How to remove Lukitus virus and restore encrypted files

Lukitus is the second version of Locky ransomware released this month, and its creators clearly intend to produce more. The virus is almost identical to the previous version: the only differences are a slightly modified ransom note and a new file extension, .lukitus. The authors are evidently trying to slow researchers' progress in breaking the virus, and will therefore keep making minor changes to its code. So far there is no evidence of progress in that research, so users can only hope for the best.




Until a decryption program is created, users affected by the virus should focus not on recovering files but on removing the virus from the computer and on protecting against re-infection. It is much easier to protect yourself from the virus than to deal with the results of its actions later. Ransomware creators favor two methods of infection. The second most popular is to use zero-day vulnerabilities to penetrate the system. This is how the WannaCry virus spread, and it allowed its creators to earn hundreds of thousands of dollars in a short period of time. The only drawback of this method is that software developers quickly fix such vulnerabilities, and new vulnerabilities suitable for infection are not easy to find. The more reliable method depends not on flaws in software but on the human factor: infection through e-mail. Scammers send out fake messages, composed so that the user wants to open the attached file, which contains the virus. This is how all versions of Locky, including Lukitus, reached their victims' computers, so we will focus on it. Here are a few simple and effective tips to help you protect your computer from ransomware:


  • The easiest way to protect yourself from fraud is to create separate mailboxes for different activities. For example: one mailbox for communicating with friends, one for work and one for registering on websites. Scammers do not know who owns the mailbox they are spamming and act at random, while you know that your personal e-mail will never receive a work-related message and vice versa. This filters out most dangerous messages.
  • If you are going to open a message with an attached file without being sure that it is safe, use a so-called sandbox program. Such programs exist both as standalone tools and as part of antivirus suites and some mail services. The sandbox lets you open a file in quarantine, so that it cannot affect or infect the system. Use such a program when opening any message that contains files.
  • Even if the virus has already penetrated the computer, you can still protect yourself, or rather keep the ability to restore your files. The rule is simple: do not use an account with administrator rights. After penetrating the system and encrypting the files, the virus will try to remove the shadow copies from which you could restore them. Deleting the copies requires administrator privileges and user confirmation, and if the copies are not deleted, you can later easily recover all the data.
  • If the virus has penetrated the system and you, using an account with administrator rights, have confirmed the removal of shadow copies, only backups can save you. If important information is stored on your PC, a backup is the most reliable way to protect it. Save important files on external media and disconnect the media from the computer. Then, even if the virus penetrates the system, you can remove it and restore from the backup.




These four simple tips will help you prevent infection, or cope with it at one of the intermediate stages. If the files are already encrypted, you can only wait for the experts to hack into the scam site and get the master encryption key. However, even if you are going to pay the ransom (which we do not recommend, as there is no guarantee of data recovery after it is paid), you still need to remove the virus from your computer so that you can use it normally.

How to delete Lukitus Virus

Removing viruses like Lukitus manually is almost impossible, because if you make an error the virus will fully recover and may completely delete all files. To avoid this, follow our instructions very carefully. Carry out each step exactly as described, and after a few minutes you will be rid of the virus and able to use the computer safely again. An alternative is to use a dedicated antivirus scanner that deletes the malware components completely.



Removal instructions

If you are a Mac user, follow this guide: how to decrypt files on Mac.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok


Step 3. Remove virus files


Check the following folders for suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder
  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean the startup registry keys listed below (where two hives are given, check the key under both):
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
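
Steps 3 to 5 can be reviewed from one PowerShell session before anything is deleted. The script below is an added example, not part of the original guide; it only lists candidates, and it assumes PowerShell 3.0 or later, a 14-day look-back window and an extension list chosen for illustration.

```powershell
# Added example: read-only audit for Steps 3-5. It lists candidates and deletes nothing.
$days = 14   # assumption: look-back window in days; set it to cover the suspected infection date

# Step 3: executable or script files recently written under %TEMP% and %ProgramData%
$ext   = '.exe', '.dll', '.scr', '.js', '.vbs', '.wsf', '.bat', '.cmd', '.ps1'   # illustrative list
$since = (Get-Date).AddDays(-$days)
Get-ChildItem -Path $env:TEMP, $env:ProgramData -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $ext -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending |
    Format-Table LastWriteTime, Length, FullName -AutoSize

# Step 4: active lines in the hosts file (everything that is not blank and not a comment)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile |
    Where-Object { $_.Trim() -and -not $_.TrimStart().StartsWith('#') }

# Step 5: every value under the startup keys named in the guide, in both hives
$subKeys  = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce'
$autoruns = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in $subKeys) {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # RunServices* keys are absent on many systems
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }
}
$autoruns | Format-Table -AutoSize -Wrap

# Userinit normally points only at userinit.exe in System32; extra programs after the comma are suspect
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
(Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
```

Compare the listed files and startup commands with software you know you installed before removing anything in Regedit or Explorer.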

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot

How to restore files encrypted by Lukitus

In this guide we have already mentioned that a user whose machine has been hit by an encrypting virus has only one entirely reliable way to restore files: restoring them from backups. Try the remaining methods only if there is no other choice, and be prepared for them to fail. The main advantage of backup copies is that they are kept on separate media, out of the virus's reach.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select checkpoint to restore


The other methods depend on services built into the OS, and their effectiveness may be reduced by the virus itself and by a lack of skill. We can suggest two more recovery techniques: you can use the shadow copy service, or a special program to restore the data. Decryption with a dedicated decryptor would be very effective, but unfortunately such a tool does not yet exist. News about progress on such a program may appear on the official web pages of EmsiSoft, MalwareHunterTeam and Kaspersky Lab. Manual restoration from Shadow Volume Copies can be attempted immediately. You can use the built-in Windows functionality, but there are also programs that make the task simpler: Recuva and ShadowExplorer. Both are free and available from their official websites, along with detailed guides for their use.
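
Whether shadow-copy recovery is possible at all depends on the copies having survived, as noted in the tip about administrator rights above. The following check is an added example, not part of the original guide; it assumes PowerShell 3.0 or later and an elevated prompt, and the `$encryptedAt` value is a placeholder to replace with the time the files were encrypted.

```powershell
# Added example: read-only inventory of Volume Shadow Copies per local disk.
# Run from an elevated prompt; querying Win32_ShadowCopy needs administrator rights.
$encryptedAt = (Get-Date).AddDays(-1)   # assumption: replace with the time the files were encrypted

$volumes = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3'
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)

$report = foreach ($vol in $volumes) {
    # A shadow copy's VolumeName matches the DeviceID of the volume it was taken from
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } | Sort-Object InstallDate)
    # Only copies taken before the encryption still hold unencrypted versions of the files
    $usable = @($copies | Where-Object { $_.InstallDate -lt $encryptedAt })
    [pscustomobject]@{
        Volume                = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.Name }
        ShadowCopies          = $copies.Count
        TakenBeforeEncryption = $usable.Count
        NewestUsable          = if ($usable.Count) { $usable[-1].InstallDate } else { $null }
    }
}
$report | Format-Table -AutoSize
```

A volume showing zero copies taken before the encryption time has nothing for ShadowExplorer or the built-in restore to work from, which leaves backups as the remaining option.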



