Litar Ransomware

Litar Ransomware Description

The Litar Ransomware is a variant of the STOP Ransomware, also known as Djvu. The Litar Ransomware encrypts your documents and other files and demands payment in return for decrypting them. The Litar Ransomware leaves a file called _readme.txt on the infected system's desktop with instructions on how to pay the ransom.

How the Litar Ransomware Attack Works

The Litar Ransomware can be identified by the signature extension ".litar" it appends to infected files. The Litar Ransomware typically targets the following file extensions:

.litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpeg, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi.

The Litar ransom note follows the same pattern as most other ransomware of this class:

  • Inform the user their files have been encrypted.
  • Offer to decrypt one file for free (this requires a download of yet another unsafe software).
  • State a price to be paid for complete decryption.
  • Offer a discount for quick payment.
  • List some ways to contact the attacker.
  • An identifying key.

The Litar Ransomware is spread through spam email and other methods that require a user to download something. It exploits vulnerable devices and operating systems without a good, up-to-date third-party anti-virus software. The Litar Ransomware spam emails have been reported as spoofing shipping companies like FedEx. The email states that a package delivery was not completed due to some reason, or sometimes it may pretend that a package you've sent was delivered. The email contains a link to a file download or an attached file that you might open. Once opened, the malware spreads aggressively throughout the system.

The Litar Ransomware also has been reported to attack in a slightly different way: opening up a Remote Desktop Connection and then attempting to access a password-protected system using password-cracking software.

Sample Ransom Note

'ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-hvv30uAtTY
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
ferast@firemail.cc
Our Telegram account: @datarestore
Your personal ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

Protecting Yourself from the Litar Ransomware

Always check where the files you download from the Internet are from or your email came from. Spam usually comes from obviously fake sources, and the links are easily detected as fake by reading or googling them. A device also may get infected with the Litar Ransomware through downloaded torrent files with threatening software. Always keep good third-party anti-virus software installed on all your devices. Anti-virus software requires virus definitions which might be updated daily. Make sure you download all the updates for your protective software. It also is generally a good idea to keep important data backed up in a separate location and always on multiple devices or the cloud.

My Device has been Infected. What do I do Now?

You should never reach out to the email addresses mentioned in the ransomware. Like most malware, the chances of recovering files encrypted by it are negligible, and at best, you will be opening your machine up for a further invasion of your privacy and devices. You should stop putting new software, documents, or other files on the infected system immediately and use an anti-0virus or anti-malware tool to remove the threat before attempting any recovery. You should format your hard drive to be certain absolutely that any malware has been removed permanently.

One Comment

  • mihda:

    i was use spyhunter 4, but the file can'not decryp with this, my file encrypt with LITAR VIRUS RANSOME, Please help me