L54 Ransomware

L54 Ransomware Description

The L54 Ransomware is another threat spawned from the MedusaLocker malware family. Although the L54 Ransomware lacks any meaningful improvements or additions, this new MedusaLocker Ransomware variant is still powerful enough to cause severe damage to infected devices. By initiating an encryption process with an uncrackable cryptographic algorithm, the threat can effectively render nearly all of the information stored on the computer inaccessible and unusable. The goal of the hackers is then to extort their victims for money in exchange for a promise to send the decryption key and tool that could restore the files.

All files impacted by the threat will have their original names modified. The L54 Ransomware marks them by appending '.L54' as a new extension. After it is done encrypting data, the malware creates a new HTML file named 'HOW_TO_RECOVER_DATA.html', which carries the threat's ransom note.

Ransom Note's Details

According to the message, L54 uses a combination of the AES and RSA algorithms when encrypting files. Victims are warned that modifying, renaming, or trying to restore the locked files with third-party tools could lead to permanent damage. In addition, the hackers state that they have managed to obtain sensitive data from the compromised devices, which will be released to the public or sold to interested parties if their demands are not met. To contact the attackers, users are provided with a link leading to a site hosted on the TOR network and two email addresses: 'ithelp02@decorous.cyou' and 'ithelp02@wholeness.business'. The note concludes with another warning, this time stating that after 72 hours have passed, the price of the ransom will go up.

The full text of the note is:

'YOUR PERSONAL ID:

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Note that this server is available via Tor browser only

Follow the instructions to open the link:

Type the addres "hxxps://www.torproject.org" in your Internet browser. It opens the Tor site.

Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.

Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onio

Start a chat and follow the further instructions.

If you can not use the above link, use the email:
ithelp02@decorous.cyou
ithelp02@wholeness.business

To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.
'
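
The following is an added example, not part of the original article: a read-only triage script that uses the indicators described above (the appended '.L54' extension, the 'HOW_TO_RECOVER_DATA.html' note and strings quoted from its text) to scope which directories were hit and to recover the original file names for matching against backups. The function names and the choice to check both UTF-8 and UTF-16LE note encodings are assumptions made for this example.

```python
import os
import sys

# Indicators quoted in the article above.
ENCRYPTED_EXT = ".l54"  # compared case-insensitively
NOTE_NAME = "how_to_recover_data.html"
NOTE_MARKERS = ("ithelp02@decorous.cyou", "ithelp02@wholeness.business", "(RSA+AES)")

def note_is_confirmed(path, max_bytes=512 * 1024):
    """True if the file contains at least one marker string from the note."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return False
    # Assumption: the note's on-disk encoding is not stated, so try two.
    return any(m.encode(enc) in data
               for m in NOTE_MARKERS for enc in ("utf-8", "utf-16-le"))

def scan(root):
    """Read-only walk of root; returns findings keyed by directory path."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        entry = {"original_names": [], "confirmed_notes": 0, "lookalike_notes": 0}
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # The extension is appended, so stripping it yields the
                # original name to look for in backups.
                entry["original_names"].append(name[:-len(ENCRYPTED_EXT)])
            elif lower == NOTE_NAME:
                confirmed = note_is_confirmed(os.path.join(dirpath, name))
                entry["confirmed_notes" if confirmed else "lookalike_notes"] += 1
        if any(entry.values()):
            findings[dirpath] = entry
    return findings

def totals(findings):
    """Return (affected_dirs, encrypted_files, confirmed_notes)."""
    return (len(findings),
            sum(len(e["original_names"]) for e in findings.values()),
            sum(e["confirmed_notes"] for e in findings.values()))

if __name__ == "__main__":
    result = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, entry in sorted(result.items()):
        print(directory, len(entry["original_names"]), entry["confirmed_notes"])
    print("dirs=%d encrypted=%d confirmed_notes=%d" % totals(result))
```

Run it against a mounted copy or read-only share where possible; a file that has the note's name but none of the marker strings is counted separately as a lookalike rather than as evidence of infection.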