The ransom note briefly explains that all files have been encrypted with the “strongest encryption” and that the only way to restore these files is purchase LMAS decryption tool and key from the ransomware developers. The note suggests that without this software, pictures, videos, archives, databases and other important files will remain impossible to open. The note suggests testing the decryption tool by sending one small encrypted file via email attachment to provided addresses as well as the personal ID that’s included in the ransom note. The criminals promise to respond with a decrypted file version. This procedure is meant to convince the victim that it is “worth” paying the ransom. Speaking of the ransom price, the criminals suggest a 50% discount if the victim writes to them via first 72 hours from the infection timestamp. This way, the decryption software would cost $490. If the victim delays for more than 3 days, the ransom price bounces back to its full amount – $980 in Bitcoin. However, cybersecurity experts as well as FBI strongly advise against ransom payments. Some of the reasons why you shouldn’t transfer your money to criminals are:
If you pay the ransom, it doesn’t necessarily mean you will receive “promised” tools to decrypt your files. Even if you do, there’s a chance they won’t work properly.The criminals might try to extort you repeatedly if they see that you’re willing to pay up. For example, they might threaten you by saying they have your private data and will publish it online if you won’t agree to transfer more money.Transferring ransom payments to criminals might be considered illegal in your country.Do not support cybercrime industry – this attracts more and more people join it and help to spread malware faster. The attackers collect millions in ransoms yearly.
More about damage caused by this ransomware
LMAS ransomware is capable of locking your files using cryptographic algorithms, but it isn’t the only malevolent task it completes upon arrival on your computer system. The malware is set to run Command Prompt commands to delete Volume Shadow Copies from your computer, thus preventing easy data recovery after the attack. In addition, the virus adds a list of domain names to Windows HOSTS file. This alteration helps to block specific websites so that the victim could no longer access them. The list includes variety of popular computer and tech-related websites, so our assumption is that the criminals are trying to stop the victim from searching for help online. Additionally, this ransomware installs AZORULT password-stealer on the system. This is a Trojan with a wide set of functionalities, including, but not limited to stealing:
Steam and Telegram login credentials;Cryptocurrency wallets;Browser cookies as well as browsing history;Saved passwords.
This Trojan can also be used as a remote access tool and perform the following activities on the compromised computer: view, delete or download files, drop malware and more. For this reason, it is important to clean your PC from malicious remains as soon as possible. We recommend you to remove LMAS ransomware virus along with installed malware using security software of your choice. To repair virus damage on the system and OS files, we strongly recommend downloading RESTORO.
Ransomware Summary
Ransomware infection vectors: avoid getting infected
LMAS ransomware distribution relies on illegal online downloads that many computer users search for – cracked software or game versions. The criminals tend to upload these to various file sharing websites and victims download them via various torrent clients without recognising malware in disguise. This technique is especially effective since computer users also tend to ignore security software’s warnings about potentially dangerous file. Unfortunately, upon opening such file, the ransomware gets downloaded from an external source and executed on the system. Cybersecurity experts strongly advise getting software or game versions from official or confirmed sources only. Most of the time, criminals know which programs are paid but in high demand by computer users. This gives criminals an opportunity to lure potential victims by offering “free full versions” of such software. However, we suggest you to remember that if something seems too good to be true, it is most likely a scam. Do not get tricked by shady criminals and make sure you get programs or any downloads from legitimate sources only. Besides, software licenses cost way less than hefty ransoms that cybercriminals demand for file decryption. Ransomware is also actively distributed via email spam in a form of attached file. Criminals tend to inject malicious scripts into DOCX, PDF, ACE, .JS and other format files. While the file might not be the ransomware itself, the malicious code in it can be designed to download the payload from specified URL and execute the ransomware on your computer. We suggest avoiding emails from unknown senders or suspicious ones that you did not expect to receive. Please remember that cybercriminals are extremely creative and leverage every possibility to deceive the potential victim based on nowadays topical issues such as COVID. For instance, with current situation worldwide, more people are shopping online. The criminals might distribute emails suggesting to review parcel info, invoice, or pending payment. Be careful and think twice before opening such emails. Another popular technique to spread file-encrypting malware is by suggesting fake ransomware decryption tools. Criminals know that victims are desperately trying to find a way to decrypt their files, so they might disguise even more malware as decryption tools. Consequently, your files might become encrypted twice. One ransomware strain that was using this technique is called ZORAB.
Remove LMAS ransomware virus safely and recover your files
The primary task you need to complete is to remove LMAS ransomware virus and eradicate all other malicious remains from your computer. For this reason, we recommend using your preferred malware removal tool along with RESTORO to repair virus damage on the compromised computer. You should begin by booting your computer in Safe Mode with Networking first as explained in the comprehensive virus removal guide below. Once LMAS ransomware removal is complete, we suggest using the advices provided below and restoring or repairing your files. Ideally, you should recover your files from a backup, but in case you didn’t create it prior to the attack, use other alternatives. Additionally, to improve your security we recommend changing your login credentials for accounts such as email, Steam or Telegram, Skype and other locations, especially those websites that you’ve asked your browser to save passwords for previously. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove LMAS ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove LMAS ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt LMAS files
Fix and open large LMAS files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. LMAS ransomware virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt LMAS files, follow the given tutorial.
Meanings of decryptor’s messages
The LMAS decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your LMAS extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of LMAS ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.