Locker Ransomware Support and Help Topic

This is the support topic for the Locker Ransomware. The Locker ransomware has a very large install base that has affected many people globally.

There is a detailed guide on Locker, how it works, and what you should do if you are infected at the below link:

Locker Ransomware Information Guide and FAQ

 
 

Summary

The Locker ransomware is a computer infection that silently runs on a victim's computer until May 25 Midnight local time at which point it became active. Once active, it will begin to encrypt the data files on the computer with what appears to be RSA encryption. When encrypting the data files it will not change the extension of the file. Therefore, the only way to determine if the file is encrypted is by trying to open it and being told that the file is corrupt or not usable.

After the Locker ransomware encrypts your data it will delete your shadow volume copies and then display the Locker interface. This interface will be titled Locker and then a random version number. This version number does not appear to have any significance. Some example titles are Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. This Locker screen will give you information on how to pay the ransom, your unique bitcoin address to send the ransom to, a list of encrypted files, and a page to check the status of your payment.

 

Main Locker screen

It should be noted that this infection only clears the Shadow Volume Copies for the C:\ drive. Therefore, if you store data on other drives, you can use the Shadow Volume Copies to restore your data. There are also reports that the infection is not always able to delete any shadow volume copies, so to be safe it is advised that you at least try to restore your files using Shadow Explorer as described in the link below:
 

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow

The ransomware will also have a scary warning at the bottom of the Locker interface that states:
 

Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!

Please do not be concerned about this message. This is just a method for them to scare you into paying the ransom.

If you do decide to pay the ransom, which should be avoided if at all possible, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.






 

Technical Information

The exact process as to how the Locker ransomware is installed is currently unknown. What we do know is that there are a series of Windows services that are used to install Locker on the computer and encrypt the files. At some point a dropper will be installed in the C:\Windows\System32 or C:\Windows\Syswow64 and uses a random file name such as twitslabiasends.exe. This file will be installed as a service and when started will create the Steg service in C:\ProgramData\Steg\steg.exe. The steg service will then install Tor in C:\ProgramData\Tor and create another called service called LDR. The LDR service is associated with the C:\ProgramData\rkcl\ldr.exe and will ultimately launch the rkcl.exe program which displays the Locker interface.

The TOR client is used to communicate with the TOR Command & Control server located at jmslfo4unv4qqdk3.onion.

When data files are encrypted, the known file types it targets include :
 

3fr,accdb,ai,arw,bay,cdr,cer,cr2,crt,crw,dbf,dcr,der,dng,doc,docm,docx,dwg,dxf,dxg,eps,erf,indd,jpe,jpg,kdc,mdb,mdf,mef,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pef,pem,pfx,ppt,pptm,pptx,psd,pst,ptx,r3d,raf,raw,rtf,rw2,rwl,srf,srw,wb2,wpd,wps,xlk,xls,xlsb,xlsm,xlsx

These files will be encrypted, but they will not have their extensions changed. As more extensions are determined, we will add them to the list.

Finally the installation will also delete all Shadow Volume Copies so that you are unable to use them to restore your files. The command used to delete the shadow volume copies is:
 

vssadmin.exe delete shadows /for=C: /all /quiet

During the install process, Locker will check if the computer is a VirtualBox or Vmware virtual machine and terminate if detected. It will also search for the following processes and if they are found, terminate the installation process:
 

wireshark,fiddler,netmon,procexp,processhacker,anvir,cain,nwinvestigatorpe,uninstalltool,regshot,installwatch,inctrl5,installspy,systracer,whatchanged,trackwinstall

At this point, the Locker ransomware will only target Shadow Volume Copies on the C:\ drive. So if there are Shadow Volume Copies present on other drives then it may be possible to use them to restore your files. Furthermore, it is not uncommon for these types of infections to sometimes not be able to properly delete Shadow Volume Copies, so it is always wise to try and restore from them. For information on how to restore via Shadow Volume Copies, please see this url:
 

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow

Finally, while rkcl.exe is running it will continuously poll www.blockchain.info to see if a payment has been made. When it confirms that a payment was made it will download the private decryption key and save it in the C:\ProgramData\rkcl\priv.key file and then decrypt your files.

Below is the list of data files that are created by Locker and stored in C:\ProgramData\rkcl\:


data.aa0 - This file contains a list of the encrypted files.

data.aa1 - Unknown purpose

data.aa6 - The victim's unique bitcoin address

data.aa7 - An RSA key similar to:
 

<RSAKeyValue><Modulus>rvSUBZItCXDmeBBu01Imy811u41pOSTRDn9+6FpsEvXXfoBrcLgBd5ommgeT5jFRmY1/4vvsd+uXTUOG9FPBtbx1ySB9cv6/+5dU8v4SZTFIkCBIb5nXvYNzmm/lBB5OXOr6B8dkjyEr94LvUUg4B4XyFRjjjoXSUXX6ND0vbt1knN6/mBSIfkvv7XTlS5IBmbxB149t79mFcr9nu1tS9edI6s+sIUB14jFumf5xob1YG5UXOSntBDgkuIso+JXrXvB1ze4Bc7Ec1711Bmy7rfXScxpxXFb7rByZukBN5IomrY+9rTpyC4Df+pvJz/osBS0kSBS+BvIdETT/nKmIYm==<Modulus><Exponent>ImIB</Exponent></RSAKeyValue>

data.aa8 - Contains the version number for the Locker graphical interface.

data.aa9 - The date the ransomware became active

data.aa11 - Unknown purpose

data.aa12 - Unknown purpose

priv.key - This file contains the private decryption key that can be used to decrypt your files. It only appears after you pay the ransom.


Below are the images of the Locker Ransomware interface:

Information Screen

Payment Screen

Files screen

Status screen

Edited by Grinler, 28 May 2015 - 08:54 AM.

Hello,
I've been infected with this thing and for the past two hours i've been searching for help but with no good luck.
It infected a lot of .jpg files and only one .docx file.
For the infected files it seems that the extension hasn't been modified.
 
Here's screenshots with the ransomware.. 
 

 

 
 
 
Is there a possible way to recover my files?.. It says that there's about 4585 of them are infected.
I have not removed or modified the malware yet.

I've opened task manager and went to the process location
Here's what i found:

I've Opened the data.% files with notepad and here's what i found:

 

data.aa0 listed all my infected files.

data.aa1 blank.

data.aa6 the bitcoin payment address key :12E6vVFawrVK8Gd7Rk3whQqVodhGvuTHgg

data.aa7 

 

<RSAKeyValue><Modulus>rhMUIZAtCWDQeIIu01AQy813u41pOSTRDn9+6FpsEHwWfoIrcLgBd2oqqgeT2jFRQY3/4hvsd+uWTUOG9FPBtbx3yMI9ch6/+5dU8H4mZTFakCiab5nXvYNzqQ/lIB2OwOr6i8dkjyEr94LHUUg4i4XyFRjjjoWmUwW6ND0Hbt3knN6/QiSafkvv7WTlM2aIQbxi349t79QFcr9nu3tS9eda6s+saUI34jFuQf2xob1YG2UXOMntBDgkuaso+JXrWhi1ze4ic7Ec1731IQy7rfXMcxpxWFb7rIyZukBN5aoQrY+9rTpyC4Df+phJz/osBS0kSBm+ivadETT/nKQAYQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

data.aa8 simply listed:

 

1

7

data.aa9 listed the date and time when my "key" expires.

data.aa11 blank.

Edited by GangXtaZz, 24 May 2015 - 08:36 PM.

I found a way of partially decrypting one of my photos using TORRENTUNLOCKER and an original uncrypted file.

Since my files weren't renamed to file.encrypted, i manually renamed one of my files to .encrypted and tried decrypting with TORRENTUNLOCKER and it actually worked!

But it seems that the file has been partialy damaged, the quality is compromised.. any help?

Edited by GangXtaZz, 24 May 2015 - 07:36 PM.

Update: apparently this works only for the file that you originally get the decryption key.. i think the decryption key is not the same for all crypted files

Also, the quality is compromised, i hope there is a better method..

Edited by GangXtaZz, 24 May 2015 - 07:58 PM.

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing that will be helpful with analyzing and investigating.

These are common locations malicious executables may be found:
%Temp%
C:\<random>\<random>.exe
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

I have submitted an ecrypted file and i've also sent an archive with all malware data files i could find.

I have also uploaded it here: http://www57.zippyshare.com/v/NQQWJP2G/file.html

I've also scaned with FRST and uploaded the files:

 

Addition :http://www7.zippyshare.com/v/49v0Iq3g/file.html

 

FRST: http://www7.zippyshare.com/v/YsIZNTyQ/file.html

Ok...just be patient and one of our crypto malware experts will reply here as soon as they can.

I've also found some registry entries related to rkcl.exe / ldr.exe and the location of the malware.

taking a look

It is looking like RSA though, but ill need to confirm.

Having a hard time getting this to launch, which is making debugging it nearly impossible with the Confuserex protection it has. I think these EXE's may be left over, and not the actual infector. Going to look more into tomorrow.

Hey there. So, I've got ransomware. How do I get rid of it, or decrypt my files or something? Will I still be able to eventually access my files if the timer runs out? I'm going out of town tomorrow, and I won't be back until the night of the 28th.


Here's the bitcoin address for easy copy/paste: 13Zpt3oedE2vFEbno2dYd9KHaPQpD8ZFKs

Here's the data files of the program with the executable, and an encrypted photo along with an otherwise completely identical unmolested one: hxxp://www47.zippyshare.com/v/sD8FMabO/file.html[/url]

Edited by Orange Blossom, 25 May 2015 - 05:50 AM.
Deactivate link to protect membership. ~ OB

Hi. As of yesterday, I found out I have been infected with some kind of ransomware. I spent all night trying to find a solution but nothing bare fruit... I discovered Fireeye and Fox-It's joint solution "decryptolocker" but mine seems to be a newer version, so that site says "The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."
 

 

My important files and decade old important photos have rendered useless and it says I have 59 hours to pay their ransom. Here is a screenshot of the program. I didn't come across this one on the internet. Is this a new one or is there any way I can obtain a decryption key?

It says my files has been encrypted with a 2048-bit RSA key.
 

 

 

 

Hi guys, I recently got infected with the locker 3.26 virus which is like cryptolocker where only my documents and images have been locked (or corrupted?). The virus has been deleted off of my computer now but those files are still not opening. When opening images i get the error "Windows photo viewer cant open this picture because the file appears to be damage, corrupted or is too large" and for word documents I get the error "We're sorry. We can't open ______ because we found a problem with its contents" I have windows 8.1. The screen that popped up when i got infected was the same as the following just the number was 3.26 instead of 5.52

 

Any help will be greatly appreciated as these files are extremely important to me especially the photos.

 

Thanks