What is a Lapoi file? A file with the .lapoi extension is a file that has been encrypted by Lapoi ransomware, which is similar to other ransomware (like Darus, Tocue, Gusau and so on). These security threats are also known as crypto viruses; they use very strong hybrid encryption with a large key in order to encrypt users’ files. It is not possible to open the files by simply changing the file extension. The personal files will be decrypted only if victims pay for the private key that will decrypt these files.
The Lapoi file virus is a new ransomware that is made to be installed on the user’s personal computer in order to lock files such as video materials, drawings, archives, documents, web application-related files, databases and photos by using a complex digital algorithm. In case of infection with this ransomware virus, the user will not be able to unlock files on his own, even by renaming them. Lapoi ransomware virus locks almost all files, including common types such as:
.xdl, .wma, .bc6, .vpk, .xmind, .dmp, .3dm, .wsc, .esm, .ybk, .wpe, .wbc, .wbz, .xx, .fsh, .bsa, .wpd, .1, .mddata, .rw2, .mov, .wm, .dazip, .cr2, .jpeg, .wpw, .bar, .icxs, .wot, .zdc, .zif, .wbmp, .upk, .webp, .epk, .wri, .ptx, .litemod, .xyw, .3ds, .lrf, .wav, .zip, .wp6, .der, .mrwref, .zi, .pdd, .wp7, .xml, .svg, .webdoc, .ntl, .xyp, .ws, .cas, .ztmp, .rgss3a, .z, .odm, .gdb, .lbf, .doc, .wmf, .xls, .csv, .syncdb, .wdp, .mdb, .xpm, .db0, .sid, .rofl, .wma, .wbd, .ai, .arch00, .ff, .yal, .7z, .qdf, .xll, .wotreplay, .py, .ysp, .zip, .p7c, .sidd, .zdb, .pem, .0, .m3u, .sie, .m4a, .r3d, .eps, .dwg, .xlsm, .sum, .hvpl, .xdb, .orf, .lvl, .rwl, .ppt, .itdb, .mpqge, .pkpass, .js, .2bp, .psk, .menu, .dxg, .y, .xf, .blob, .indd, .x3d, .itl, .x3f, .bik, .wbm, .xlgc, .cdr, wallet, .x3f, .xy3, .bc7, .xbplate, .odc, .sis, .slm, .accdb, .txt, .zw, .itm, .layout, .p7b, .vfs0, .dba, .docm, .z3d, .dcr, .iwi, .xlk, .sql, .kdc, .wcf, .flv, .sav, .sb, .xld, .srw, .bkp, .pptm, .srf, .ltx, .png, .odt, .t13, .xbdoc, .xlsb, .arw, .pak, .das, .big, .w3x, .odb, .m2, .3fr, .xls, .wire, .mp4, .yml, .1st, .xwp, .mdbackup, .fpk, .dng, .vdf, .hkdb, .xlsm, .wpl, .bkf, .wmd, .wp5, .xlsx, .wpa, .apk, .tor, .vtf, .wps, .dbf, .xxx, .erf, .desc, .pst, .mdf, .gho, .wpb, .crw, .psd, .p12, .wsd, .docx, .jpg, .map, .rar, .xar, .jpe, .d3dbsp, .wbk, .wpd, .pef, .wdb, .pptx, .wmo, .zabw, .wmv, .kdb, .wmv, .vpp_pc, .rtf, .crt, .snx, .wps, .tax, .pdf, .vcf, .x, .ods, .raw, .hkx, .mcmeta, .asset, .mef, .nrw, .sr2, .wgz, .hplg, .wsh, .cfr, .wp4, .wpt, .ibank, .sidn, .wn, .re4, .kf, .rim, .ncf
Lapoi ransomware encrypts users’ files using a complex combination of ciphers, overwrites most of the content of the original files with the encrypted data and adds the .lapoi extension to every encrypted file. A victim who sees files with the .lapoi extension understands that they are encrypted and will remain so until he pays the attackers the required amount of money for a special key that will restore the files. Usually, the developers of Lapoi leave a ransom message called ‘_readme.txt’ for users whose computers have been infected with this crypto virus, indicating the required amount of ransom.
Threat Summary
Name | Lapoi file virus, Lapoi ransomware |
Type | Crypto malware, Filecoder, Crypto virus, Ransomware, File locker |
Encrypted files extension | .lapoi |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, @datarestore (telegram) |
Ransom amount | $980 in Bitcoins |
Symptoms | Windows Explorer displays a blank icon for the file type. Files named ‘_readme.txt’, ‘READ-ME’, or ‘_readme’ appear in every folder with an encrypted file. |
Distribution methods | Unsolicited emails that are used to deliver malware. Malicious downloads that happen without a user’s knowledge when they visit a compromised web-page. Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a suspicious link). Torrent web sites. |
Removal | To remove Lapoi ransomware use the removal guide |
Decryption | To decrypt Lapoi ransomware use the steps |
After reading this blog post, you will know how to deal with the Lapoi ransomware. It is important to remember that we cannot guarantee an absolute solution to all your Lapoi ransomware problems. We can suggest a solution that might help. Nevertheless, this solution is worth your attention because there is still a possibility that it will help you delete Lapoi and decrypt personal files that have been encrypted with crypto malware.
Quick links
- How to remove Lapoi virus
- How to decrypt .lapoi files
- Lapoi decryption tool
- How to restore .lapoi files
- How to protect your PC system from Lapoi ransomware?
How to remove Lapoi virus
There are a few solutions that can be used to uninstall Lapoi virus. But not all crypto viruses such as this ransomware can be completely deleted using only manual methods. In many cases you are not able to delete a ransomware virus using standard Windows options. In order to delete Lapoi you need to run reliable removal tools. Most IT security experts state that the Zemana Anti-malware, Malwarebytes or KVRT utilities are the right choice. These free programs are able to search for and remove Lapoi ransomware from your PC system.
How to remove Lapoi file virus with Zemana Free
Zemana Anti-Malware is a program that is used to remove crypto malware, spyware, adware, trojans, worms, malicious software and other security threats. The program is one of the most efficient antimalware tools. It helps in crypto virus removal and defends against all other types of malware. One of the biggest advantages of using Zemana Anti-Malware (ZAM) is that it is easy to use and free. Also, it constantly updates its virus/malware signature DB. Let’s see how to install Zemana Anti-Malware (ZAM) and check your personal computer with it in order to delete Lapoi.
- Zemana can be downloaded from the following link. Save it on your Windows desktop.
- At the download page, click on the Download button. Your browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- After the downloading process is done, please close all apps and open windows on your computer. Next, launch a file named Zemana.AntiMalware.Setup.
- This will open the “Setup wizard” of Zemana Free onto your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Anti Malware will launch and open the main window.
- Further, click the “Scan” button to start checking your PC system for the Lapoi crypto malware, other malicious software, worms and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer.
- When finished, the results are displayed in the scan report.
- Next, you need to click the “Next” button. The tool will start to remove Lapoi ransomware, other kinds of potential threats such as malware and trojans. When disinfection is complete, you may be prompted to reboot the computer.
- Close the Zemana Anti-Malware (ZAM) and continue with the next step.
How to automatically delete Lapoi with MalwareBytes Anti Malware (MBAM)
We recommend using MalwareBytes Free. You can download and install MalwareBytes Anti Malware (MBAM) to look for and remove Lapoi from your PC system. When installed and updated, this free malicious software remover automatically identifies and removes all threats present on the computer.
MalwareBytes Anti-Malware can be downloaded from the following link. Save it on your MS Windows desktop.
After the download is finished, run it and follow the prompts. Once installed, MalwareBytes will try to update itself. When this process is complete, click the “Scan Now” button to perform a system scan with this tool for the Lapoi ransomware virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your computer. When malware, adware or PUPs are detected, the number of security threats will change accordingly. Wait until the scanning is complete. Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Quarantine Selected” button.
The MalwareBytes Anti-Malware (MBAM) is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malicious software removal utility, we recommend you to read and follow the step-by-step tutorial or the video guide below.
If the problem with Lapoi ransomware still remains
KVRT is a free portable application that scans your system for adware, potentially unwanted software and crypto viruses like Lapoi and allows you to uninstall them easily. Moreover, it’ll also help you delete any harmful web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it to your Desktop.
After the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you’ll see the KVRT screen as on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next, press the Start scan button. The Kaspersky virus removal tool will begin scanning the whole system to find the Lapoi crypto malware and other trojans and harmful programs. This task may take some time, so please be patient. While the KVRT program is scanning, you can see the number of objects it has identified as threats.
After the Kaspersky virus removal tool has finished scanning your personal computer, you’ll be shown the list of all threats found on your system, as shown on the image below.
All found items will be marked. You can remove them all by simply clicking Continue to begin the cleaning procedure.
How to decrypt .lapoi files
As mentioned earlier, the ransom payment is the only way to unlock .lapoi files, unfortunately. After the victim transfers the specified amount of money (usually $490, or $980 in Bitcoins) to the online criminals, they provide a special code key to decrypt the locked data.
Never pay the ransom! Some victims, wishing to decrypt encrypted files, pay the ransom to online criminals. However, before doing so it is important to remember that you are interacting with unscrupulous and dishonest people, and the probability is high that after the money is transferred they will not provide you with a special code key and Lapoi decryption tool to decrypt .lapoi files, or will increase the amount of ransom.
It is not necessary to pay the creators of the Lapoi crypto malware a ransom. The best option in case of infection with this ransomware virus is to archive the files that were affected by it until a free Lapoi decryption utility becomes available. Later in this post you will find useful guidance on how to recover encrypted documents, photos and music for free.
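The archiving advice above, as an added Python example (not part of the original guide or of any tool it mentions): it inventories files ending in .lapoi and `_readme.txt` ransom notes under a folder, then copies the encrypted files to an archive location without touching the originals. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".lapoi"     # extension this page says is appended
RANSOM_NOTE = "_readme.txt"  # ransom note name given on this page


def inventory(root):
    """Find encrypted files and ransom notes under root (read-only)."""
    encrypted, notes, types = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # "report.docx.lapoi" -> original type ".docx"
                original = Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower()
                types[original or "(none)"] += 1
            elif name.lower() == RANSOM_NOTE:
                notes.append(path)
    return sorted(encrypted), sorted(notes), types


def archive(root, dest):
    """Copy encrypted files to dest, keeping relative paths and timestamps."""
    root, dest = Path(root), Path(dest)
    encrypted, _notes, _types = inventory(root)
    for src in encrypted:
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # originals are left untouched
    return len(encrypted)


def demo():
    """Constructed sample tree; every file name here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dest = Path(tmp, "Users"), Path(tmp, "archive")
        for rel in ("docs/report.docx.lapoi", "docs/_readme.txt",
                    "pics/cat.jpg.lapoi", "pics/notes.txt"):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample data")
        encrypted, notes, types = inventory(root)
        copied = archive(root, dest)
        return len(encrypted), len(notes), dict(types), copied


if __name__ == "__main__":
    print(demo())
```

Point `archive()` at a destination outside the scanned folder, ideally on a separate drive, so the copies are not rescanned or overwritten.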
Lapoi decryption tool
With some variants of Lapoi ransomware, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Lapoi decryption tool named STOPDecrypter. It can decrypt .Lapoi files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.
STOPDecrypter is a program that can be used for Lapoi files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, it constantly updates its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Lapoi files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .Lapoi files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .lapoi files
In some cases, you can recover files encrypted by Lapoi ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Recover .lapoi files with ShadowExplorer
An alternative is to restore .lapoi documents, photos and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing files that were encrypted by Lapoi ransomware virus. The guidance below will give you all the details.
Visit the page linked below to download the latest version of ShadowExplorer for Windows. Save it directly to your Microsoft Windows Desktop.
When the download is finished, extract the downloaded file to a folder on your computer. This will create the necessary files as shown on the image below.
Run the ShadowExplorerPortable program. Now select the date (2) that you wish to recover from and the drive (1) you wish to recover files (folders) from as displayed on the image below.
On the right panel, navigate to the file (folder) you wish to restore. Right-click the file or folder and click the Export button like the one below.
Finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file to and click the ‘OK’ button.
Run PhotoRec to recover .lapoi files
Before a file is encrypted, the Lapoi ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore apps such as PhotoRec.
Download PhotoRec on your MS Windows Desktop from the link below.
After the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen like the one below.
Select a drive to recover similar to the one below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown in the figure below.
Click the File Formats button and choose the file types to restore. You can enable or disable the restore of certain file types. When this is finished, click the OK button.
Next, click the Browse button to select where recovered files should be written, then click Search.
The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, press the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see contents like those displayed on the image below.
All restored files are written to recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your recovered files by extension and/or date/time.
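Sorting the recovered files by extension and date, as an added Python example (not part of PhotoRec or of the original guide): it copies everything from the recup_dir.N folders into one folder per extension, oldest first. Skipping byte-identical duplicates by SHA-256 is an addition beyond the text, and the function names, output folder layout and sample files in `demo()` are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):  # chunked: low memory
            h.update(block)
    return h.hexdigest()


def sort_recovered(output_dir, sorted_dir):
    """Copy recup_dir.N files into per-extension folders, oldest first."""
    files = [p for d in Path(output_dir).iterdir()
             if d.is_dir() and d.name.startswith("recup_dir.")
             for p in d.iterdir() if p.is_file()]
    files.sort(key=lambda p: (p.suffix.lower(), p.stat().st_mtime, p.name))
    seen, placed = set(), {}
    for src in files:
        digest = sha256_of(src)
        if digest in seen:  # byte-identical duplicate: keep the oldest only
            continue
        seen.add(digest)
        ext = src.suffix.lower().lstrip(".") or "no_extension"
        names = placed.setdefault(ext, [])
        folder = Path(sorted_dir) / ext
        folder.mkdir(parents=True, exist_ok=True)
        target = folder / f"{len(names) + 1:05d}_{src.name}"
        shutil.copy2(src, target)  # keeps the recovered timestamp
        names.append(target.name)
    return placed


def demo():
    """Constructed sample output; names, contents and times are made up."""
    samples = [("recup_dir.1/f0001.jpg", b"photo A", 2000),
               ("recup_dir.1/f0002.docx", b"doc", 1500),
               ("recup_dir.2/f0003.jpg", b"photo B", 1000),
               ("recup_dir.2/f0004.jpg", b"photo A", 3000)]  # duplicate of f0001
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data, mtime in samples:
            path = Path(tmp, "recovered", rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            os.utime(path, (mtime, mtime))
        return sort_recovered(Path(tmp, "recovered"), Path(tmp, "sorted"))


if __name__ == "__main__":
    print(demo())
```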
How to protect your PC system from Lapoi ransomware?
Most antivirus applications already have a built-in protection system against ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC system from Lapoi crypto virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your machine from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from MS Windows XP to Windows 10.
Visit the page linked below to download the latest version of HitmanPro.Alert for MS Windows. Save it to your Desktop.
After downloading is done, open the folder in which you saved it. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. When the tool is launched, you’ll see a window where you can choose a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
To sum up
Now your computer should be free of the Lapoi crypto malware. Delete MalwareBytes Free and KVRT. We suggest that you keep Zemana Free (to periodically scan your personal computer for new malware). Make sure that you have all the Critical Updates recommended for the MS Windows operating system. Without regular updates you WILL NOT be protected when new ransomware viruses, harmful apps and adware are released.
If you are still having problems while trying to delete Lapoi ransomware virus from your computer, then ask for help here.