March 22, 2017
A new ransomware was discovered today by MalwareHunterTeam called LLTP Ransomware or LLTP Locker that is targeting Spanish speaking victims. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.
In summary, the LLTP Ransomware has the ability to work in online or offline mode. So regardless of whether there is a connection to the Internet, the ransomware will still encrypt a victim's files. Furthermore, unlike most ransomware, this family assigns different extensions to encrypted files based upon the file's original extension.
Unfortunately, at this time there is no way to decrypt this ransomware for free.
How the LLTP Ransomware Encrypts a Computer
When first started, the LLTP ransomware will connect to its Command & Control server located at http://moniestealer.co.nf and send the victim's computer name, user name, and the identifier string "lltp2.4.0". From the lltp2.4.0 string, I am making the assumption that the ransomware developers consider this version 2.4.0 of the ransomware.
When the ransomware connects to the C2 server, the C2 server will respond with a AES password that is used to encrypt the victim's files and an ID that will be inserted into the ransom notes. If the ransomware is unable to connect with the C2 server, then the ransomware itself will generate this information.
The encryption password is then encrypted using an embedded public RSA encryption key and saved in a file called %UserProfile%\AppData\Local\Temp\tlltpl.tlltpl as shown below.
Saving the Encryption Key to tlltpl.tlltpl
Below is the current embedded RSA key used to encrypt the victim's AES password.
The LLTP ransomware will now proceed with encrypting the victim's files using AES-256 encryption. Unlike most ransomware, this family utilizes a different extension for encrypted files depending on the file's original extension. With LLTP, if a file contains one of the following extensions it will append the .ENCRYPTED_BY_LLTP extension to the encrypted file.
If a file has one of these extensions, then it will use the .ENCRYPTED_BY_LLTPp extension.
When encrypting a file it will take the original filename, Base64 encode it, and then append the appropriate extension based on the file types listed above. For example, a file named Wildlife.wmv will be encrypted to a file named V2lsZGxpZmUud212.ENCRYPTED_BY_LLTPp.
While encrypting files, it will skip any files located in the following folders:
The ransomware will also create a folder called %Temp%\lltprwx86\ and extract into it a file called encp.exe, which is a renamed copy of Rar.exe. It will then create a subfolder called vault and make a copy of all the files encrypted with a .ENCRYPTED_BY_LLTPp extension. When finished, it will use the encp.exe to create a password protected RAR archive of the vault folder. The password for this archive will be the same 32 character passwords used to encrypt the files. The reason for creating this archive is currently unknown.
The command used to create the password protected archive is:
When the encryption process is done, LLTP will delete the shadow volume copies on the computer to prevent a victim from recovering files. It does this by issuing the following command:
It will also extract a file called RansomNote.exe and store it on the desktop. It will then create an autostart so that this program run automatically when a user logs into Windows. When executed, this program will display a Spanish ransom note to the victim as shown below.
Spanish Ransom Note
It will also extract a text ransom note on the desktop called LEAME.txt.
Leame.txt Ransom Note
Finally the ransom will download a jpg file from http://i.imgur.com/VdREVyH.jpg and use it as the desktop background.
As previously said, unfortunately at this time the LLTP Ransomware does not look like it can be decrypted.
Files associated with the LLTP Ransomware:
Registry entries associated with the LLTP Ransomware:
LLTP Lock Screen Ransom Note Text:
LEAME.txt Ransom Note Text: