LKHY Virus Ransomware (.lkhy File) – 3 Easy Ways To Decrypt & Remove

The LKHY virus belongs to one of the most widespread ransomware families – STOP/Djvu. It gets into a Windows PC, encrypts your files (adding the .lkhy extension), and drops a ransom note (_readme.txt) in each folder that contains encrypted files. This malware is considered one of the most dangerous because it counteracts several methods of file recovery.

In this post, I will explain what happened and show you how to remove the LKHY malware from your computer. In addition, you will see several ways of file recovery after the ransomware attack.

What is LKHY Virus?

LKHY ransomware is malicious software that targets the user’s files and encrypts them with a strong cipher (AES-256), disables antivirus tools, and deletes backups. Each file – a Word document, an Excel table, or a photo – receives the .lkhy extension. Hence, the file “photo.jpg” turns into “photo.jpg.lkhy”. Then it generates a ransom note named _readme.txt and places it in every folder with encrypted files and on your desktop. In that note, you will see a message about the attack and instructions for paying the ransom. It looks like this:

_readme.txt file created by LKHY ransomware


Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Do not ask assistants from youtube and recovery data sites for help in recovering your data.
They can use your free decryption quota and scam you.
Our contact is emails in this text document only.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that's price for you is $499.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

LKHY ransomware shares the same habits as the majority of other STOP/Djvu ransomware samples. This family appeared in 2018 and has accounted for over 70% of all ransomware attacks on individuals. It is a trendsetter in its industry, and its features are now typical for any ransomware group that attacks individual users. The ransom amount, the way the victim is notified, the precautions taken to prevent the use of backups – all of these are now the same everywhere, but they first appeared with the Djvu ransomware.

How did I get the LKHY malware?

The vast majority of malware that attacks home users relies on the same spreading tactics, and STOP/Djvu ransomware, particularly the LKHY variant, is no exception. The most common spreading channels are software cracks, unlicensed programs, and dubious tools from the Internet. In particular, the distributors create single-use sites where currently popular things are posted. New Marvel films, new games, or tools for Windows 11 activation – new baits like these appear daily. Search spam techniques boost such a page in search results, making it the top result for related queries. A link on the same site, for direct or torrent download, delivers the payload.

Disk with encrypted lkhy files

Cybercriminals who distribute this ransomware first inject downloader malware, which acts as a precursor for further malware. It disables the security mechanisms that could stop the ransomware or make infecting the system troublesome: it turns off Windows Defender, applies certain networking changes, and adjusts Group Policies. The last action is done to restrict the execution of program installers, generally those of antivirus solutions.

LKHY Virus Encryption Process

The ransomware continues to change the system after being injected by the downloader. In particular, LKHY ransomware disables the most popular backup methods (Volume Shadow Copies and OneDrive backups) and blocks access to certain websites where the victim could find a solution. After that, the encryption starts. According to the code of leaked STOP/Djvu samples, it performs the ciphering step by step. First, the ransomware scans the folders on your disk. If it detects files it can cipher, it connects to the server, asks for the encryption key, and starts encrypting. When that folder is done, it goes back to scanning.

The encryption mechanism used by the LKHY ransomware is AES-256. That standard is adopted by many security technologies; for example, your traffic is encrypted with that cipher when you connect to a website over HTTPS. It is not the strongest cipher available, but it cannot be broken on modern computers. Because the connection to the server used by this ransomware is end-to-end encrypted, it is impossible to intercept the decryption key. Nonetheless, that does not mean you cannot get your files back.

STOP/Djvu Ransomware actions scheme

After LKHY ransomware finishes the last portion of encryption, it takes several more actions to gain better persistence. The original executable file is cloned to a directory far from the ones typically chosen by malware. Temp or Program Files directories are checked even by the simplest antiviruses, so the ransomware puts its files in deeper and less familiar places.

How to remove LKHY and protect yourself from ransomware?

Ransomware is one of the most sophisticated malware types. It is difficult to detect, and the removal must be performed with maximum diligence. The LKHY virus is known for blocking the executable files of security programs from launching. This blocking is not proactive; it is based on the changes the malware makes before the encryption. Hence, you must circumvent this barrier and fix it after the ransomware is removed. It is vital to remove the virus before taking any other actions – otherwise, the ransomware will revert your changes.

The best malware-removal software for this purpose is Loaris Trojan Remover. This application can remove the ransomware threat from your PC and repair the system after the attack. It has an advanced scanning mechanism that consists of three different modules that can detect ransomware in any form. Additionally, you can check all suspicious places with the Custom Scan function – it scans the designated directory in just a minute.

It is important to mention that circumventing the ransomware’s block on launching executable files requires booting into Safe Mode with Networking. You can download the installer before or after booting – it does not matter.

To boot your PC into Safe Mode, open the Troubleshooting panel: press Win → Power, then click Restart while holding the Shift key. After that, you will see the Troubleshooting screen. Go to Startup Settings → Windows 10 Safe Mode with Networking. Press Enter and wait until your system loads.

Reboot into Safe Mode

Safe Mode in Windows means loading the system without certain modules, in particular the startup programs and part of the Group Policies. This mode is convenient for malware removal since it prevents the launch of programs not listed as system ones and neutralizes the majority of restrictions implemented by malware.

Remove ransomware with Loaris Trojan Remover

When your PC has booted into Safe Mode, launch the Loaris installer and wait until the program is installed. It may take several minutes. After that, the program will offer to activate a free trial. This is recommended since it lets you use the full functionality of Trojan Remover. Just enter your email address and receive a free trial code.

Trojan Remover main screen

When the trial is activated, launch a full scan. It may last 20-30 minutes, so be patient. You can use your computer during this operation without any restrictions.

Loaris scan for LKHY files

After the scan, you will see the list of detected threats. By default, the program designates suitable actions for each detection. In particular, for the LKHY virus, it is a removal. However, you can manage these actions by clicking on the label on the right side of the detection if you think some detected items may need a different action.

LKHY Ransomware Removal Process

How to decrypt LKHY files?

There is not a lot you can do with the files encrypted by LKHY ransomware if everything went as the malware intended. This malware uses two key types – online and offline. The former is the main one and is used in the majority of cases. It consists of 256 symbols and is unique for each victim. The LKHY virus receives it from the command server each time it starts ciphering another folder in the file system. However, when it fails to connect to the server – because the server is down or there are connectivity issues – the files are ciphered with an offline key. The offline key is the same for all victims of a given variant, so all victims whose files were encrypted with the offline key can be saved once that key becomes available.
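As an added example (not code from the original post, from Loaris, or from Emsisoft), here is a small Python triage script that walks a directory tree, counts .lkhy files per folder, reads the "Your personal ID:" value from each _readme.txt, and flags whether that ID looks like an offline one. The sample tree it builds, the file names, and the ID value are constructed for the demo. The rule that offline IDs end in "t1" is the convention documented for STOP/Djvu by the decryptor's developer, not something this post states, so treat it as an assumption and confirm with the Emsisoft tool.

```python
"""Triage helper for a STOP/Djvu (.lkhy) incident (added example, not the
post's own tooling). It walks a directory tree, counts encrypted files per
folder, pulls the "Your personal ID:" value out of every _readme.txt it
finds, and labels the ID as online or offline."""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".lkhy"
NOTE_NAME = "_readme.txt"
# The note ends with "Your personal ID:" followed by the ID on the next line.
ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]+)")


def classify_id(personal_id):
    """Assumption (not stated in the post): STOP/Djvu offline IDs end in 't1'.
    Anything else is treated as an online (victim-unique) ID."""
    return "offline" if personal_id.endswith("t1") else "online"


def triage(root):
    """Return a summary of encrypted files and ransom-note IDs under root."""
    per_folder = Counter()
    ids = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                per_folder[dirpath] += 1
            elif name == NOTE_NAME:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = ID_RE.search(fh.read())
                if match:
                    ids[match.group(1)] = classify_id(match.group(1))
    return {
        "encrypted_files": sum(per_folder.values()),
        "affected_folders": sorted(per_folder),
        "ids": ids,
    }


def build_sample_tree():
    """Create a constructed victim-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="lkhy_demo_")
    # Constructed ID: real IDs are longer; this one only mimics the 't1' suffix.
    note = ("Don't worry, you can return all your files!\n"
            "Your personal ID:\nCONSTRUCTEDSAMPLEIDt1\n")
    layout = {
        "Documents": ["report.docx.lkhy", "photo.jpg.lkhy", NOTE_NAME],
        "Pictures": ["a.png.lkhy", NOTE_NAME],
        "Clean": ["notes.txt"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
                fh.write(note if name == NOTE_NAME else "placeholder content\n")
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    print(summary)
```

Point triage() at the root of a real volume to get the count of affected folders and the ID to look up; the "offline" label only means the ID is worth trying in the decryptor, not that a key exists.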

Emsisoft offers a tool to decrypt files after a STOP/Djvu attack. The developer’s team collects the leaked offline and online keys. It is 100% free to use since the company does this on a voluntary basis.

Decrypt your files with Emsisoft Decryptor for STOP Djvu

Download and install Emsisoft Decryptor for STOP Djvu from the developer’s website. Then open the application and do some initial setup: specify the folders where the ciphered files are stored. Then press “Decrypt” and watch the results.

Emsisoft Decryptor for STOP Djvu
File decryption process

During the decryption process, you may see certain messages from the program. Let’s check them out:

  • ☞ Remote name could not be resolved

    That message indicates an error resolving the DNS name of the Emsisoft servers. Since the program does not ship with the database of keys but receives it from the cloud, it needs a stable Internet connection. In case of this error, try resetting your HOSTS file and run it again.

  • ☞ No key for New Variant online ID: [your ID]

    Notice: This is an online ID. Decryption is impossible.

    The worst-case scenario: your files were ciphered with an online key. It is unique for each victim, so you cannot decrypt the files with the Emsisoft tool.

  • ☞ No key for New Variant offline ID: [example ID]

    This ID appears to be an offline ID. Therefore, decryption may be possible in the future.

    The footnote to this message explains a lot. You are lucky enough that your files were ciphered with an offline ID, but no key has leaked for your case yet. Be patient and wait; the key may appear in several weeks.

  • ☞ Error: Unable to decrypt file with ID: [your ID]

    That message means the Emsisoft program failed to find the corresponding key for your case. Still, that is not the worst situation – the key may still appear in the future.

Get your files back with file recovery tools

The decryptor described above is not the only option for recovering the files. Because of the specific way the ransomware handles files during the ciphering process, it is possible to recover them with file recovery tools. I recommend PhotoRec as a free and effective solution.

STOP/Djvu ransomware does not encrypt the original file in place. It copies the original document, ciphers the copy, then deletes the original and substitutes the encrypted copy for it. Meanwhile, the way files are stored allows deleted files to be recovered from the disk. Deleting a file in the operating system usually means only that the file system’s record of where the file is located on the disk is removed. The disk still keeps the file’s contents until that area is overwritten by another file the file system has allocated there.

PhotoRec is a tool that searches for these residual file parts and recovers them. It will also dig out remnants of files you deleted earlier, but it is much better to get your important data back and delete the extra files afterwards. Let’s see how to use it properly.
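To show what a tool like PhotoRec is doing under the hood, here is an added Python example (not PhotoRec’s code and not from the original post) of the simplest form of file carving: it ignores the file system entirely and scans a raw byte image for known header and footer signatures, here JPEG and PNG. The “disk image” is a constructed byte string that places a leftover JPEG and PNG next to a stand-in for the encrypted copy, so everything runs offline; the output file naming is modelled on PhotoRec’s numbered names but is an assumption of this example.

```python
"""Minimal signature-based file carver (added example; not PhotoRec's code).
It does what PhotoRec does in principle: ignore the file system and look for
file headers and footers directly in raw disk bytes."""
import os

# Header and footer signatures for two common formats.
# PNG ends with the IEND chunk followed by its fixed CRC (AE 42 60 82).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image):
    """Return a list of (kind, offset, data) for every header/footer pair found."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start < 0:
                break
            end = image.find(tail, start + len(head))
            if end < 0:  # header without footer: truncated remnant, skip it
                break
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def write_carved(found, out_dir):
    """Save carved blobs with numbered names; the original names are gone
    with the file-system record, which is why carving tools cannot restore them."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for n, (kind, _offset, data) in enumerate(found, 1):
        path = os.path.join(out_dir, f"f{n:07d}.{kind}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image():
    """Constructed raw 'disk image': free space, a leftover JPEG, a chunk that
    stands in for the encrypted photo.jpg.lkhy copy, then a leftover PNG."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"J" * 200 + b"\xff\xd9"
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"P" * 100
           + b"\x00\x00\x00\x00" + SIGNATURES["png"][1])
    encrypted_copy = bytes(range(256)) * 2  # high-entropy filler with no signatures
    free = b"\x00" * 512
    return free + jpeg + free + encrypted_copy + free + png + free


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

Note what the example shows: the encrypted copy has no recognizable header, so it is never carved, while the deleted originals are found purely by their signatures. Real carvers also validate structure (JPEG segment lengths, PNG chunk CRCs) to avoid false positives on fragmented data.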

Using PhotoRec to recover .LKHY files

Download PhotoRec from the official website. It is free and distributed together with another tool from the same developer – TestDisk. Since it is portable, you don’t need to install it – just unzip the downloaded archive and open the folder. In it, find the qphotorec_win.exe file and launch it.

Photorec Tool

In the program, you must configure each disk scan before starting it. First, choose the disk or partition you want to scan from the drop-down menu at the top of the window. Then specify the folder for the recovered files; it is recommended to save all recovered files to a USB flash drive. Finally, specify the file formats you want to recover. PhotoRec recovers over 400 different formats, but selecting all of them significantly increases the scan time. It is recommended to select only the file types you need.

File Recovery for LKHY

Frequently Asked Questions

🤔How to decrypt the online ransomware ID?

Unfortunately, there is no regular way to decrypt files ciphered with an online ID. The encryption LKHY ransomware uses is too strong; breaking it with modern computers would take millions of years. The most promising way to get your files back in the case of an online ID is to use file recovery tools, as shown above.

🤔Should I pay for the ransomware?

It may look like an obvious solution, but it is a bad idea. First, by paying the ransom, you directly sponsor the crooks, their activity, and whatever they spend the money on (usually similar criminal activity). The other problem is that ransomware operators are not always honest and may ask you to pay again to get the decryption key. From the legal point of view, you are clear, but there are enough moral principles to break through.

🤔How to protect from ransomware?

Ransomware is extremely tricky malware, so preventive methods must be applied along with ways to recover from an attack. Most attacks happen through fake sites where cracked programs or movie camrips are spread. In some rare cases, crooks spread their ransomware by offering malicious files on various forums or chats. Cutting off these sources, i.e., avoiding such files, is the best way to decrease the ransomware hazard by orders of magnitude.

Dealing with the aftermath of a ransomware attack must also be a point of concern. Having your data backed up regularly solves the problem of data availability after an attack. Using software that synchronizes your data with cloud storage after each workday reduces the backup lag. Meanwhile, the standard backup methods, like OneDrive or Volume Shadow Copies, are ineffective since the ransomware disables them even before the encryption.

🤔Is Loaris able to decrypt LKHY files?

Loaris Trojan Remover is only capable of removing the LKHY ransomware and fixing your PC after the attack. It is not a decryption tool and has no capability to revert the ciphering process. To try to decrypt the files, use the decryption tool described above.

🤔Are LKHY files dangerous?

They are the same files you used to see on your disk. The only thing the ransomware changed is that it ciphered the file header, which contains the key information the file system needs to recognize and read the file. Overall, the files are not infected, as they would be in a computer virus attack – they just received a malicious alteration. You may keep them on your disk without any concerns for your PC’s security.
