LQTOREQ is a recent variant of the STOP/Djvu ransomware family — by infection volume, the most prolific consumer-targeting ransomware operation in existence. STOP/Djvu has run continuously since late 2018, releasing a new variant on a near-weekly schedule, each distinguished by a four- to seven-letter extension appended to encrypted files. LQTOREQ files carry the .lqtoreq extension, and the operators drop a ransom note named _readme.txt in every folder they touch.
This article walks through what LQTOREQ does technically — how it gets onto a machine, how it encrypts files using Salsa20 wrapped in an RSA-2048 key envelope, what artifacts it leaves on disk and in the registry, and how to remove it manually. It also covers the single most important question for any STOP/Djvu victim: were your files encrypted with an online key or an offline key? That answer determines whether free decryption is possible at all.
Disconnect this PC from the network now. Before you read any further, unplug the Ethernet cable and turn off Wi-Fi. LQTOREQ encrypts mapped network shares, attached USB drives, and any cloud-sync folders (OneDrive, Dropbox, Google Drive) it can reach. Every minute it stays online is more data lost. Do this even if encryption appears to have finished — the dropper often pulls in a second-stage info-stealer that is still actively exfiltrating data.
Threat Profile at a Glance
| LQTOREQ — Technical Specification | Detail |
|---|---|
| Family | STOP / Djvu |
| Extension appended | .lqtoreq (e.g. report.docx → report.docx.lqtoreq) |
| Ransom note filename | _readme.txt — dropped in every directory containing encrypted files |
| Platform | Windows 7, 8, 10, 11 — 32-bit PE executable, runs on 64-bit hosts via WOW64 |
| Primary distribution | Cracked software, "free download" sites, fake KMS activators, key generators, game cheats, YouTube-described pirated tools |
| Encryption algorithm | Salsa20 stream cipher (symmetric, per-file key) wrapped with RSA-2048 (asymmetric) |
| Partial encryption | Yes — only the first ~150 KB of each file is encrypted (a speed optimization; large files remain mostly intact past the first chunk, but the header is destroyed) |
| Key type variants | Online key (unique per victim, held only on C2 — unrecoverable) or Offline key (hardcoded fallback, identical for all victims of this variant — potentially recoverable) |
| Ransom amount | $980 USD — reduced to $490 if paid within 72 hours (Bitcoin only) |
| Contact channel | Email addresses listed in _readme.txt (rotates per variant — current LQTOREQ samples reference addresses such as support@freshingmail.top and datarestorehelpyou@airmail.cc) |
| Persistence mechanism | Registry Run key under HKCU\...\Run, Scheduled Task "Time Trigger Task", and a self-copy in %LocalAppData%\<UUID>\ |
| Secondary payloads | Routinely drops RedLine and/or Vidar info-stealers — these exfiltrate browser passwords, crypto wallets, FTP creds, and Discord tokens before or during encryption |
| Shadow Copy deletion | Yes — calls vssadmin.exe delete shadows /all /quiet via elevated child process |
| Hosts file modification | Yes — appends ~200 entries pointing security-vendor domains (Microsoft, ESET, Malwarebytes, Symantec, Kaspersky) to 0.0.0.0 |
Why "LQTOREQ" Is Really a STOP/Djvu Problem
LQTOREQ is not an independent ransomware family — it is one extension in a long-running production line. The same actor (or small group of actors) has been releasing variants of STOP/Djvu since December 2018, each with a fresh extension chosen seemingly at random. Earlier extensions include .djvu, .djvuu, .tro, .rumba, .promo, .adobe, .boop, .kasp, .opqz, .coza — and dozens more. By extension count alone, STOP/Djvu accounts for the largest share of ransomware infections reported worldwide on platforms like ID Ransomware and BleepingComputer's support forum.
Operationally, all STOP/Djvu variants share the same codebase. They differ in three small ways:
- The file extension appended to encrypted files (e.g. .lqtoreq)
- The hardcoded RSA-2048 public key used for online-key mode
- The hardcoded Salsa20 offline key (the same for every victim of that one variant)
This matters because the decryption tooling situation depends on which variant you have. Emsisoft's STOP Decryptor can recover files from any STOP/Djvu variant — but only if the file was encrypted with the variant's offline key, AND a victim of that same variant has paid the ransom and shared the recovered key with the researcher community. The decryptor has unlocked ~150 of the ~700 known STOP/Djvu variants. New variants like LQTOREQ start with no recovered keys and are progressively added as keys become available.
How LQTOREQ Gets Onto a Machine
LQTOREQ infections almost always trace back to one specific user action: downloading and running pirated software. The STOP/Djvu operators do not run phishing campaigns, do not exploit unpatched Windows services, and do not use compromised RDP. They distribute through fake software-crack sites and "free" download portals that have been a fixture of search results for years.
The crack-site infection chain
A typical infection chain looks like this:
- User searches for "[software-name] crack", "[game] activator", "KMSpico Windows 11", or a similar term.
- One of the top search results is a blog-style page hosting a download link, often promising the activator in a password-protected ZIP file.
- The ZIP contains a "Setup.exe" or "Activator.exe" plus a README with the unzip password — passwording the archive is what defeats most antivirus engines, which cannot scan inside encrypted ZIPs.
- When the user unzips and runs the executable, three things happen nearly simultaneously: an info-stealer (RedLine or Vidar) is dropped to harvest browser-saved passwords, the LQTOREQ payload is installed, and encryption begins.
The info-stealer is the bigger long-term problem. The encrypted files are immediately visible, so they get attention. The stealer is silent and finishes its job in seconds. By the time you see the ransom note, every password saved in Chrome, Firefox, and Edge — every crypto wallet seed phrase, every Discord token, every FTP credential — has already been shipped to a remote server. Treat the infection as a full credential compromise: change every important password from a clean device, and invalidate every active session.
Technical Execution: What Happens on First Run
When the LQTOREQ executable runs, it performs a deterministic sequence of operations. Each step has been refined across hundreds of STOP/Djvu variants — the code is mature, defensive, and built specifically for evasion on consumer Windows installations.
Step 1 — Self-installation and persistence
The malware generates a random UUID-style folder name and copies itself into %LocalAppData%\<UUID>\. It then registers that copy in two places:
Registry Run key (per-user, no admin required): a value named SysHelper under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that points at the copied binary.
Scheduled task (added via schtasks.exe): a task named Time Trigger Task in the root of the Task Scheduler Library that launches the same binary on an hourly trigger.
Both persistence locations need to be removed during cleanup — the scheduled task is the more commonly overlooked one, and it will re-launch the binary on every hourly tick if left in place.
Step 2 — UAC bypass via the CMSTP technique
To execute privileged commands (like vssadmin delete shadows), LQTOREQ uses a well-known UAC bypass abusing CMSTPLUA COM elevation. It instantiates the auto-elevated CMSTPLUA COM object via CoCreateInstance, then uses its methods to execute arbitrary commands at high integrity without showing a UAC prompt. This trick has been documented since 2017 and has been used by dozens of malware families; Microsoft has chosen not to patch it because doing so would break legitimate Connection Manager profile installs.
Step 3 — Personal ID generation
The malware reads the MAC address of the primary network adapter, MD5-hashes it, and writes the resulting hex string to C:\SystemID\PersonalID.txt; the same string is reproduced in _readme.txt, and it becomes the victim's "Personal ID".
The last two characters of the Personal ID are the single most important diagnostic in any STOP/Djvu case. A trailing t1 means the C2 was reachable and a unique online key was issued — recovery without the criminals' cooperation is mathematically infeasible. A trailing t2 means the C2 was unreachable and the hardcoded offline key was used — recovery is possible if a researcher has obtained that variant's offline key.
Step 4 — Hosts file modification
To prevent security software from updating, contacting telemetry servers, or downloading new signatures, the malware appends a long block of entries (roughly 200 lines, each mapping a security-vendor domain such as Microsoft, ESET, Malwarebytes, Symantec or Kaspersky to 0.0.0.0) to %WINDIR%\System32\drivers\etc\hosts.
This is the reason that, immediately after infection, you may find you cannot reach any antivirus vendor's site or download a removal tool. The hosts file must be cleaned (covered in the removal steps below) before any browser-based recovery work will function.
Step 5 — Shadow Copy deletion
With elevation acquired via the CMSTP trick, the malware runs vssadmin.exe delete shadows /all /quiet from an elevated child process, wiping every Volume Shadow Copy on the system.
This is a near-universal step across modern ransomware. By the time you see the ransom note, shadow copies are gone.
How LQTOREQ Encrypts Files
LQTOREQ uses a hybrid encryption scheme: Salsa20 as the bulk-data cipher and RSA-2048 as the key-wrap algorithm. Salsa20 is a fast stream cipher; RSA-2048 ensures the per-file Salsa20 keys can only be unwrapped with the operators' private key.
The online vs. offline key fork
Here is the part that is unique to STOP/Djvu and that decides every recovery outcome:
| Mode | When used | Key uniqueness | Recovery without paying |
|---|---|---|---|
| Online key | C2 server reachable at first run — server issues a fresh RSA-2048 key pair per victim | Unique to each victim | Not possible — private key is on the server |
| Offline key | C2 unreachable (network down, sinkholed, infected before connecting) — malware falls back to a key pair hardcoded in the binary | Same for every victim of this variant | Possible — if a single victim's offline key is recovered, all victims of that variant can decrypt |
This design quirk is the reason Emsisoft's STOP Decryptor exists. When a victim pays the ransom, they receive the decryption key for their infection. If they were in offline-key mode, that single key decrypts every other offline-key victim of the same variant. Several of those keys have been shared with researchers over the years, populating the decryptor.
Per-file encryption process
For each targeted file, LQTOREQ executes the following:
- Open the file and read its first 150 KB.
- Generate (or retrieve from binary) a 32-byte Salsa20 key and an 8-byte nonce.
- Encrypt that 150 KB chunk in place using Salsa20.
- Append an end-of-file marker block containing the Salsa20 key wrapped with the victim's RSA-2048 public key, plus a flag indicating online vs offline mode and the variant's Personal ID.
- Rename the file by appending .lqtoreq to the existing name (e.g. budget.xlsx → budget.xlsx.lqtoreq).
The 150 KB partial-encryption trick is a performance optimization — it lets the ransomware finish encrypting a victim's entire user-document tree in minutes rather than hours, while still rendering most file formats unopenable because the file header (containing magic bytes, indexes, and metadata) sits within those first 150 KB. For text files and small documents (under 150 KB), the entire file is encrypted.
What file types are targeted
The hardcoded extension list covers everything a typical home user would care about — documents, photos, music, videos, archives, and project files. Executables, DLLs, system files, and the contents of Windows\ and Program Files\ are explicitly skipped (encrypting them would brick the OS and prevent payment).
The ransom note
After encryption finishes, the malware drops a file named _readme.txt in every directory containing encrypted files, plus once on the desktop. The contents are nearly identical across STOP/Djvu variants: the victim's Personal ID, the $980 price with the $490 discount if paid within 72 hours, and the variant's contact email addresses (listed in the Threat Profile above).
Do not pay the ransom. Even on "successful" payments, STOP/Djvu operators frequently provide a partial or non-working decryptor, ghost the victim after receiving payment, or send a decryptor that only restores a fraction of files. Paying also funds the next round of variants. If you are in offline-key mode, a free decryptor exists or will eventually exist. If you are in online-key mode, paying still rarely results in full recovery — and shifts you onto a list of confirmed payers who are likely to be targeted again.
Artifacts LQTOREQ Leaves Behind
If you are doing a manual cleanup, these are the locations to check and clear in order. Every item below is created or modified by LQTOREQ during a typical infection:
1. Malware binary — a self-copy in %LocalAppData%\<UUID>\ (random UUID-style folder name)
2. Registry Run key (per user) — HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value SysHelper pointing into that folder
3. Scheduled task — Time Trigger Task in the root of the Task Scheduler Library, re-launching the binary hourly
4. Personal ID file — C:\SystemID\PersonalID.txt (copy its contents before removal; the t1/t2 suffix decides your recovery options)
5. Modified hosts file — %WINDIR%\System32\drivers\etc\hosts, with security-vendor domains pointed at 0.0.0.0
6. Ransom notes — _readme.txt in every directory containing encrypted files, plus one on the desktop
7. Encrypted files — everything carrying the .lqtoreq extension (preserve these; never delete them)
8. Possible secondary-payload artifacts (RedLine / Vidar) — additional UUID-named folders in %LocalAppData% created around the time of infection
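The checks in that list can be scripted. The following is an added example, not code from the original article or from any vendor tool: it flags Run-key values and LocalAppData folders that follow the %LocalAppData%\<UUID>\ pattern, looks for the Time Trigger Task, and classifies the Personal ID by its t1/t2 suffix. The function and constant names are my own; the collector assumes a Windows host and the paths named in the list above.

```python
"""Triage helpers for the LQTOREQ artifacts listed above (added example, not
code from the original article). The decision functions take values that were
already collected, so they run on any OS; the collector at the bottom is the
assumed way a responder would feed them on the infected Windows host."""
import os
import re
import subprocess
import sys

UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
TASK_NAME = "Time Trigger Task"              # scheduled-task name cited above
RUN_VALUE = "SysHelper"                      # Run-key value name cited above
PERSONAL_ID_FILE = r"C:\SystemID\PersonalID.txt"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

def key_mode_from_personal_id(personal_id):
    """The last two characters of the Personal ID decide the recovery path."""
    pid = personal_id.strip()
    if pid.endswith("t1"):
        return "online"    # unique key issued by the C2; no free decryption
    if pid.endswith("t2"):
        return "offline"   # hardcoded key; Emsisoft's decryptor may have it
    return "unknown"       # confirm with ID Ransomware before deciding

def uuid_named_dirs(dir_names):
    """Folders that follow the %LocalAppData%\\<UUID>\\ naming convention."""
    return [d for d in dir_names if UUID_RE.fullmatch(d)]

def is_suspicious_run_value(name, data, local_app_data):
    """True for the known SysHelper value, or for any value whose command
    launches a binary from a UUID-named folder directly under LocalAppData."""
    if name.lower() == RUN_VALUE.lower():
        return True
    cmd = data.strip().strip('"')
    cmd = re.sub(r"%localappdata%", lambda _: local_app_data, cmd, flags=re.I)
    cmd = cmd.replace("/", "\\").lower()
    base = local_app_data.replace("/", "\\").lower().rstrip("\\") + "\\"
    if not cmd.startswith(base):
        return False
    first_dir = cmd[len(base):].split("\\", 1)[0]
    return UUID_RE.fullmatch(first_dir) is not None

def has_time_trigger_task(task_names):
    """True if a task named Time Trigger Task exists in the library root."""
    return any(t.strip().lstrip("\\").lower() == TASK_NAME.lower() for t in task_names)

def triage(run_values, task_names, dir_names, local_app_data, personal_id):
    """Combine the checks into one report over the four artifact classes."""
    return {
        "run_values": [n for n, d in run_values
                       if is_suspicious_run_value(n, d, local_app_data)],
        "scheduled_task": has_time_trigger_task(task_names),
        "uuid_dirs": uuid_named_dirs(dir_names),
        "key_mode": key_mode_from_personal_id(personal_id),
    }

def collect_on_windows():
    """Read the live Run key, schtasks output, LocalAppData and PersonalID.txt."""
    import winreg
    lad = os.environ["LOCALAPPDATA"]
    run_values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            run_values.append((name, str(data)))
    csv = subprocess.run(["schtasks", "/query", "/fo", "csv", "/nh"],
                         capture_output=True, text=True).stdout
    tasks = [ln.split('","')[0].strip('"') for ln in csv.splitlines() if ln.startswith('"')]
    pid = open(PERSONAL_ID_FILE).read() if os.path.exists(PERSONAL_ID_FILE) else ""
    return triage(run_values, tasks, os.listdir(lad), lad, pid)

if __name__ == "__main__" and sys.platform == "win32":
    print(collect_on_windows())
```

Any hit in run_values, a True scheduled_task, or a non-empty uuid_dirs means persistence is still in place and the corresponding removal step below has not been completed.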
Manual Removal: Step-by-Step
The order of operations here matters. Removing the malware does not decrypt your files — that is a separate process covered in the next section. Do every step here first to stop further damage and break persistence, then move to recovery.
Before you start: back up encrypted files to an external drive. Even though they look useless, those .lqtoreq files must be preserved exactly as they are. A future decryptor needs them. Copy the entire Documents, Pictures, Desktop, and any other personal folders to a USB drive before you touch anything else. Also save one copy of _readme.txt — its Personal ID is the diagnostic key.
Disconnect from the network
Unplug the Ethernet cable and disable Wi-Fi. This stops further encryption of mapped drives and cloud-sync folders, blocks the info-stealer from continuing to exfiltrate, and prevents the malware from reaching its C2 again. Leave it disconnected for the entire cleanup.
Boot into Safe Mode with Networking
Hold Shift while clicking Restart → Troubleshoot → Advanced Options → Startup Settings → Restart → press 5 for Safe Mode with Networking. Safe Mode prevents most third-party startup items — including LQTOREQ's persistence — from loading. Networking is needed to download removal tools; if you have a clean machine, download the tools there and bring them on USB instead.
Kill the malware process
Open Task Manager (Ctrl + Shift + Esc). Look in the Details tab for any process with a UUID-like or random-looking name running from %LocalAppData%. End the process tree. If you cannot identify the process by name, sort by CPU — during encryption the malware is the heaviest consumer.
Delete the scheduled task
Open Task Scheduler (Win + R → taskschd.msc). In the Task Scheduler Library (root) look for an entry named Time Trigger Task — right-click → Delete. Without this step, the malware will re-launch every hour even after you remove the binary.
Remove the registry Run key
Open Registry Editor (Win + R → regedit). Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Look for a value named SysHelper (or any value pointing into %LocalAppData%\<UUID>\) — right-click → Delete. Also check HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce for the same pattern.
Delete the malware folder from LocalAppData
Open File Explorer → type %LocalAppData% in the address bar. Look for any folder with a UUID-style name (format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) that contains an executable you don't recognize. Delete the entire folder. There may be more than one — RedLine and Vidar use the same convention. When in doubt, remove any UUID-named folder created near the time of infection.
Restore the hosts file
The malware modified %WINDIR%\System32\drivers\etc\hosts to block security-vendor domains. Open the file in Notepad (running as Administrator) and remove any line that ends with a security/news/forum domain — Microsoft, ESET, Malwarebytes, Symantec, Kaspersky, Avast, AVG, BleepingComputer, etc. A clean default hosts file contains only commented lines and possibly a single 127.0.0.1 localhost entry. If unsure, replace the entire file with Microsoft's default hosts content (search for "default Windows hosts file").
Remove the Personal ID file
Delete the folder C:\SystemID\ (containing PersonalID.txt) — but only after you have copied its contents somewhere safe. The Personal ID is what determines whether free decryption is possible for your case; save it to a text file on a clean external drive before deletion.
Run Malwarebytes for a thorough sweep
Download Malwarebytes Anti-Malware (from a clean machine if your browser can't reach the site) and run a full Threat Scan. It will flag LQTOREQ and the secondary info-stealers if any remnants survived manual cleanup. Quarantine and remove everything. Do not skip this even if you are confident in manual steps — the info-stealer is small and easy to miss.
Run a second-opinion scanner
Run HitmanPro or Emsisoft Emergency Kit as a second pass. STOP/Djvu droppers sometimes side-load additional components that a single engine may miss. Both tools require no installation and run from a USB stick.
Reboot normally and verify
Restart the PC out of Safe Mode. Confirm that no new files are being encrypted, no ransom note reappears, Task Manager does not show the suspicious process, and the Run key / scheduled task do not regenerate. Run both scanners one more time post-reboot to confirm the system is clean before moving to data recovery.
Change every saved password — from a clean device
Assume the info-stealer captured every password your browsers had saved. From a clean phone or tablet, change passwords for: email, banking, social media, work accounts, cloud storage, password managers, and anything with payment info. Enable two-factor authentication everywhere it is offered. Revoke all active sessions in account-security panels. This step is not optional — it is the most important post-infection action you will take.
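The hosts-file step above (and Step 4 in the execution section) can be automated rather than edited by hand in Notepad. This is an added example, not code from the original article: it removes every active line that resolves a hostname to 0.0.0.0 or to loopback while keeping comments, blank lines and the localhost entries. The sample hosts content and the .bak backup name are constructed; the path assumes %WINDIR% is C:\Windows.

```python
"""Hosts-file sanitizer for the block LQTOREQ appends (added example, not
code from the original article). Keeps comments, blank lines and
loopback->localhost entries; strips every active line that points a real
hostname at 0.0.0.0 (what the malware writes) or at a loopback address."""
import ipaddress
import shutil
import sys

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"   # assumes %WINDIR% is C:\Windows
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def _is_blackhole(ip):
    """0.0.0.0 or any loopback address such as 127.0.0.1 / ::1."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_unspecified or addr.is_loopback

def classify_line(line):
    """'keep' for comments, blank lines and ordinary entries; 'drop' when a
    non-local hostname has been pointed at 0.0.0.0 or loopback."""
    active = line.split("#", 1)[0].strip()
    if not active:
        return "keep"
    ip, *names = active.split()
    if not _is_blackhole(ip) or all(n.lower() in LOCAL_NAMES for n in names):
        return "keep"
    return "drop"

def sanitize(text):
    """Return (clean_text, dropped_lines). Dropped lines are returned for
    review because a developer's own 127.0.0.1 test entry would be removed too."""
    kept, dropped = [], []
    for line in text.splitlines():
        (kept if classify_line(line) == "keep" else dropped).append(line)
    return "\n".join(kept) + "\n", dropped

def restore_windows_hosts(path=HOSTS_PATH):
    """Back up the live file, then overwrite it with the sanitized copy.
    Must run from an elevated prompt; the file is ACL-protected."""
    with open(path, encoding="utf-8", errors="replace") as f:
        clean, dropped = sanitize(f.read())
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as f:
        f.write(clean)
    return dropped

# Constructed sample: a default-style header plus injected vendor entries.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "#",
    "127.0.0.1       localhost",
    "::1             localhost",
    "0.0.0.0 www.microsoft.com",
    "0.0.0.0 eset.com",
    "0.0.0.0 malwarebytes.com",
    "0.0.0.0 www.symantec.com",
    "127.0.0.1 kaspersky.com",
]) + "\n"

if __name__ == "__main__":
    dropped = restore_windows_hosts() if sys.platform == "win32" else sanitize(SAMPLE_HOSTS)[1]
    print("\n".join(dropped))
```

Review the printed dropped lines before trusting the result: the article's "clean default" (comments plus a single localhost entry) is what remains, and anything else removed was either injected or your own custom mapping.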
File Recovery Options
Removing the malware stops new damage. To get your files back, you have these options — in order of likelihood:
Option 1 — Restore from backup (best outcome)
If you have a recent backup on an external drive that was not connected during the infection, on a NAS that wasn't a mapped Windows share, on a versioned cloud service (Backblaze, Carbonite, Time Machine via SMB, OneDrive's Version History, Google Drive's "Restore previous versions"), restore from it after confirming the machine is clean. Restoring onto an active infection will re-encrypt the restored files immediately.
Option 2 — Emsisoft STOP Decryptor
Emsisoft maintains a free decryptor for STOP/Djvu at emsisoft.com/ransomware-decryption-tools/stop-djvu. The tool will:
- Identify your variant from a sample encrypted file
- Determine whether you were encrypted with an online or offline key (the t1/t2 suffix in your Personal ID)
- If offline-key mode and Emsisoft has obtained that variant's offline key from a previous victim or research collaboration, decrypt all your files at no cost
- If online-key mode, report that decryption is not currently possible — your files will need to wait for a key leak or law-enforcement seizure of the operators' infrastructure
For a brand-new variant like LQTOREQ, the offline key may not yet be in Emsisoft's database. Run the tool monthly — they add keys as they obtain them.
Option 3 — ID Ransomware
Before any other tool, run your files through id-ransomware.malwarehunterteam.com. Upload a sample encrypted file and a copy of _readme.txt. The site will confirm the family (STOP/Djvu), the specific variant (LQTOREQ), and link you to the appropriate decryptor if one exists. It is the canonical first-stop diagnostic.
Option 4 — NoMoreRansom.org
The No More Ransom project — run by Europol, the Dutch National Police, and dozens of private-sector partners — aggregates decryptors for hundreds of ransomware families. Use the "Crypto Sheriff" tool there as a cross-check against Emsisoft.
Option 5 — Recuva or PhotoRec (long shot)
LQTOREQ encrypts files in place but does so by reading the file, computing the ciphertext, and writing it back. In some edge cases — particularly with photos and other large files in user folders — Windows briefly stages the operation through a temporary file, and the original allocation is freed without being overwritten. File-recovery tools like Recuva (free) and PhotoRec (free, more thorough) can occasionally recover those un-overwritten originals from the disk's free space. The success rate is low but non-zero — worth trying for irreplaceable personal photos before declaring loss.
Option 6 — Professional data recovery
For business-critical data with no working backup, a professional data-recovery lab can sometimes pull plaintext fragments from unallocated sectors. This is expensive ($500–$3,000+), not guaranteed, and only worth doing for data whose value clearly exceeds the cost.
Option 7 — Accept loss; preserve the encrypted files
If none of the above produce results, the right move is to preserve a backup copy of all the encrypted .lqtoreq files on an external drive, wipe the infected machine, and reinstall Windows fresh. Keep those encrypted files indefinitely. STOP/Djvu operators have been arrested before; law enforcement has seized servers before; Emsisoft adds offline keys to the decryptor years after the variant first appeared. Files unrecoverable today may be recoverable next year.
Prevention
STOP/Djvu specifically targets users who download pirated software. The single most effective prevention is to stop doing that. After that:
- Maintain offline backups using the 3-2-1 rule. Three copies, two media types, one offsite or disconnected. A backup connected to the PC at the moment of infection will be encrypted with everything else.
- Show file extensions in Windows Explorer. View → Show → File name extensions. Lets you spot disguised executables.
- Block executables from running in user-writable directories. A Software Restriction Policy or AppLocker rule preventing .exe execution from %LocalAppData%, %AppData%, and %Temp% would have stopped every STOP/Djvu infection in its tracks. This is a free Windows feature; most people simply never enable it.
- Keep Windows Defender on, and updated. Defender recognizes most STOP/Djvu droppers within hours of their release. Disabling it to run a "crack" is what enables the infection.
- Use a password manager with a master password, not browser-saved passwords. Browser-saved passwords are the first thing RedLine and Vidar exfiltrate. A separate, encrypted password manager that requires its own master password is dramatically more resistant.
- Enable two-factor authentication on email, banking, and cloud accounts. Stolen passwords are useless to attackers if there's a second factor blocking login.
- Buy your software. The combined cost of every "free" version of Photoshop, Office, and Windows that someone might pirate over a lifetime is less than one professional data-recovery attempt — and orders of magnitude less than the value of the data lost to a single ransomware infection.
Our 90-Day Warranty covers every ransomware removal. If the same infection returns within 90 days of our service — or any component we removed re-appears — we come back and clear it at no charge. That guarantee is in writing on every invoice.
Bring Your Device to Computer Repair Roswell
STOP/Djvu cleanup is one of the more demanding jobs we do — not because the malware is hard to remove (it is not), but because the recovery path requires careful triage: identifying the exact variant, determining the key mode, preserving the encrypted files for future decryption, hunting down the info-stealer that came along with it, and helping the customer rotate every credential that was on the machine.
If you are looking at .lqtoreq files right now, do four things before you bring the machine in: power it off, do not connect any USB drives to it, write down any passwords or accounts you used on it, and call us. We will handle the rest.
Our shop is in Roswell and serves all of North Atlanta — Alpharetta, Sandy Springs, Marietta, Johns Creek, Milton, Dunwoody, and beyond. Walk-ins welcome, or submit a repair request below and we'll respond within the hour.
Ransomware on Your PC? Don't Panic.
Our certified technicians handle STOP/Djvu and other ransomware removals every week. Free diagnostic. No fix, no fee.