Cyber security specialists discovered a new variant of ransomware, called Luces ransomware. It appends the .luces file extension to encrypted file names. This article provides a brief summary of information about this new ransomware virus and explains how to recover or decrypt .luces files for free.
Luces ransomware is malware created to encrypt personal files. It hijacks a whole computer or its data and demands a ransom to unlock (decrypt) them. The makers of the .Luces ransomware have a strong financial motive to infect as many systems as possible. Files with the following extensions will be encrypted:
.rwl, .zip, .wsc, .tax, .gho, .wire, .itl, .csv, .qdf, .psd, .pptm, wallet, .vfs0, .x3f, .lbf, .cr2, .wbk, .sr2, .bc7, .bay, .pptx, .fpk, .raf, .ncf, .ods, .wbc, .vpp_pc, .iwd, .dxg, .iwi, .zabw, .qic, .cas, .yml, .ws, .xy3, .xf, .db0, .fos, .sb, .wbd, .m4a, .wb2, .xls, .bsa, .tor, .mdb, .odt, .mef, .vdf, .1, .wmo, .z, .wcf, .3dm, .xlsm, .accdb, .lvl, .z3d, .dbf, .xar, .dba, .3fr, .arw, .apk, .pdd, .crt, .nrw, .icxs, .t13, .fsh, .zif, .odb, .wpd, .srw, .1st, .desc, .wpb, .y, .upk, .yal, .bar, .rar, .jpeg, .pst, .jpg, .png, .txt, .wp5, .x, .sie, .xlsb, .xbplate, .dwg, .dng, .jpe, .kdb, .r3d, .sql, .xx, .layout, .mddata, .cer, .zdc, .srf, .xls, .slm, .wbm, .mdf, .psk, .xmind, .hkx, .rgss3a, .bkf, .p7c, .pak, .ppt, .p7b, .rofl, .xlsx, .wmd, .wps, .wp6, .kf, .der, .lrf, .xdl, .m2, .pef, .wdp, .vtf, .wps, .webp, .indd, .sis, .wgz, .odc, .3ds, .wpe, .odm, .rtf, .xll, .zdb, .zi, .mdbackup, .wm, .kdc, .syncdb, .gdb, .wp7, .t12, .menu, .wp, .cdr, .orf, .esm, .xlsm, .p12, .wot, .zw, .cfr, .xmmap, .asset, .sav, .zip, .sid, .docm, .xpm, .das, .pem, .mp4, .arch00, .2bp, .erf, .wn, .snx, .hplg, .xdb, .mcmeta, .wpd, .mov, .pdf, .ntl, .xlgc, .ibank, .forge, .ltx, .flv, .wpt, .m3u, .xyp, .xml, .css, .xlsx, .wri, .re4, .d3dbsp, .wsh, .xlk, .sum, .wbmp, .xwp, .wma, .xxx, .ysp, .wma, .wmv, .7z, .rw2, .crw, .wpa, .avi, .blob, .mrwref, .mpqge, .vcf, .ybk, .hkdb, .wsd, .hvpl
Once the encryption procedure is complete, it drops a ransom note called “_readme.txt” offering to decrypt all of the user's documents, photos and music if a payment is made. An example of the ransom instructions is:
The instructions shown below will help you remove the .Luces ransomware virus and recover encrypted personal files stored on your computer drives.
Quick Links
- How to remove .Luces ransomware virus
- How to decrypt .luces files
- Use STOPDecrypter to decrypt .luces files
- How to restore .luces files
- How to protect your computer from .Luces ransomware?
- To sum up
How to remove .Luces ransomware virus
In most cases it is not possible to remove the .Luces ransomware manually. For that reason, our team developed several removal solutions, which we’ve summarized in the detailed tutorial below. If you have the .Luces ransomware on your machine and are trying to remove it, follow the step-by-step guide below. Some of the steps will require you to close this web page, so read the guide carefully, then bookmark or print it for later reference.
Remove .Luces ransomware virus with Zemana Anti-malware
Zemana Anti-malware is a utility that can remove viruses, ransomware, trojans, worms and other malware from your computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of system resources.
Zemana can be downloaded from the following link. Save it on your Windows desktop.
After the download is finished, close all programs and windows on your PC system. Double-click the setup file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed in the following example, click the “Yes” button.
It will open the “Setup wizard” that will help you set up Zemana AntiMalware (ZAM) on your computer. Follow the prompts and don’t make any changes to default settings.
Once installation is done successfully, Zemana Anti-Malware (ZAM) will automatically start and you can see its main screen as shown in the figure below.
Now press the “Scan” button to start scanning your personal computer for the .Luces ransomware and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your computer.
Once that process is finished, Zemana Anti-Malware will produce a list of malicious software. You may remove items (move them to Quarantine) by simply clicking the “Next” button. Zemana Anti Malware (ZAM) will delete .Luces ransomware related files, folders and registry keys. Once the procedure is complete, you may be prompted to reboot the PC system.
Remove Luces ransomware with MalwareBytes
Manual Luces ransomware removal requires some computer skills. Some files and registry entries created by the ransomware may not be fully removed. We recommend running MalwareBytes AntiMalware (MBAM) to fully free your computer of ransomware. Moreover, this free program will allow you to remove malicious software, potentially unwanted applications, adware and toolbars that your personal computer may also be infected with.
Installing the MalwareBytes AntiMalware is simple. First you’ll need to download MalwareBytes Anti Malware (MBAM) by clicking on the following link.
After the downloading process is finished, close all programs and windows on your PC. Double-click the install file called mb3-setup. If the “User Account Control” dialog box pops up as shown in the figure below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes Anti-Malware on your computer. Follow the prompts and don’t make any changes to default settings.
Once installation is finished successfully, click the Finish button. MalwareBytes Anti-Malware will automatically start and you can see its main screen like below.
Now click the “Scan Now” button to check your personal computer for the Luces ransomware and other kinds of potential threats. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. When malware, adware or potentially unwanted apps are detected, the count of security threats will change accordingly.
After MalwareBytes has completed scanning, MalwareBytes AntiMalware will display a screen which contains a list of malware that has been found. Next, click the “Quarantine Selected” button. MalwareBytes Anti-Malware (MBAM) will start to remove Luces ransomware and other malicious software. After that process is finished, you may be prompted to reboot the PC.
We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes Anti Malware to remove adware, browser hijacker and other malicious software.
Use KVRT to remove .Luces ransomware virus from the computer
KVRT is a free removal utility that can check your personal computer for a wide range of security threats such as the .Luces ransomware virus, adware and other malicious software. It will perform a deep scan of your machine, including hard drives and the MS Windows registry. When malware is found, it will help you remove all detected threats from your personal computer with a simple click.
Download Kaspersky virus removal tool (KVRT) to your Microsoft Windows Desktop from the link below.
When the download is done, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as shown on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, click the Start scan button. The Kaspersky virus removal tool application will scan through the whole computer for the .Luces ransomware virus and other trojans and harmful applications. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. While the Kaspersky virus removal tool is scanning, you can see the number of objects it has identified as malicious software.
After that process is finished, KVRT will show a list of found items as on the image below.
When you’re ready, click on Continue to begin a cleaning process.
How to decrypt .luces files
The .Luces ransomware virus uses a strong encryption algorithm with a long key. This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the developers of the .Luces ransomware virus the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
With some variants of Luces Ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .luces files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.luces).
Please check the twitter post for more info.
How to restore .luces files
In some cases, you can restore files encrypted by the .Luces ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Run ShadowExplorer to restore .luces files
A free utility named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can restore personal files encrypted by the .Luces ransomware from Shadow Copies for free.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer on your system by clicking on the link below.
Once the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Start the ShadowExplorer utility and then select the disk (1) and the date (2) of the shadow copy from which you wish to recover the file(s) encrypted by the .Luces ransomware virus, as shown below.
Now navigate to the file or folder that you want to restore. When ready, right-click on it and press the ‘Export’ button as on the image below.
Run PhotoRec to recover .luces files
Before a file is encrypted, the .Luces ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore applications such as PhotoRec.
Download PhotoRec from the link below. Save it to your Desktop.
When the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like below.
Double-click qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed below.
Select a drive to recover as displayed on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as displayed on the image below.
Click the File Formats button and specify the file types to restore. You can enable or disable the restore of certain file types. When this is finished, click the OK button.
Next, click the Browse button to choose where recovered files should be written, then press Search.
The count of recovered files is updated in real time. All recovered personal files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, click the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see contents like below.
All recovered personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
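As an added example (not part of the original article or of PhotoRec), the Python sketch below gauges how much of the damage a PhotoRec run has covered: it counts .luces files per original extension, lists the folders holding a _readme.txt note, and counts carved files per extension in the recup_dir.N folders. The alias table, the function names and the sample file names are assumptions; the comparison is only a rough gauge, because PhotoRec carves every deleted file it finds and does not keep original names.

```python
import os, tempfile
from collections import Counter
from pathlib import Path

ENC_SUFFIX = ".luces"        # extension appended to encrypted files (from the page)
NOTE_NAME = "_readme.txt"    # ransom note file name (from the page)
ALIASES = {".jpeg": ".jpg", ".jpe": ".jpg"}  # assumption: PhotoRec names JPEGs .jpg

def norm_ext(name):
    ext = Path(name).suffix.lower()
    return ALIASES.get(ext, ext)

def scan_encrypted(root):
    """Count encrypted files per original extension; list folders holding a note."""
    by_ext, note_dirs = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            low = f.lower()
            if low.endswith(ENC_SUFFIX):
                # "report.xlsx.luces" -> original extension ".xlsx"
                by_ext[norm_ext(low[: -len(ENC_SUFFIX)])] += 1
            elif low == NOTE_NAME:
                note_dirs.append(dirpath)
    return by_ext, sorted(note_dirs)

def scan_recovered(out_dir):
    """Count files per extension inside PhotoRec's recup_dir.N sub-directories."""
    carved = Path(out_dir).glob("recup_dir.*/*")
    return Counter(norm_ext(p.name) for p in carved if p.is_file())

def coverage(encrypted, recovered):
    """Rows of (extension, encrypted, recovered), most-affected type first."""
    rows = [(e, n, recovered.get(e, 0)) for e, n in encrypted.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def make_sample(base):
    """Constructed sample tree: 3 encrypted files, 1 note, 2 carved files."""
    for rel in ("docs/a.JPEG.luces", "docs/b.jpg.luces", "docs/tax.xlsx.luces",
                "docs/_readme.txt", "docs/ok.txt",
                "out/recup_dir.1/f0001.jpg", "out/recup_dir.1/f0002.txt"):
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return Path(base, "docs"), Path(base, "out")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:   # demo on the constructed tree
        src, rec = make_sample(tmp)
        enc, notes = scan_encrypted(src)
        print(coverage(enc, scan_recovered(rec)), notes)
```

To use it on a real machine, call `scan_encrypted` on the affected folder and `scan_recovered` on the folder chosen with the Browse button.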
How to protect your computer from .Luces ransomware?
Most antivirus apps already have a built-in protection system against the virus. Therefore, if your PC system does not have an antivirus application, make sure you install one. As extra protection, use HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC system from .Luces ransomware virus
HitmanPro.Alert is a small security tool. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Click the following link to download HitmanPro.Alert. Save it to your Desktop so that you can access the file easily.
After the downloading process is finished, open the file location. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. After the utility is launched, you will be shown a window where you can choose a level of protection, as shown below.
Now press the Install button to activate the protection.
To sum up
Once you have finished the step-by-step tutorial outlined above, your personal computer should be clean from .Luces ransomware and other malware. Your machine will no longer encrypt your photos, documents and music. Unfortunately, if the steps do not help you, then you have caught a new variant of ransomware, and the best way is to ask for help here.