A decryptor for the LooCipher Ransomware has been released by Emsisoft that allows victims to decrypt their files for free. If you were infected with LooCipher, do not pay the ransom and instead follow the instructions below.
LooCipher is installed through malicious Word documents that download the executable and execute it. Once executed, the ransomware will encrypt a victim's data and append the .lcphr extension to the names of encrypted files.
The ransomware would then display a LooCipher Decryptor screen that contains a countdown until your key will allegedly be deleted, as well as a button to check if a payment has been made.
If you are infected with this ransomware, you can utilize the instructions below to get your files back for free.
If you were infected with the LooCipher Ransomware and still have the encrypted files, simply download the decrypt_LooCipher.exe program from the following link and save it on your desktop: This decryptor was created by Michael Gillespie with assistance from Francesco Muroni.
This decryptor does not need the LooCipher.exe program running, so if it is still running you should terminate the process and delete the file so it does not start again.
Once downloaded, run the program with administrative privileges in order to decrypt all the files that were targeted by the ransomware. Once started, agree to the license agreement and you will be at the bruteforcer screen where it asks you to select an encrypted file and the same file in its unencrypted form.
If you do not have an encrypted/unencrypted pair, I suggest you use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. These images are commonly encrypted by ransomware and their unencrypted versions can easily be downloaded from another computer.
To make it easier, I have created a repository of the Windows 7 sample pictures here: https://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip. If you find Windows 8 or Windows 10 use different files, let me know and I will upload a repository from those operating systems.
Once you select the files, the Start button will become available and you should click on it to start brute forcing the decryption key. This process can take a while, so please be patient while it performs the brute forcing.
When a key has been found, it will display it in a small alert as shown below.
At the above window, click on the OK button and the decryptor will restart with the key loaded.
Once ready, click on the Decrypt button to begin the decryption process. The decryptor will now search the computer for encrypted files that end with the .lcphr extension and automatically decrypt them.
When it has finished, the Results tab will state Finished and all of your files should now be decrypted. If you need help getting this decryptor to work, feel free to ask in the comments.
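To help with the pair-selection step and with checking the result afterwards, the following Python script is an added example, not part of the Emsisoft decryptor or the original article. It lists files ending in .lcphr and matches them against a folder of clean copies (such as the extracted sample-pics.zip), assuming the encrypted name is the original name with .lcphr appended; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

EXT = ".lcphr"  # extension the article says LooCipher appends


def find_encrypted(root):
    """Return sorted paths of files under root whose name ends with .lcphr."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, n) for n in files if n.lower().endswith(EXT)]
    return sorted(hits)


def find_pairs(encrypted_root, originals_root):
    """Match each encrypted file to a clean copy with the same base name.

    Assumption: stripping the trailing .lcphr yields the original file name.
    Names are compared case-insensitively, as Windows does.
    """
    originals = {}
    for dirpath, _dirs, files in os.walk(originals_root):
        for name in files:
            if not name.lower().endswith(EXT):
                originals.setdefault(name.lower(), os.path.join(dirpath, name))
    pairs = []
    for enc in find_encrypted(encrypted_root):
        base = os.path.basename(enc)[:-len(EXT)].lower()
        if base in originals:
            pairs.append((enc, originals[base]))
    return pairs


def demo():
    """Run both checks on a constructed sample tree; return (pair names, count)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, clean = os.path.join(tmp, "victim"), os.path.join(tmp, "clean")
        os.makedirs(victim)
        os.makedirs(clean)
        for name in ("Koala.jpg.lcphr", "Tulips.jpg.LCPHR", "report.docx.lcphr", "notes.txt"):
            open(os.path.join(victim, name), "wb").close()
        for name in ("koala.jpg", "Tulips.jpg"):
            open(os.path.join(clean, name), "wb").close()
        pairs = find_pairs(victim, clean)
        names = [(os.path.basename(e), os.path.basename(o)) for e, o in pairs]
        return names, len(find_encrypted(victim))


if __name__ == "__main__":
    print(demo())
```

Any pair it reports can be selected in the bruteforcer screen, and running `find_encrypted` on the drive after decryption shows whether any .lcphr files remain.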