How to remove Ldhy ransomware

How to remove Ldhy ransomware

Ldhy ransomware is file-encrypting malware that targets personal files. The malware is part of the Djvu/STOP ransomware family, operated by a group of cybercriminals who release new ransomware versions on a regular basis. It’s considered to be very dangerous malware because file recovery is not always possible.



The ransomware will start encrypting files as soon as it’s initiated. Unfortunately, it targets all personal files, including photos, videos, and documents. Encrypted files will have .ldhy added to them. For example, an encrypted 1.txt file would become 1.txt.ldhy if encrypted. These files will not be openable unless they’re first put through a decryptor.

When the ransomware is done with file encryption, it will drop a _readme.txt ransom note. The note is more or less the same as the one dropped by all other versions from this malware family. The note explains that users can get a decryptor if they agree to pay $999 for it. There’s supposedly a 50% discount for users who make contact with the malware operators within the first 72 hours. Malicious actors also promise to decrypt one file for free as long as it does not contain any important information.

Paying the ransom or even contacting the cybercriminals is not recommended. Users should keep in mind that they are dealing with malicious actors, and there’s nothing to force them to keep their end of the deal. Many users have paid in the past only to not receive anything in return.

Here is the full _readme.txt ransom note:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:

Price of private key and decrypt software is $999.
Discount 50% available if you contact us first 72 hours, that’s price for you is $499.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

If users have a backup, they can safely connect to it as soon as they remove Ldhy ransomware from their computers. It’s strongly recommended that users use anti-malware software because it’s a very serious infection. Once it no longer comes up in scans, it’s safe to connect to a backup. Unfortunately, removing the ransomware will not restore files. To recover files, users need to have either a backup or a decryptor.

Besides a backup, a decryptor is the only way to recover files. So if users do not have a backup, waiting for a free Ldhy ransomware decryptor to be released is the only option. However, when, or even if, a Ldhy ransomware decryptor will be released is not certain.

How do malicious actors distribute Ldhy ransomware?

Most ransomware that targets random users is distributed via email attachments, torrents, and malicious ads/links. If users engage in risky online behavior (e.g. open email attachments without double-checking anything or use torrents to pirate copyrighted content), they are significantly more likely to encounter malware and infect their computers. Developing better habits and learning the most common distribution methods is one of the best ways to avoid malware.

Malicious software is very commonly found in torrents, especially in torrents for popular entertainment content (e.g. movies, TV series, and video games). If users do not know how to recognize malicious torrents, infection is very easy. Many torrent sites are poorly moderated, which allows malicious actors to upload torrents with malware. Pirating copyrighted content is discouraged in general because it’s content theft, but using torrents is also dangerous.

Email attachments are also a common way malware is distributed. Users whose email addresses have been leaked are the usual targets. The emails are often made to look like parcel delivery notifications or order confirmations, and senders claim that an important document is attached. Senders usually claim that these documents need to be urgently reviewed, which creates a sense of urgency and pressures users to open the attachments. If users do, they infect their computers.

In many cases, these emails are easy to recognize. First of all, they contain grammar and spelling mistakes that you would not normally see in emails sent by legitimate senders. Another sign includes the sender using generic words like User, Member, Customer, etc., to address users. Legitimate senders address the recipient by name to make the email seem more personal but malicious emails use generic words. This is largely to do with the fact that the emails target many users at the same time.

Some malicious emails can be significantly more sophisticated, especially when they target someone specific. This is why it’s important to scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.

How to remove Ldhy ransomware

When it comes to removing ransomware, anti-malware software must be used. Ransomware is a very complex infection that should not be removed manually unless users know exactly what they’re doing. Removing it incorrectly could lead to additional damage. A good anti-malware program is recommended to delete Ldhy ransomware, and when it no longer comes up in scans, users can connect to their backups and start recovering their data. If the ransomware is still present when users connect to their backup, the backed-up files would become encrypted as well.

If users do not have a backup, their options are very limited. The only option left is to wait for a free Ldhy ransomware decryptor to be released. However, free decryptors for the Djvu/STOP ransomware family are difficult to develop. Nonetheless, users should back up their encrypted files and occasionally check NoMoreRansom for a decryptor.

Ldhy ransomware is also detected as:

  • Win32:BotX-gen [Trj] by Avast/AVG
  • Trojan.GenericKD.71532783 (B) by Emsisoft
  • A Variant Of Win32/GenKryptik.GTMJ by ESET
  • HEUR:Trojan.Win32.Injuke.gen by Kaspersky
  • Trojan.MalPack.GS by Malwarebytes
  • Ransom:Win32/StopCrypt.SHZ!MTB by Microsoft
  • Trojan.GenericKD.71532783 by BitDefender
  • GenericRXWN-MJ!DAED93996432 by McAfee

Site Disclaimer is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.

The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.

Leave a comment

Your email address will not be published.