LooCipher

A decryptor for the LooCipher Ransomware has been released by Emsisoft that allows victims to decrypt their files for free. If you were infected with LooCipher, do not pay the ransom and instead follow the instructions below.

LooCipher is installed through malicious Word documents that download the executable and execute it. Once executed, the ransomware will encrypt a victim's data and append the .lcphr extension to the encrypted files' names.

The ransomware then displays a LooCipher Decryptor screen that contains a countdown until your key will allegedly be deleted, as well as a button to check if a payment has been made.

LooCipher GUI

If you are infected with this ransomware, you can utilize the instructions below to get your files back for free.

Decrypting the LooCipher Ransomware

If you were infected with the LooCipher Ransomware and still have the encrypted files, simply download the decrypt_LooCipher.exe program from the following link and save it on your desktop:

This decryptor was created by Michael Gillespie with assistance from Francesco Muroni.

LooCipher Decryptor

This decryptor does not need the LooCipher.exe program running, so if it is still running you should terminate the process and delete the file so it does not start again.

Once downloaded, run the program with administrative privileges in order to decrypt all the files that were targeted by the ransomware.  Once started, agree to the license agreement and you will be at the bruteforcer screen where it asks you to select an encrypted file and the same file in its unencrypted form.

LooCipher Bruteforcer screen

If you do not have an encrypted/unencrypted pair, I suggest you use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. These images are commonly encrypted by ransomware and their unencrypted versions can easily be downloaded from another computer.

To make it easier, I have created a repository of the Windows 7 sample pictures here: https://download.bleepingcomputer.com/public-sample-pictures/sample-pics.zip. If you find Windows 8 or Windows 10 use different files, let me know and I will upload a repository from those operating systems.
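As an added example (not part of the decryptor or the original article), this Python script lists files carrying the .lcphr extension and matches them by name against a folder of clean copies, such as the extracted sample pictures, to find a candidate pair for the bruteforcer. The function names and folder layout are assumptions, matching is by file name only, and the sample files are constructed.

```python
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".lcphr"  # extension the article says LooCipher appends


def inventory(root):
    """All files under root whose name ends in .lcphr (case-insensitive)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower().endswith(SUFFIX))


def original_name(encrypted):
    """Strip the appended suffix: 'Koala.jpg.lcphr' -> 'Koala.jpg'."""
    return encrypted.name[:-len(SUFFIX)]


def find_pairs(encrypted_root, reference_root):
    """Match by original file name only (assumption); contents are not compared."""
    clean = {}
    for p in Path(reference_root).rglob("*"):
        if p.is_file() and not p.name.lower().endswith(SUFFIX):
            clean.setdefault(p.name.lower(), p)
    found = ((enc, clean.get(original_name(enc).lower()))
             for enc in inventory(encrypted_root))
    return [(enc, ref) for enc, ref in found if ref is not None]


def summarize(root):
    """Count encrypted files by original extension, for a before/after check."""
    return Counter(Path(original_name(p)).suffix.lower() for p in inventory(root))


def demo():
    """Run against a constructed sample tree (not real ransomware output)."""
    with tempfile.TemporaryDirectory() as tmp:
        victim, ref = Path(tmp, "victim"), Path(tmp, "reference")
        (victim / "Pictures").mkdir(parents=True)
        ref.mkdir()
        (victim / "Pictures" / "Koala.jpg.lcphr").write_bytes(b"\x00" * 16)
        (victim / "report.docx.LCPHR").write_bytes(b"\x00" * 16)
        (victim / "notes.txt").write_bytes(b"untouched")
        (ref / "koala.jpg").write_bytes(b"clean image bytes")
        pairs = [(e.name, r.name) for e, r in find_pairs(victim, ref)]
        return pairs, dict(summarize(victim))


if __name__ == "__main__":
    print(demo())
```

Running `summarize` before and after decryption gives a quick check that no .lcphr files were left behind.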

Once you select the files, the Start button will become available and you should click on it to start brute forcing the decryption key. This process can take a while, so please be patient while it performs the brute forcing.

Brute forcing the LooCipher decryption key

When a key has been found, it will display it in a small alert as shown below.

LooCipher Decryption key found

At the above window, click on the OK button and the decryptor will restart with the key loaded.

Main Decryptor Screen

Once ready, click on the Decrypt button to begin the decryption process. The decryptor will now search the computer for encrypted files that end with the .lcphr extension and automatically decrypt them.

Decrypting Files

When it has finished, the Results tab will state Finished and all of your files should now be decrypted. If you need help getting this decryptor to work, feel free to ask in the comments.
