This tool does not work if you restart your computer after the infection
Decryption tool for the LooCipher Ransomware
- Find the Process ID (PID) of the LooCipher ransomware
- Open
cmd(the tool does not require elevated (Administrator) privileges) - Move to the path where this tool was downloaded
- In the
cmdprompt, typeZLAB_LooCipher_Decryptor.exe <PID>
Due to the continuing LooCipher infection campaign, we proceeded to release the decryptor in the shortest possible time in order to help the victims infected in the previous phase. So, the tool is a Beta release and it is still composed by an unsigned executable. We will provide to release some updates as soon as possible.
Thanks to Fortinet for their analysis about LooCipher obfuscation flaw. The tool embeds parts of Fortinet script.
The latest release and source code is available at: https://www.yoroi.company/download.html