How To Remove L16 Ransomware And Restore Files

Remove L16 Ransomware From Infected System

OFFER
Is Your System Infected with L16 Ransomware?

Detect & Remove Threats with SpyHunter 5
Detect & Remove Threats with SpyHunter 5

L16 Ransomware is a highly infectious malware that is tough to be removed manually. Spyhunter scans the PC for malware for free but to remove threats you need to purchase its full version.

For more information on SpyHunter please review, steps to uninstall, EULA, Threat Assessment Criteria, and Privacy Policy. Spyhunter scans the PC for malware for free but to remove threats you need to purchase its full version.  

L16 Ransomware Brief

Threat Overview
Name L16 Ransomware, belongs to MedusaLocker Ransomware Family (See Full Report on VirusTotal)
Category Ransomware, Cryptolocker, Files-encrypting malware
Symptoms Users are restricted to access their files on the system. The data are encrypted with .L16 extension that will no more be accessible. A ransom note named as “HOW_TO_RECOVER_DATA.html” can be seen on the desktop and the directories were files are encrypted. Victims can contact the authors via Website on Tor network, ithelp02@decorous.cyou, and ithelp02@wholeness.business.
Occurrence Phishing emails that contains macro-enabled attachments, compromised websites,  visiting torrent links and downloading software cracks.
Severity Level High
Damages Loss of data stored on the PC, monetary loss, other malware infection can be stopped along with the main threat.
Removal To remove L16 Ransomware and other malware infections, we recommend to scan the computer with legitimate anti-malware program. We recommend using Spyhunter 5

What is L16 Ransomware?

L16 yet another destructive cryptolocker, that is designed to extort money from people by encrypting their files/data on the system.  It belongs to the MedusaLocker ransomware family, that uses RSA and AES encryption algorithms. After the encryption, the files are renamed with “.L16” extension that makes them inaccessible.

For example, a file originally named “home.jpg” will appear as “home.jpg.L16”.

Victims should also see a ransom note named as “HOW_TO_RECOVER_DATA.html” on the desktop screen and to the directories where encryption occurred.

L16 Ransomware Ransom Note

L16 Ransomware Ransom Note
L16 Ransomware Ransom Note

YOUR PERSONAL ID:

/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\
All your important files have been encrypted!
Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
* Note that this server is available via Tor browser only

Follow the instructions to open the link:
1. Type the addres “hxxps://www.torproject.org” in your Internet browser. It opens the Tor site.
2. Press “Download Tor”, then press “Download Tor Browser Bundle”, install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
4. Start a chat and follow the further instructions.

If you can not use the above link, use the email:
ithelp02@decorous.cyou
ithelp02@wholeness.business
* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON’T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

According to the L16’s ransom note,

It has invaded the network, and have encrypted various types of files/data on the system. The motive behind this is clear to demand ransom from users to provide the decryption key. It also states that they have their sensitive/personal data uploaded to their private server, so if they fail to pay the ransom, they will expose the data publicly.

For further details, it gives a link to download the TOR browser and open a specific address to make the payment. However, the sum is not specified, as it possibly depends upon the size of the encryption, but the victims need to contact within 72 hours of the attack.

How did ransomware infect my computer?

Ransomware attack is the most unfortunate thing for any computer user. As it often uses strong encryption algorithm to encrypt the data and demand ransom against the unique key to unlock them. They mostly spread via phishing email attachments, vulnerabilities, pirated software downloads, compromised websites, other Trojan-droppers and so on.

  • Phishing email campaigns: Such emails are spread out in bulk by the cybercriminals that contains a catchy subject line like job offers, government officials, fax, invoice and so on. They either contain a weblink or an attachment. The documents have macros enabled and hidden payloads which when runs on the target system can download the payloads of the malware and further install it.
  • Pirated Software Downloads: Yet another distribution tactics is fake software downloads from untrusted sources, torrent clients, shareware/freeware, pop-up ads that tricks into updating software apps.
  • Vulnerabilities: Cybercriminals are always keen to exploit any system flaws, bugs within the software or programs that inject their payloads via different ways. So, users should quickly patch them by updating the software and apps from the official website only.

How To Remove L16 Ransomware From Infected PC

Unfortunately, there are very less probability that you can decrypt your files as they need the decryption key. But in any case, paying ransom should never be your option. As there is no guarantee that the Ransomware authors provide the decryption key after getting the payment. They should never be trusted.

So, the best way to deal with Ransomware attack is to remove them and recover the files from backups. As till the L16 Ransomware is active on your system, if may keep on encrypting new files. So, the very first thing you should do is to remove it.  Below, you will find the removal solution and various recovery options that may help you to recover your files.

Automatic L16 Ransomware Removal:

Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

For more information on SpyHunter please review, steps to uninstall, EULA, Threat Assessment Criteria, and Privacy Policy. Spyhunter scans the PC for malware for free but to remove threats you need to purchase its full version. 

SpyHunter 5 is a powerful and certified malware detection and removal program. The program can identify various kinds of threats like malware, adware, browser hijacker, Potentially unwanted program, rootkits and so on. It provides real-time protection by continuously updating and adapting its detection so as to combat against new threats.  This tools is very easy to use and a very friendly user-interface, offering 24/7 customer support.

Follow the below instructions to scan with SpyHunter 5 and remove L16 Ransomware from Windows OS.

  • Click on the download button, to begin install the SpyHunter 5 anti-malware.
  • Follow the on-screen instructions to finish the installation process.
    Spyhunter 5 Download
    Spyhunter 5 Download
  • After that, the application will launch on your screen. In most of the cases, it starts the scan process quickly.
    Spyhunter 5 Scan Process
    Spyhunter 5 Scan Process
  • The first scan may take up few minutes, and will keep reporting you any malware or threats found on your system.
    Spyhunter 5 Scan Continue
    Spyhunter 5 Scan Continue
  • After the scan process completes, click on the “Next” to remove the threats.
    Spyhunter 5 Threat Detection
    Detect L16 Ransomware using Spyhunter 5
  • SpyHunter 5 allows free detection of threats. In order to remove them and activate other features, you need to purchase the full- license of the product.
    Spyhunter 5 Buy
    Spyhunter 5 Buy
  • We recommend you do so, if you want to secure your device from Ransomware, Adware, malware, and PUA. It also helps maintaining online privacy.

Manual Removal Instruction For L16 Ransomware:

If you want to go through the manual removal of L16 Ransomware, then follow the below steps carefully:

Step1: Preparing For the Removal of L16 Ransomware

Before manually removing the L16 Ransomware, you should first need to isolate your infected system from network and other external devices like hard drive, flash drives, to prevent further encryption.

Security experts also recommend keeping a copy of the Ransom note and encrypted files to a separate hard drive/Flash drive. Decrypting the files encrypted with Ransomware may not be possible until you get the unique key. So, better to remove the L16 Ransomware and wait for the experts to create a decryptor tool.

Remove External Devices:

To safety remove, all external devices or storage device, follow the steps below:

  • Go To “My Computer“, right-click on the connected SD Card, hard drive or Flash drive you see.
  • Select “Eject“:

Disconnect Your Computer from the internet:

You are connected to Internet via an ethernet cable, then just unplug it. And if you are connected via wireless network, then first click on the Wi-Fi icon on your taskbar, then click on “Disconnect“. However, if further stop any available connection to connect automatically, follow the steps below:

  • Type “Control Panel” on the search bar of your Taskbar, and choose “Network and Sharing Center“;
  • Next, from left-menu options, select “Change Adapter Settings“;
  • Now, select the network, right-click on it and choose “Disable“.

Identify The Ransomware Your System Is Infected With

Often, the Ransomware have different variants, but they belong to a particular Ransomware family. So, you can get some idea of the Ransomware name from the “Ransom Note” like  “_readme.txt“.

Some Ransom note specifies the name like “Your files have been encrypted by Locky Ransomware”. So, here the extension may not be exactly “.locky” but it can be some random alphanumeric characters.

So, if you are not able to find the exact name of the Ransomware, which has infected your system, then go to id-ransomware, where you can upload the “Ransom note” file or any sample of encrypted file to identify the Ransomware name.

Identifying Ransomware
Identifying Ransomware

No More Ransomware: You can also visit no more ransomware to help identify the Ransomware, and also offers free decryption tools by various Ransomware families like Gand Crab, HiddenTear, TeslaCrypt and so on.

After identifying the ransomware name, the removal and decryption process may help you finding the right solution.

If you have already remove L16 Ransomware using scan and remove method by Spyhunter anti-malware, then you should proceed with recovering your L16 encrypted files.

Step2: Remove L16 Ransomware using System Restore

System Restore Procedure works most of the time if want to roll back your system status to a specific point of time. So, here the point which need to choose is the versions of your PC before L16 Ransomware infected your system. Most of the time, Windows OS creates a Restore Point, when we install any new application or driver. Also, you can create a system restore point manually.

System Restore will remove applications, drivers, or updates that you have installed to that point of time. They all will be rolled back to that point, however your personal data will not be affected. But in case, you should backup your important data you stored recently.

  1. On your taskbar, type “Recovery” in the search box, which will bring the results, click on “Recovery”;
  2. Next click on “Configure System Restore“;
    System Restore In Windows 10
    System Restore In Windows 10
  3. You will see “System properties” window open up, switch to “System Protection“;
  4. Next click on “System Restore” button, then click on “Next“;
    System Restore Process In Windows 10
    System Restore Process In Windows 10
  5. Now, you will see Automatic System Restore Points list or to view all restore points you can click “Show more Restore Points” in the bottom.
    Automatic Restore Points
    Choose Automatic Restore Points To Remove L16 Ransomware
  6. Now, click on the Restore point to which you want to choose, then click on “Scan for affected programs”; This will list you all the apps, drives and updates which will be removed after the restore.
    Scan For Affected programs
    Scan For Affected programs
  7. So, if you are sure with the changes, the click on “close” and then select Next > Finish.

What To Do If You Don’t see Any Restore Points?

Note: If your System Restore Feature is not enabled, then you may not see any Restore Points. So, you should enable the “System Protection” feature.

How To enable System Protection on Windows 10:

    • Select Recovery > Configure System Restore > Configure;
    • Check the radio button next to “Turn on system protection” is active or not.
    • If not then click on it and then click on Apply > OK.

If there is no Recovery points, then this method will not be helpful to you, So, either go for scan and remove method or you need to reset your Windows 10.

Step3: Reset Your PC to remove L16 Ransomware

Resetting your PC should be your last option, if all the above methods does not work for you. If you reset your PC then, all your applications, files and data will be cleared. It means your Windows 10 will act as new.  Windows 10 will reset itself to its factory default settings.

Also, you will not lose your license or product key which came along with the purchase or if it is genuine.

If you don’t want to lose your data, then first backup all your files to a secure place, either cloud backup, OneDrive, Google Drive or external SSD or USB drives.

However, Reset Your PC, does gives you an option to keep your files, but to ensure permanent removal of L16 Ransomware, you should chose Remove Everything. Or else you can try with “keep my files” and then reset your PC. After that to double check if the Ransomware is gone you should install an anti-virus program.

So, here how to reset your Windows 10:

  • In the search bar, on the Taskbar search for “Reset this PC, and click on it;
  • Choose “Get Started“.
  • Next, you will see two options to choose “Keep my Files” or “Remove Everything”.
    Reset this PC to Remove ReverseRat
    Reset this PC to Remove L16 Ransomware
  • Choose the appropriate one, and click on “Next“;
  • Now, follow the on-screen instructions to reset your PC;
  • Once your PC is reset, you can install the application which you need, transfer your files.
  • Now, run Windows Defender or Spyhunter 5 to check complete removal of L16 Ransomware.

How To Recover Files Encrypted With L16 Ransomware?

Step 1: Restore from Previous Versions Feature of Windows OS

Often some Ransomware are clever to delete the shadow volume copies and previous versions of the encrypted files. However, you should give a try looking out for the previous versions of the L16 encrypted file that can help you recover it. But, this option will only work for you if you have configured the “File History” option on your system.

  • Navigate to the folder or directory, where the L16 encrypted files are stored locally on your computer. Right-click on the L16 encrypted file and then select “Properties“.
  • Under the Properties window, switch to “Previous Versions” tab.
  • If you have any previous versions available for the file, then you will see the snapshots of the file. So select the one which is prior to the date of L16 attack.
    Recover L16 Ransomware files Using Previous Versions
    Recover L16 Ransomware files Using Previous Versions
  • Select the Restore To option to choose the specific location.
  • Click on the “Select folder” button to restore your files. Better to choose a different folder to keep the recovered file.

Step 2: Recover Files From OneDrive’s Version history Feature

If the above workaround does not work for you, then you can use the OneDrive’s file versioning feature called as Version History. This will only work if your system is synced with OneDrive backup.

OneDrive is the most easy way to keep your files on your PC to keep synced in the cloud. Files synced can also be accessed on mobile, Microsoft OneDrive online account and so on. It stores the older versions of the files for up to 30 days and also has a feature to store the deleted files, but for a limited time only.

The Restore OneDrive feature only works if you are subscribed for the Microsoft 365. 

If your OneDrive’s files have been encrypted by L16 Ransomware, then it gives you an option to restore the previous version of entire files synced with OneDrive. So, if your files have been encrypted with L16 Ransomware, then you may use the OneDrive’s Version history feature to restore files from its previous version.

  • Click on the OneDrive icon on your Taskbar;
  • Then click on “Help & Settings” > “View Online”;
    Recover L16 Ransomware files By Restoring OneDrive Folder
    Recover L16 Ransomware files By Restoring OneDrive Folder
  • If your are already signed on, the click on the “Settings” icon on top-right of the page;
  • Then choose “Option” > “Restore your OneDrive“;
    Recover L16 Ransomware files By Restore Your OneDrive
    Recover L16 Ransomware files By Restore Your OneDrive
  • Next, select a specific date from the drop-down list. OneDrive also helps you to choose a data if it has detected a ransomware attack automatically. However, if it does not recommend y0u a date, choose the one before the attack of L16 Ransomware.
  • Finally, click on “Restore“.

OneDrive Version History

If you don’t have the subscription for Microsoft 365, then you try by right-clicking on specific file from your OneDrive Folder, then choose “Version History“.

Recover L16 Ransomware files From OneDrive's Version History
Recover L16 Ransomware files From OneDrive’s Version History

If you are able to view the file and then you can download it and save at a safe location.


Step 3: Recover L16 Ransomware Encrypted Files using Online Decryption Tools

The Ransomware uses Encryption algorithms to encrypt the files which are often strong to break. In such a case you don’t have any option to recover them as you will be requiring the decryptor key to unlock them. Most of the ransomware authors, store the unique key to their remote server rather than on the host machine.

But there are many ransomware that have some flaws in their code or they often leave some loopholes. So, cyber security experts often research on them and create a decryptor tool online for free. Also, some ransomware threats often seen to be release their keys. So, we strongly advise you to keep a backup of your encrypted files to a separate drive along with Ransom note. So, that you can check online for any decryption tools in future.

Here, we have listed some of the best free online decryptor tools that can help you recover the files.

  • No More Ransom Project: no more ransomware project website not only help you to identify the Ransomware. But also contains the decryption tools that lets you search by the name and show you the  decryption tools available.
    L16 Ransomware Online Decryptor Tool
    L16 Ransomware Online Decryptor Tool
  • Emsisoft Decryptor Tool: Another online free decryptor tool, you can try out is Emsisoft that is developed by Emsisoft and Michael Gillespie. They have a team of ransomware experts that often keeps on creating decryptors for plenty of Ransomware. They also have instructions on how to use the decryptor tool.
    L16 Ransomware Online Decryptor Tool By Emsisoft
    L16 Ransomware Online Decryptor Tool By Emsisoft
  • Noransom Decryptor Tool By kaspersky: No Ransom is yet again a place where you can search for latest decryptors for Ransomware. To search, you can use the extension, ransomware name and ransom note.
    L16 Ransomware Online Decryptor Tool By Kaspersky
    L16 Ransomware Online Decryptor Tool By Kaspersky

Step 4: Use Data Recovery Software

Ransomware is one of the most successful threat campaign that uses encryption algorithm to encrypt user’s data with a unique key. Although, the possibility of recovery is stands less as the hackers store the key to their own server. But yet again, security experts never recommend paying Ransom, as there are chances that even after paying the Ransom, you may not get your files back.

Thus, it is better to remove the ransomware, and safe the encrypted files at a secure place, so that you have a chance of recover later on too. However, we still advice you to use STELLAR DATA RECOVERY PROFESSIONAL to recover your files.  The software recovers almost all file types that you may lose in various scenarios like emptied recycle bin, unexpected system shutdown, virus attack and System Crash down and so on.

  • Download and Install Stellar Data Recovery Professional For Free;
  • Select the type of data you want to recover or just select “All Data“;
    Recover L16 Ransomware files with Stellar Data Recovery professional
    Recover L16 Ransomware files with Stellar Data Recovery professional
  • Choose the location from where you want to recover your data, and also enable the “Deep scan” option and then click on “Scan“;
    Recover L16 Ransomware files with Stellar Data Recovery professional 2
    Recover L16 Ransomware files with Stellar Data Recovery professional 2
  • You can preview the files which can recover, filter them using File Types, Tree view or deleted list.
  • Finally, to recover, select the files you want to recover and click on “Recover“, choose the location to save them.
    Recover L16 Ransomware files Using Stellar Data recovery tool
    Recover L16 Ransomware files Using Stellar Data recovery tool
  • Do not choose the same location where files are encrypted.

How to Prevent Virus Attack Effectively

Privacy and security is the most crucial thing which can be compromised at any point of time. So, we should be stay vigilant to protect them. Specifically, to prevent Ransomware attacks in future you should follow the below tips:

  • Do not open/download email attachments from unknown sender. A phishing email can have various signs like grammatical errors, no/fake signature, requesting for some personal info, spoofed links and so on.
  • Have a reputable anti-malware protection turned on. Also don’t just rely on a free version.
  • Beware of the what you download from third-party sources. Don’t be hurry to just double-click to install any file.
  • Most importantly, backup your data on regular basis. If you can’t do it manually, then use services like OneDrive, Dropbox, Google Drive and also other cloud service for strong protection like pCloud.
  • Also, if you have been a victim of any Ransomware attack, then report the crime.

pCloud offers 10 GB of free cloud storage. It offers simple and secure backup options and is accessible to most of your devices. It is a real-time backup solution that will automatically save files to your specified folder with no limitation on file size or speed. By default, you can recover files in pCloud from up to 30 days, but you can extend that time up to 1-year.

Leave a Reply

Your email address will not be published.