IT security professionals has received multiple reports of Litar file virus infection. It is a new variant of malicious software that infects a system, restricts user access to documents, photos and music, by encrypting them, until a ransom is paid to unlock (decrypt) them. This article will provide you with all the things you need to know about ransomware virus, how to remove Litar file virus from your computer and how to restore (decrypt) encrypted photos, documents and music for free.
Files encrypted by .Litar ransomware virus
Litar ransomware virus is a new generation of crypto virus that encrypts photos, documents and music on harddisks and attached network disks, then requires crypto currency (Bitcoins) for payment to decrypt them . It is known to encrypt almost all file types, including files with extensions:
.kdc, .wpl, .zif, .cer, .psk, .wsd, .rgss3a, .rtf, .zabw, .ods, .ai, .wri, .zip, .hkx, .rim, .d3dbsp, .xf, .mdb, .xdl, .x3f, .bar, .wmf, .mddata, .vdf, .zip, .yal, .cdr, .cas, .ntl, .desc, .xwp, .lrf, .mdf, .lvl, .sid, .rofl, .wp7, .odb, .erf, .wn, .docx, .m2, .xlsx, .pdd, .wma, .3ds, .zdb, .wsc, .ppt, .arw, .ltx, .wotreplay, .fpk, .fos, .wps, .xls, .bkp, .vpk, .apk, .map, .dazip, .w3x, .mdbackup, .rwl, .cr2, .png, .rw2, .xls, .2bp, .hvpl, .xld, .raw, .ptx, .wpa, .ibank, .wmv, .syncdb, .wpe, .t13, .hplg, .txt, .pfx, .wsh, .pptm, .das, .xll, .wav, .crt, .menu, .accdb, .snx, .odc, .1st, .iwi, .wpw, .p12, .itl, .7z, .cfr, .mp4, .pak, .webp, .p7b, .ztmp, .wbc, .asset, .ysp, .vcf, .odm, .wcf, .csv, .wpb, .bkf, .3fr, .hkdb, .0, .rar, .icxs, .wp5, .bay, .fsh, .mlx, .xlsm, .pdf, .doc, .mpqge, .ff, .nrw, .dwg, .wp4, .wma, .esm, .xmind, .epk, .bik, .sr2, .x, .z3d, .bsa, .zw, .wmo, .db0, .wmd, .wm, .wpd, .flv, .wbd, .avi, .kdb, .ws, .ybk, .y, .xlsb, .kf, .css, .litemod, .wp6, .der, .wbz, .vtf, .t12, .gdb, .pst, .re4, .vfs0, .qdf, .m4a, .wpd, .xy3, .mrwref, .iwd, .sie, .dcr, .r3d, .wbm, .m3u, .wbk, .svg, .mef, .wbmp, .srw, .jpe, .sidd, .sql, .ncf, .dba, .odt, .forge, .xlsx, .xdb, .pef, .xbdoc, .p7c, .bc6, .wp, .xpm, .sum, .blob, .xml, .rb, .wdb, .bc7, .wps, .sis, .psd, .itm
Upon successful encryption, it appends the .litar extension to the file name of its encrypted file. The ransomware also creates a text file named ‘_readme.txt’ in each folder. This file is a ransom instructions. The ransom note asks for money in the form of bitcoins. The content of the ransom instructions is below:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-i9Z5mq0D52 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | Litar |
| Type | Crypto malware, File locker, Crypto virus, Ransomware, Filecoder |
| Encrypted files extension | .litar |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980, $490 in Bitcoins |
| Symptoms | Photos, documents and music won’t open. Your files now have a odd extension. Files called like ‘_readme.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. You have received instructions for paying the ransom. |
| Distribution ways | Spam mails that contain malicious links. Malicious downloads that happen without a user’s knowledge when they visit a compromised web-page. Social media, like web-based instant messaging programs. Misleading webpages. |
| Removal | To remove Litar ransomware use the removal guide |
| Decryption | To decrypt Litar files use the free Litar decryption tool |
In the guide below, I have outlined few methods that you can use to remove Litar ransomware from your machine and restore (decrypt) .litar files for free.
Quick links
- How to remove Litar crypto malware
- How to decrypt .litar files
- Litar decryption tool
- How to restore .litar files
- How to protect your PC system from Litar ransomware virus?
- Finish words
How to remove Litar file virus
Before you start the process of restoring photos, documents and music that has been encrypted, make sure Litar file virus is not running. Firstly, you need to remove this ransomware permanently. Happily, there are several malicious software removal utilities which will effectively look for and uninstall .Litar virus and other crypto virus malicious software from your PC.
How to uninstall Litar file virus with Zemana AntiMalware
Zemana Free is a free malware removal utility. Currently, there are two versions of the tool, one of them is free and second is paid (premium). The principle difference between the free and paid version of the utility is real-time protection module. If you just need to check your personal computer for malicious software and uninstall .Litar file virus, other malware, worms and trojans, then the free version will be enough for you.
First, please go to the link below, then click the ‘Download’ button in order to download the latest version of Zemana.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the downloading process is complete, close all apps and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as displayed on the screen below.
When the install starts, you will see the “Setup wizard” that will help you install Zemana Anti Malware on your PC system.
Once installation is complete, you will see window as displayed in the figure below.
Now click the “Scan” button to perform a system scan for the Litar file virus, other malicious software, worms and trojans. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. When a malicious software, adware or potentially unwanted programs are found, the number of the security threats will change accordingly. Wait until the the checking is complete.
When the checking is done, the results are displayed in the scan report. Make sure all items have ‘checkmark’ and click “Next” button.
The Zemana Free will remove Litar virus and other security threats and add threats to the Quarantine.
Automatically remove Litar file virus with MalwareBytes Anti Malware
You can remove Litar ransomware virus automatically with a help of MalwareBytes Free. We suggest this free malware removal utility because it can easily delete ransomware virus, adware, malicious software and other unwanted apps with all their components such as files, folders and registry entries.
- First, please go to the link below, then click the ‘Download’ button in order to download the latest version of MalwareBytes AntiMalware.
Malwarebytes Anti-malware
326384 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- When downloading is done, close all applications and windows on your computer. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, press Next button and follow the prompts.
- Once setup is done, click the “Scan Now” button . MalwareBytes Anti Malware (MBAM) tool will begin scanning the whole PC system to find out Litar virus related files, folders and registry keys. A scan may take anywhere from 10 to 30 minutes, depending on the count of files on your system and the speed of your PC system. During the scan MalwareBytes Anti-Malware will scan for threats exist on your personal computer.
- Once MalwareBytes Anti Malware (MBAM) completes the scan, MalwareBytes Free will show a list of all threats detected by the scan. Review the report and then press “Quarantine Selected”. When the procedure is done, you may be prompted to restart your system.
The following video offers a steps on how to delete hijackers, adware and other malicious software with MalwareBytes Anti-Malware.
Scan your computer and delete Litar file virus with KVRT
KVRT is a free removal utility that can be downloaded and use to remove crypto malwares, adware, malicious software, potentially unwanted programs, toolbars and other threats from your PC. You can run this tool to search for threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Microsoft Windows desktop.
129055 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is finished, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen as displayed below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button . Kaspersky virus removal tool program will scan through the whole machine for the Litar file virus and other malware. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour.
When the scan is complete, you’ll be displayed the list of all found items on your machine as displayed in the figure below.
Make sure all threats have ‘checkmark’ and click on Continue to begin a cleaning task.
How to decrypt .litar files
The encryption algorithm is so strong that it is practically impossible to decrypt .litar files without the actual encryption key. Should you pay the ransom? A majority of cyber security specialists will reply immediately that you should never pay a ransom if affected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all files!
Files encrypted by .Litar ransomware virus
With some variants of Litar file virus, it is possible to decrypt encrypted files using free tools.
Michael Gillespie (@) released the Litar decryption tool named STOPDecrypter. It can decrypt files if they were encrypted by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
Litar decryption tool
STOPDecrypter is a program that can be used for Litar files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Litar files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt encrypted files, in some cases, you have a chance to recover your files, which were encrypted by the Litar file virus. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .litar files
In some cases, you can recover files encrypted by Litar crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Restore .litar encrypted files using Shadow Explorer
The MS Windows has a feature called ‘Shadow Volume Copies’ that can help you to recover .litar files encrypted by the Litar ransomware. The way described below is only to restore encrypted personal files to previous versions from the Shadow Volume Copies using a free tool called the ShadowExplorer.
First, please go to the following link, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
438666 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like the one below.
Double click ShadowExplorerPortable to start it. You will see the a window like below.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point as displayed below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as displayed on the image below.
Recover .litar files with PhotoRec
Before a file is encrypted, the Litar crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore programs such as PhotoRec.
Download PhotoRec from the link below.
Once the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as displayed below.
Select a drive to recover similar to the one below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music such as the one below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is complete, click OK button.
Next, click Browse button to choose where restored documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the image below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC system from Litar ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your system does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your machine from Litar ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
First, visit the page linked below, then press the ‘Download’ button in order to download the latest version of HitmanPro Alert.
Once the downloading process is finished, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the tool is started, you’ll be displayed a window where you can choose a level of protection, as displayed on the image below.
Now click the Install button to activate the protection.
Finish words
Now your computer should be clean of the Litar crypto malware. Delete Kaspersky virus removal tool and MalwareBytes AntiMalware (MBAM). We recommend that you keep Zemana Anti-Malware (ZAM) (to periodically scan your system for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Litar crypto virus from your computer, then ask for help here.
