Lkhy ransomware is part of the Djvu/STOP ransomware family. It’s a type of malicious software that encrypts personal files and essentially takes them hostage. It’s considered to be very dangerous because file recovery is not always possible if no backup is available. 



When users open an infected file, the ransomware immediately begins file encryption. It targets all personal files, including photos, documents, videos, etc. Encrypted files are recognizable by the .lkhy extension. For example, an encrypted image.jpg file would become image.jpg.lkhy.

Files with the .lkhy extension will not be openable unless they’re first decrypted with a special decryptor. The process of acquiring the decryptor is explained in the _readme.txt ransom note that is placed in all folders that have encrypted files. The ransom note explains that to get the decryptor, victims first need to pay $999 in ransom. There’s supposedly a 50% discount for those who make contact with cybercriminals within the first 72 hours, as well as an option to decrypt one file for free as long as it does not contain any important information.

Below is the full ransom note for Lkhy ransomware:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:

Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that’s price for you is $499.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Users who do not have file backups may be considering paying the ransom. However, this is never recommended for a couple of reasons. First of all, victims who pay will not necessarily receive a decryptor. What users should keep in mind is that ransomware operators are cybercriminals. There are no guarantees that they will send a decryptor to those who pay because there is nothing to force them to keep their end of the deal. Unfortunately, many users in the past did not receive the decryptors they paid for. Furthermore, the money victims pay is used to finance other malicious activities, of which the same users may become victims.

As soon as users remove Lkhy ransomware from their computers, they can connect to their backups and start recovering files. It’s important to fully delete Lkhy ransomware with anti-malware software before accessing backup to avoid backed-up files from becoming encrypted as well. If users have no backup, their only option is to wait for a free Lkhy ransomware decryptor to be released.

How does ransomware infect users’ computers?

Malware infections, including ransomware, are distributed in several ways such as torrents and emails. Users who have good online habits are generally less likely to pick up an infection than those who engage in risky online behavior like using torrents to download copyrighted content. Developing better habits is one of the best preventative measures.

Ransomware is often distributed via email attachments. Cybercriminals add malware-infected files to emails and when users open said files, their computers become infected. Malicious emails that target a large number of users at the same time are usually quite obvious. The biggest giveaway is grammar/spelling mistakes. The emails are made to look like they’re sent by legitimate companies but because they’re full of mistakes, it becomes quite obvious that they’re fake. Malicious senders try to rush users into opening the attached file by claiming that it’s an important document that needs to be reviewed.

One thing users should take note of is how an email addresses them. If the sender claims to be from a company whose services users use but addresses users using generic words like Member, User, Customer, etc., the email is likely either spam or malicious. Legitimate emails would address users by name, or rather the name they have given the companies.

Some users may be targeted with more sophisticated attacks. Emails part of a sophisticated email campaign would look significantly more convincing, with no grammar/spelling mistakes, and specific information to make the email seem more credible. It’s highly recommended to scan all unsolicited email attachments with anti-malware software or VirusTotal before opening them. This would ensure that a malicious file is not opened on a device.

Malicious actors also use torrents to distribute malware. It’s a great way to spread malware because torrent sites are often poorly regulated, and many users cannot recognize malware in torrents. Most commonly, malware is found in torrents for entertainment content, including movies, TV series, and video games. Users are discouraged from pirating copyrighted content using torrents, and pirating in general, because it’s not only content theft but also dangerous for the computer.

Lkhy ransomware removal

Users with backup can start recovering files as soon as they remove Lkhy ransomware from the computer. Using an anti-malware program is recommended to delete Lkhy ransomware because it’s a very complex infection. If users try to do it manually, they could end up causing additional damage to their devices.

Once the computer is clean of ransomware, users can safely connect to their backups and start recovering files. For users with no backup, file recovery will not necessarily be possible. Users’ only option is to wait for a free Lkhy ransomware decryptor to be released. However, whether it will ever be released is not clear. If it does, it will be available on NoMoreRansom. If it cannot be found on NoMoreRansom, it will not be available anywhere else.

Lkhy ransomware is detected as:

  • Win32:BotX-gen [Trj] by AVG/Avast
  • Trojan.GenericKD.71636542 by Bitdefender
  • Trojan.MalPack.GS by Malwarebytes
  • Trojan:Win32/Amadey.AMBC!MTB by Microsoft
  • Trojan.GenericKD.71636542 (B) by Emsisoft
  • A Variant Of Win32/Kryptik.HWGZ by ESET
  • HEUR:Trojan-Ransom.Win32.Stop.gen by Kaspersky
  • Ransom.Win32.STOP.YXEBNZ by TrendMirco
  • Artemis!D473778B0F10 by McAfee

Site Disclaimer is not sponsored, owned, affiliated, or linked to malware developers or distributors that are referenced in this article. The article does not promote or endorse any type of malware. We aim at providing useful information that will help computer users to detect and eliminate the unwanted malicious programs from their computers. This can be done manually by following the instructions presented in the article or automatically by implementing the suggested anti-malware tools.

The article is only meant to be used for educational purposes. If you follow the instructions given in the article, you agree to be contracted by the disclaimer. We do not guarantee that the artcile will present you with a solution that removes the malign threats completely. Malware changes constantly, which is why, in some cases, it may be difficult to clean the computer fully by using only the manual removal instructions.

Leave a Reply