run Command Prompt commands to delete Volume Shadow Copies from your computer, thus preventing easy data recovery after the attack. In addition, the virus adds a list of domain names to Windows HOSTS file. This alteration helps to block specific websites so that the victim could no longer access them. The list includes variety of popular computer and tech-related websites, so our assumption is that the criminals are trying to stop the victim from searching for help online.

Additionally, this ransomware installs AZORULT password-stealer on the system. This is a Trojan with a wide set of functionalities, including, but not limited to stealing:

Steam and Telegram login credentials;
Cryptocurrency wallets;
Browser cookies as well as browsing history;
Saved passwords.

This Trojan can also be used as a remote access tool and perform the following activities on the compromised computer: view, delete or download files, drop malware and more. For this reason, it is important to clean your PC from malicious remains as soon as possible. We recommend you to remove LMAS ransomware virus along with installed malware using security software of your choice. To repair virus damage on the system and OS files, we strongly recommend downloading RESTORO.

SCAN WINDOWS SYSTEM

See Full Review

Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove detected issues manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.

Ransomware Summary

Name	LMAS Ransomware Virus
Type	Ransomware; Crypto-malware; Virtual Extortion Virus
Family	STOP/DJVU
Previous versions	VTYM, KQGS, XCBG, BPQD, EYRV, UIGD, VLFF (find full list here)
Version	293rd
Extension	.lmas
Damage	This ransomware virus is set to RSA-encrypt files on compromised computer or network. During the attack, the virus marks encrypted files with specific extension. Furthermore, the virus deletes system restore points and VSS to prevent victim from restoring files for free. Finally, the virus alters Windows HOSTS file to restrict access to certain websites online.
Ransom note	_readme.txt
Ransom demand	$490-$980 in Bitcoin
Distribution	This ransomware is distributed via torrent downloads, including software cracks, keygens or KMSPico.
Detection names	Trojan:Win32/Glupteba (Microsoft), Glupteba.Backdoor.Bruteforce.DDS (Malwarebytes), TR/AD.InstaBot.bfsbw (Avira), HEUR:Exploit.Win32.Shellcode.gen (Kaspersky), Trojan.GenericKD.36669904 (B)(Emsisoft), see all detection name variations on VirusTotal
Removal	Remove the ransomware with the help of trustworthy anti-malware program, then consider scanning with RESTORO to repair virus damage on Windows OS files.

DOWNLOAD RESTORO

The ransomware saves this _readme.txt note in every affected folder.

Ransomware infection vectors: avoid getting infected

LMAS ransomware distribution relies on illegal online downloads that many computer users search for – cracked software or game versions. The criminals tend to upload these to various file sharing websites and victims download them via various torrent clients without recognising malware in disguise. This technique is especially effective since computer users also tend to ignore security software’s warnings about potentially dangerous file. Unfortunately, upon opening such file, the ransomware gets downloaded from an external source and executed on the system.

STOP/DJVU victims report receiving a virus’ version after downloading a software crack.

Cybersecurity experts strongly advise getting software or game versions from official or confirmed sources only. Most of the time, criminals know which programs are paid but in high demand by computer users. This gives criminals an opportunity to lure potential victims by offering “free full versions” of such software. However, we suggest you to remember that if something seems too good to be true, it is most likely a scam. Do not get tricked by shady criminals and make sure you get programs or any downloads from legitimate sources only. Besides, software licenses cost way less than hefty ransoms that cybercriminals demand for file decryption.

Ransomware is also actively distributed via email spam in a form of attached file. Criminals tend to inject malicious scripts into DOCX, PDF, ACE, .JS and other format files. While the file might not be the ransomware itself, the malicious code in it can be designed to download the payload from specified URL and execute the ransomware on your computer. We suggest avoiding emails from unknown senders or suspicious ones that you did not expect to receive. Please remember that cybercriminals are extremely creative and leverage every possibility to deceive the potential victim based on nowadays topical issues such as COVID. For instance, with current situation worldwide, more people are shopping online. The criminals might distribute emails suggesting to review parcel info, invoice, or pending payment. Be careful and think twice before opening such emails.

Another popular technique to spread file-encrypting malware is by suggesting fake ransomware decryption tools. Criminals know that victims are desperately trying to find a way to decrypt their files, so they might disguise even more malware as decryption tools. Consequently, your files might become encrypted twice. One ransomware strain that was using this technique is called ZORAB.

Remove LMAS ransomware virus safely and recover your files

The primary task you need to complete is to remove LMAS ransomware virus and eradicate all other malicious remains from your computer. For this reason, we recommend using your preferred malware removal tool along with RESTORO to repair virus damage on the compromised computer. You should begin by booting your computer in Safe Mode with Networking first as explained in the comprehensive virus removal guide below.

Once LMAS ransomware removal is complete, we suggest using the advices provided below and restoring or repairing your files. Ideally, you should recover your files from a backup, but in case you didn’t create it prior to the attack, use other alternatives. Additionally, to improve your security we recommend changing your login credentials for accounts such as email, Steam or Telegram, Skype and other locations, especially those websites that you’ve asked your browser to save passwords for previously.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

REMOVE & PROTECT WITH INTEGO

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7.. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.

Read full review here.

STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

DOWNLOAD RESTORO

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.

Read full review here.

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

LMAS ransomware virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove LMAS ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.

Instructions for Windows XP/Vista/7 users

First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10/11 users

Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove LMAS ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.

Special Offer

DOWNLOAD AND SCAN

Compatibility: Microsoft Windows
See Full Review

RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10/11 users

Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

Wait until system loads and command prompt shows up.
Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt LMAS files

Fix and open large LMAS files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

Create a copy of encrypted file to a separate folder using Copy > Paste commands.
Now, right-click the created copy and choose Rename. Select the LMAS extension and delete it. Press Enter to save changes.
In the prompt asking whether you want to make the changes as file might become unusable, click OK.
Try opening the file.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. LMAS ransomware virus is considered the new STOP/DJVU variant, just like VTYM, KQGS, XCBG, BPQD, EYRV, UIGD, VLFF (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.

Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.

In order to test the tool and see if it can decrypt LMAS files, follow the given tutorial.

Download the decryption tool from Emsisoft.
Click the little arrow next to your download and choose Show in Folder.
Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
In UAC window, click Yes.
Click Yes to agree to software terms in both windows.
The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
Click Decrypt to start restoring LMAS files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.

Meanings of decryptor's messages

The LMAS decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:

Error: Unable to decrypt file with ID: [example ID]

This message typically means that there is no corresponding decryption key in the decryptor's database.

No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible

This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.

Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.

If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your LMAS extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Report Internet crime to legal departments

Victims of LMAS ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.
In Australia, go to the SCAMwatch website.
In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
In Ireland, go to the An Garda Síochána website.
In New Zealand, go to the Consumer Affairs Scams website.
In the United Kingdom, go to the Action Fraud website.
In Canada, go to the Canadian Anti-Fraud Centre.
In India, go to Indian National Cybercrime Reporting Portal.
In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.

Another recommendation is to contact your country's or region’s federal police or communications authority.

Frequently Asked Questions

✓ How can I open .LMAS files?

You can only open LMAS files if you have the decryption key, or if you were affected by offline encryption type.

✓ How do I know if my files were encrypted with offline or online encryption?

To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.

✓ My files contain very important information (family memories). Every tool I used says it is impossible to decrypt. What should I do?

Please follow the guidances provided by the official LMAS decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).

✓ I am afraid virus is still in my computer system. What should I do?

We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.

✓ I saw several Youtube videos suggesting secret decryption tools. Can I trust them?

Beware of fake LMAS decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.

Norbert Webb

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.