
LMAOxUS Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 9
First Seen: April 6, 2017
Last Seen: December 30, 2019
OS(es) Affected: Windows

The LMAOxUS Ransomware is a ransomware Trojan based on an open source ransomware Trojan released on GitHub and known as Stolich. Stolich is a project started by Ahmad Kazi, a programmer who goes by the online handle 'empinel.' Stolich itself is a version of EDA2, another open source ransomware engine made public in recent years. The LMAOxUS Ransomware is derived from these free, open source ransomware Trojans and is being used to attack computer users who play the computer game Minecraft. The LMAOxUS Ransomware is being distributed disguised as a cracked version of this famous computer game.

The LMAOxUS Ransomware - A Pompous Name of a Mere Threat

The LMAOxUS Ransomware is very similar to the many variants of EDA2 that have already been active. The LMAOxUS Ransomware scans the victim's computer and makes a list of all files that will be encrypted in its attack. Using a strong encryption algorithm, a combination of AES and RSA, the LMAOxUS Ransomware encrypts the victim's data. The LMAOxUS Ransomware communicates with its Command and Control server so that the decryption key is kept completely out of the computer user's reach. The LMAOxUS Ransomware demands the payment of a ransom in exchange for the decryption key needed to recover the affected files. The LMAOxUS Ransomware's ransom note is contained in a text file named 'LMAO_READ_ME.txt' that is delivered to the infected computer's desktop. The LMAOxUS Ransomware also will attempt to connect to the website 'lmaoxus.gg' using the infected computer's default Web browser. The infected computer's desktop background will be changed to a message on a black background with the following text:
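The two host-observable indicators named above (the ransom note dropped on the desktop and the lookup of 'lmaoxus.gg') are enough for a simple endpoint correlation. The following is an added example written for this entry, not code from the write-up or from the Trojan itself; the telemetry format and the sample event lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up above: the ransom note file name and
# the site the Trojan opens in the default browser.
RANSOM_NOTE = "LMAO_READ_ME.txt"
RANSOM_DOMAIN = "lmaoxus.gg"
# A file under any user's Desktop folder (Windows path layout).
DESKTOP_RE = re.compile(r"\\Users\\[^\\]+\\Desktop\\", re.IGNORECASE)

# Constructed sample telemetry, one event per line: "<host> <event_type> <detail>".
# These lines are made up for the example; they are not logs from a real infection.
SAMPLE_EVENTS = """\
WS01 FileCreate C:\\Users\\alice\\Desktop\\LMAO_READ_ME.txt
WS01 DnsQuery lmaoxus.gg
WS02 FileCreate C:\\Users\\bob\\Documents\\notes.txt
WS02 DnsQuery example.org
WS03 DnsQuery lmaoxus.gg
"""

def parse_event(line):
    """Split one telemetry line into (host, event_type, detail); None if malformed."""
    parts = line.strip().split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None

def score_hosts(events):
    """Return {host: [matched indicator names]} for hosts showing any LMAOxUS indicator."""
    hits = defaultdict(list)
    for line in events.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        host, etype, detail = ev
        if (etype == "FileCreate"
                and detail.lower().endswith(RANSOM_NOTE.lower())
                and DESKTOP_RE.search(detail)):
            hits[host].append("ransom_note_on_desktop")
        elif etype == "DnsQuery" and detail.lower() == RANSOM_DOMAIN:
            hits[host].append("lookup_" + RANSOM_DOMAIN)
    return dict(hits)

def confirmed_infections(events):
    """Hosts showing both indicators: note dropped AND the ransom site looked up."""
    return sorted(h for h, inds in score_hosts(events).items() if len(set(inds)) >= 2)
```

A host with only the DNS lookup (WS03 in the sample) is worth a look but is not reported as confirmed, since a user could simply have browsed to the site.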

'you've been
rekt by
LAMOxUS
better open that text file on your desktop if you ever
want to open your files again'

The LMAOxUS Ransomware's text-based ransom note contains the following information:

'You've been rekt by LMAOxUS. your Personal Identifier is [RANDOM CHARACTERS]
Keep it handy if you want your data.
Visit - for more info.
Your expiration date is: [RANDOM CHARACTERS]'

The LMAOxUS Ransomware's website was removed from the Web shortly after the LMAOxUS Ransomware was first uncovered. However, it is likely that this website will pop up again at another address. The text on this website read as follows:

'You've been hit by LMAOxUS
But there's still hope for you.
Send 0.1 BTC to 1Jek8L6HRj3pNpcAasgoV37eoHqLUMyYjU
Use any payment processor you want. I recommend Coinbase or Blockchain.info. If BTC is too hi-tech for you, send me an email, I'm sure we can work something out.
Once done, send an email to lmaoxus@safe-mail.net with the transaction details.

Listen fam. I don't care about your data. My goal is not to cause harm or to fuck with people just for the hell of it.
I'm just a broke college student in need of money. I have nothing personal against you. I promise I'll fix your data once I get payment.
If for whatever reason you're even more broke than me, well shoot me an email and give me your best sob story. I do have a heart.
Otherwise, you have until the date listed in your notepad until the server automatically deletes your decryption key.
After that date, there's nothing I can do.
So I wouldn't waste any more time. :)'

Dealing with the LMAOxUS Ransomware

It is advised that computer users do not pay the LMAOxUS Ransomware ransom. Fortunately, to date, it seems that the Bitcoin wallet associated with the LMAOxUS Ransomware attack has received no payments. The best protection against the LMAOxUS Ransomware and other ransomware Trojans is to have backup copies of all files. Having backups allows computer users to ignore the extortionists' ransom demands completely, since they can simply restore the affected files from the backup copy after removing the LMAOxUS Ransomware infection itself with a security program that is fully up-to-date.
