
'.L1LL File Extension' Ransomware

Posted: March 20, 2019

The '.L1LL File Extension' Ransomware is a file-locking Trojan that encrypts your media files so that they can't open. Its attacks include ransom messages in Notepad's TXT format that sell the criminal's decryption help through TOR-based communications. Users can protect any media of value by backing it up elsewhere, and can use their anti-malware products for uninstalling the '.L1LL File Extension' Ransomware or stopping infections.

All the Files Getting Ill with L1LL

File-locker Trojan infections in the less-than-common target region of Estonia are being verified by various parts of the cyber-security industry, although hard samples from the campaign are in low supply. The responsible threat, the '.L1LL File Extension' Ransomware, has no family that malware analysts could confirm as of late March, although it shares some basic formatting with the much older Yyto Ransomware. Its threat actors seem either to be familiar with Ransomware-as-a-Service infrastructure or to be using pre-generated templates for parts of the '.L1LL File Extension' Ransomware's payload.

The '.L1LL File Extension' Ransomware's encryption method is unanalyzed and may use Salsa20, AES-256, RSA or other methods of blocking your documents, images, music and other media. Besides the conventional appending of its extension to the ends of filenames, it also inserts text referencing its ransom note ('read@help.txt') in a format that isn't usual for Ransomware-as-a-Service threats like the Crysis Ransomware, the Globe Imposter 2.0 Ransomware, or the Scarab Ransomware. No other significant symptoms are verifiable, although many current file-locker Trojans include features such as pop-ups, hijacking the desktop's wallpaper or deleting backups.
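The two filename indicators described above are enough to scope an infection on a mounted disk or file share. The Python sketch below is an added example, not code from the original article or any vendor tool; its matching rules (a case-insensitive '.L1LL' suffix, 'read@help.txt' appearing anywhere in a name, and a note file with exactly that name) are assumptions, because the article does not give the exact rename format, and the sample filenames are constructed.

```python
import os
import tempfile
from collections import Counter

EXT = ".l1ll"               # appended extension named in the article
NOTE_REF = "read@help.txt"  # ransom-note name referenced in the article


def classify(name):
    """Return 'note', 'locked' or None for a bare filename (assumed rules)."""
    lower = name.lower()
    if lower == NOTE_REF:
        return "note"
    if lower.endswith(EXT) or NOTE_REF in lower:
        return "locked"
    return None


def triage(root):
    """Walk root; count renamed files per directory and bound their mtimes."""
    locked, notes, mtimes = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            path = os.path.join(dirpath, name)
            if kind == "note":
                notes.append(path)
            elif kind == "locked":
                locked[dirpath] += 1
                try:
                    mtimes.append(os.stat(path).st_mtime)
                except OSError:
                    pass  # unreadable or vanished file; it is still counted
    window = (min(mtimes), max(mtimes)) if mtimes else None
    return {"locked_by_dir": dict(locked), "notes": notes, "window": window}


def demo():
    """Build a constructed sample tree and return (locked count, note count)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for name in ("report.docx.L1LL", "photo.jpg.[read@help.txt].L1LL",
                     "notes.txt", "read@help.txt"):
            open(os.path.join(docs, name), "w").close()
        result = triage(root)
        return sum(result["locked_by_dir"].values()), len(result["notes"])


if __name__ == "__main__":
    print(demo())
```

The modification-time window returned by `triage` only approximates when the files were rewritten, so treat it as a starting point for choosing which backup to restore from.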

While the way it references the note is unusual, malware researchers find the contents of the '.L1LL File Extension' Ransomware's ransom message very standard. The English-language instructions recommend downloading the TOR anonymity-facilitating browser and provide links to the criminals' sites and e-mails for the ransom negotiations, but don't state a price. Similarly to, for instance, the Globe Ransomware, the '.L1LL File Extension' Ransomware offers a 'sample,' which could be the only way of getting at least one or two of your files unlocked without paying.

Getting the Ransoms Out of Ransomware

Estonian file-locker Trojans are somewhat rare but not unknown; readers from two years ago may be familiar with the Kaandsona Ransomware's operations in the same country as the '.L1LL File Extension' Ransomware. However, the '.L1LL File Extension' Ransomware's payload doesn't seem to be configured for only that nation and could hold documents and similar media hostage throughout most of the world. All of its victims to date are running Windows PCs.

Nearly all types of file-locking Trojans, whether they're part of a growing Ransomware-as-a-Service business or independent projects, accept ransoms through means that are difficult or impossible to refund, like the ubiquitous Bitcoin cryptocurrency. Victims paying these ransoms have no assurance of receiving a decryptor or of having their files unlocked in return. Anti-malware utilities, while they should be capable of uninstalling the '.L1LL File Extension' Ransomware or blocking an infection, can't decrypt your media.

The '.L1LL File Extension' Ransomware's campaign seems to be in its opening phase, but since it already has victims, users should be quick to back up their files. The country you're living in may be large or small, but a vulnerable computer with unsaved content is a great target for any criminal's Trojan campaign.
