Locker Ransomware Support and Help Topic


634 replies to this topic

#451 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:10:33 AM

Posted 31 May 2015 - 12:54 AM

 

the infection cannot cause any more damage. The only thing rkcl.exe can do after encryption is poll 2 sites, blockchain, and the decryption server to check payment, and then send the keys. I do not trust any virus creator, but I do know that if you have already been infected by Locker, running rkcl.exe will not cause further damage to the machine. I can also make a decryption utility, but I fear it will not help victims that deleted the virus, as you need the BTC address to associate which key is yours.

 

With all due respect c'mon you know better than that!

 

I understand rkcl.exe does the encryption. Have we verified with certainty that it won't update itself to encrypt other kinds of files? Or that it won't download more malware? Or for that matter won't make a good effort at erasing MBRs just for laughs?

 

I'll wait for someone that hasn't unleashed havoc to build a tool to unencrypt and run that on whatever files I haven't been able to recover (which thankfully won't be much).

 

Anything other than a complete restore from a known good backup means you're going to have to find a way to validate each and every file.

 

EDIT: Also I caught it before it finished encrypting everything and never got the ransom demand. I'm not unleashing it on the rest of my machine. I would be taking quite a gamble that this virus author is telling the truth and the unencryption will happen June 2nd. No thanks. What do we need here? Some guy in a giant squid head yelling "It's a trap"? Or if you prefer Trek to Wars "Fool me once"...


I got one of my files to unlock with a very quick and dirty block of code.  It's fairly straightforward.

 

*Edit* Make that all of them.  I didn't have many files that got hit, though.  There is hope!

 

I know you say it's quick and dirty, but would you mind sharing in source form?

 

 

"With all due respect", why come in here questioning Nathan?  I understand where you're coming from, but you must be uninformed.  Nathan has a lot of experience with disassembly, decompiling, and general analyses of ransomware; he has spent plenty of time manually deobfuscating heavily obfuscated binary files and has created several decryption utilities that were provided for free in the past.

 

I am willing to bet that when Nathan makes a statement regarding the mechanism of action of a ransomware variant, he does so after disassembling and/or decompiling the associated binary; that his statements result from the review of the [raw] code in question, rather than blind claims like your response to him infers.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com



#452 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:01:33 AM

Posted 31 May 2015 - 12:55 AM

 

Thanx for info on cost.  That's quite a jump as first it was only going to be about $23 I think from reading posts here.


Np, I don't know why they think that such a jump would ever motivate someone to pay 200+ USD. Stupid lowlifes who are wasting a talent that could be used to help humanity, oh well.

 

 

I could have lost the following pictures had I not had my off site backups:

- Birth of my children

- Ultrasounds

- 1st birthday parties

- My wife and I had a joint 40th birthday themed costume party 

- All the airshows I've ever photographed (6000+ photos each on 2 occasions, many more with slightly less)

- Documentation of my current dogs growing up

- My previous dogs who've passed

- Our own wedding.

- Weddings I've photographed for other couples (as a gift, never paid).

 

I probably would pay $200+ to get that back....just not to SCUM!!!!!!!



#453 Solsund

Solsund

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:33 AM

Posted 31 May 2015 - 12:57 AM

 

I know you say it's quick and dirty, but would you mind sharing in source form?

 

 

Sure.  I just hacked this together in an hour or so.  I had one single directory get hit so I just dumped the files in with the executable and ran it.  It's just a standard Windows Form with a single button that runs things when you press it.

 

Take note it might not work for everything as instead of working out exactly how large the output buffer needed to be I just threw in a 10 meg block as it was enough to cover the files I was using.  Seems I might have been able to use a CryptoStream as well.  This is the first time I've had to mess with any encryption code in .NET.

 

http://pastebin.com/pVzeTvWs

 

*Edit*

Btw, Key.txt was just a single line pulled from the database dump.  It was the line that matched up with the stuff found in the data.aa# files on my infected computer.


Edited by Solsund, 31 May 2015 - 01:01 AM.
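The post above mentions two things a practitioner would want to see done properly: replacing the guessed 10 MB output buffer with a CryptoStream, and making sure a wrong key cannot damage the only copy of a file. The block below is an added example written for this thread; it is not Solsund's pastebin code and not Nathan's tool. The cipher (AES-256-CBC, PKCS7 padding), the hex format of the Key.txt line and the assumption that each encrypted file starts with its 16-byte IV are illustration-only assumptions, not statements about how Locker actually encrypts files; substitute whatever the analysis established.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example, not the thread's own code. Demonstrates streaming decryption
// with CryptoStream so no output buffer has to be sized up front.
// ASSUMPTIONS (not facts about Locker): AES-256-CBC with PKCS7 padding, the
// Key.txt line is hex, and each encrypted file begins with a 16-byte IV.
static class StreamingDecrypt
{
    // Parses a hex string such as "00ff1a..." into bytes. Done by hand because
    // .NET Framework 4.x has no Convert.FromHexString.
    public static byte[] FromHex(string hex)
    {
        hex = hex.Trim();
        if (hex.Length % 2 != 0) throw new FormatException("odd-length hex string");
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        return bytes;
    }

    // Decrypts inPath to outPath without loading the whole file into memory.
    // Returns false (and removes the partial output) when the key does not fit:
    // with CBC + PKCS7 a wrong key or an unencrypted input normally surfaces as
    // a CryptographicException on the final block. The input file is never
    // modified, so a failed attempt costs nothing.
    public static bool DecryptFile(string inPath, string outPath, byte[] key)
    {
        try
        {
            using (var input = File.OpenRead(inPath))
            using (var aes = Aes.Create())
            {
                var iv = new byte[aes.BlockSize / 8];          // 16 bytes (assumed header)
                if (input.Read(iv, 0, iv.Length) != iv.Length)
                    return false;                               // too short to be a ciphertext
                aes.Key = key;
                aes.IV = iv;
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                using (var decryptor = aes.CreateDecryptor())
                using (var cs = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
                using (var output = File.Create(outPath))
                {
                    cs.CopyTo(output);  // chunked copy; works for any file size
                }
            }
            return true;
        }
        catch (CryptographicException)
        {
            if (File.Exists(outPath)) File.Delete(outPath);
            return false;
        }
    }

    // Usage: StreamingDecrypt <Key.txt> <directory>
    // Decrypted copies are written beside the originals with a ".decrypted"
    // suffix; encrypted originals are left in place until they are verified.
    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: StreamingDecrypt <Key.txt> <directory>");
            return 2;
        }
        byte[] key = FromHex(File.ReadAllText(args[0]));
        int ok = 0, failed = 0;
        foreach (var path in Directory.GetFiles(args[1]))
        {
            if (path.EndsWith(".decrypted", StringComparison.OrdinalIgnoreCase)) continue;
            bool done = DecryptFile(path, path + ".decrypted", key);
            Console.WriteLine(string.Format("{0}  {1}", done ? "ok    " : "failed", path));
            if (done) ok++; else failed++;
        }
        Console.WriteLine(string.Format("{0} decrypted, {1} failed", ok, failed));
        return failed == 0 ? 0 : 1;
    }
}
```

The point of writing output to a separate file rather than in place is the same one Nathan's "Remove Encrypted files" option makes later in the thread: keep the encrypted originals until the decrypted copies have been opened and checked, because a bad-padding exception catches most wrong-key cases but not all of them, and a plaintext file fed through the decryptor by mistake produces garbage.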


#454 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:01:33 AM

Posted 31 May 2015 - 01:01 AM

 

 

the infection cannot cause any more damage. The only thing rkcl.exe can do after encryption is poll 2 sites, blockchain, and the decryption server to check payment, and then send the keys. I do not trust any virus creator, but I do know that if you have already been infected by Locker, running rkcl.exe will not cause further damage to the machine. I can also make a decryption utility, but I fear it will not help victims that deleted the virus, as you need the BTC address to associate which key is yours.

 

With all due respect c'mon you know better than that!

 

I understand rkcl.exe does the encryption. Have we verified with certainty that it won't update itself to encrypt other kinds of files? Or that it won't download more malware? Or for that matter won't make a good effort at erasing MBRs just for laughs?

 

I'll wait for someone that hasn't unleashed havoc to build a tool to unencrypt and run that on whatever files I haven't been able to recover (which thankfully won't be much).

 

Anything other than a complete restore from a known good backup means you're going to have to find a way to validate each and every file.

 

EDIT: Also I caught it before it finished encrypting everything and never got the ransom demand. I'm not unleashing it on the rest of my machine. I would be taking quite a gamble that this virus author is telling the truth and the unencryption will happen June 2nd. No thanks. What do we need here? Some guy in a giant squid head yelling "It's a trap"? Or if you prefer Trek to Wars "Fool me once"...


I got one of my files to unlock with a very quick and dirty block of code.  It's fairly straightforward.

 

*Edit* Make that all of them.  I didn't have many files that got hit, though.  There is hope!

 

I know you say it's quick and dirty, but would you mind sharing in source form?

 

 

"With all due respect", why come in here questioning Nathan?  I understand where you're coming from, but you must be uninformed.  Nathan has a lot of experience with disassembly, decompiling, and general analyses of ransomware; he has spent plenty of time manually deobfuscating heavily obfuscated binary files and has created several decryption utilities that were provided for free in the past.

 

I am willing to bet that when Nathan makes a statement regarding the mechanism of action of a ransomware variant, he does so after disassembling and/or decompiling the associated binary; that his statements result from the review of the [raw] code in question, rather than blind claims like your response to him infers.

 

 

I meant no disrespect to Nathan, who I do not know personally and whose efforts I may yet profit from. I was not trying to claim he was making "blind claims" nor disparage him. I want that to be clear.

 

Regardless it is still bad advice to continue to run software that has been shown to be malicious. No one is superhuman and if he wants to correct me by stating that he's actually looked through ALL the code from rkcl.exe I'd be happy to stand corrected on that. It would be good to have that assurance from more than one person. Anyone can miss something in complex code. There have been cases of malicious bugs being introduced into the Linux kernel that were not picked up despite some incredible talent working on that code.

 

My point about running the malware if it hadn't completed its encryption still stands. It is not a good idea. It will encrypt more of your files. You can't guarantee it will unencrypt them. I don't even know what the trigger is supposed to be on June 2nd for the decryption and I've seen no discussion of that.



#455 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:01:33 AM

Posted 31 May 2015 - 01:06 AM

 

 

I know you say it's quick and dirty, but would you mind sharing in source form?

 

 

Sure.  I just hacked this together in an hour or so.  I had one single directory get hit so I just dumped the files in with the executable and ran it.  It's just a standard Windows Form with a single button that runs things when you press it.

 

Take note it might not work for everything as instead of working out exactly how large the output buffer needed to be I just threw in a 10 meg block as it was enough to cover the files I was using.  Seems I might have been able to use a CryptoStream as well.  This is the first time I've had to mess with any encryption code in .NET.

 

http://pastebin.com/pVzeTvWs

 

*Edit*

Btw, Key.txt was just a single line pulled from the database dump.  It was the line that matched up with the stuff found in the data.aa# files on my infected computer.

 

 

Yep got as far as pulling out my key myself. Way too busy with paid work and trying to restore from backups to attempt to write code. (Not my area of expertise either, so I wouldn't turn it around anywhere near as quickly as you guys can. For starters I'd need to install .NET as I work with Java.)

 

I'm tucking away your code in case I get desperate.
 

Already deleted some of the files that I'd permanently lost as I didn't expect this development (Literally a handful of photo edits and other junk that I won't be crying over). I'll be leaving the rest in place now in the hope someone creates a full blown tool. If not your code is what I'll fall back on.

 

Much appreciated.


Edited by syousef, 31 May 2015 - 01:07 AM.


#456 White Hat Mike

White Hat Mike

  • Members
  • 312 posts
  • OFFLINE
  • Gender:Male
  • Location:::1
  • Local time:10:33 AM

Posted 31 May 2015 - 01:19 AM

 

 

 

the infection cannot cause any more damage. The only thing rkcl.exe can do after encryption is poll 2 sites, blockchain, and the decryption server to check payment, and then send the keys. I do not trust any virus creator, but I do know that if you have already been infected by Locker, running rkcl.exe will not cause further damage to the machine. I can also make a decryption utility, but I fear it will not help victims that deleted the virus, as you need the BTC address to associate which key is yours.

 

With all due respect c'mon you know better than that!

 

I understand rkcl.exe does the encryption. Have we verified with certainty that it won't update itself to encrypt other kinds of files? Or that it won't download more malware? Or for that matter won't make a good effort at erasing MBRs just for laughs?

 

I'll wait for someone that hasn't unleashed havoc to build a tool to unencrypt and run that on whatever files I haven't been able to recover (which thankfully won't be much).

 

Anything other than a complete restore from a known good backup means you're going to have to find a way to validate each and every file.

 

EDIT: Also I caught it before it finished encrypting everything and never got the ransom demand. I'm not unleashing it on the rest of my machine. I would be taking quite a gamble that this virus author is telling the truth and the unencryption will happen June 2nd. No thanks. What do we need here? Some guy in a giant squid head yelling "It's a trap"? Or if you prefer Trek to Wars "Fool me once"...


I got one of my files to unlock with a very quick and dirty block of code.  It's fairly straightforward.

 

*Edit* Make that all of them.  I didn't have many files that got hit, though.  There is hope!

 

I know you say it's quick and dirty, but would you mind sharing in source form?

 

 

"With all due respect", why come in here questioning Nathan?  I understand where you're coming from, but you must be uninformed.  Nathan has a lot of experience with disassembly, decompiling, and general analyses of ransomware; he has spent plenty of time manually deobfuscating heavily obfuscated binary files and has created several decryption utilities that were provided for free in the past.

 

I am willing to bet that when Nathan makes a statement regarding the mechanism of action of a ransomware variant, he does so after disassembling and/or decompiling the associated binary; that his statements result from the review of the [raw] code in question, rather than blind claims like your response to him infers.

 

 

I meant no disrespect to Nathan, who I do not know personally and whose efforts I may yet profit from. I was not trying to claim he was making "blind claims" nor disparage him. I want that to be clear.

 

Regardless it is still bad advice to continue to run software that has been shown to be malicious. No one is superhuman and if he wants to correct me by stating that he's actually looked through ALL the code from rkcl.exe I'd be happy to stand corrected on that. It would be good to have that assurance from more than one person. Anyone can miss something in complex code. There have been cases of malicious bugs being introduced into the Linux kernel that were not picked up despite some incredible talent working on that code.

 

My point about running the malware if it hadn't completed its encryption still stands. It is not a good idea. It will encrypt more of your files. You can't guarantee it will unencrypt them. I don't even know what the trigger is supposed to be on June 2nd for the decryption and I've seen no discussion of that.

 

 

How have you determined whether or not the malware has completed encryption activities?  What about for users who have not, either due to it being performed during off-hours or simply lack of knowledge, halted the process(es) responsible for the file system encryption?  Based on past trends, as well as monitoring the malicious executable (and hooking API calls, or simply observing API calls over time), it does not appear that the executable that Nathan stated must be running/active performs any additional checks or that it has displayed further point-in-time enumeration techniques to further compromise the target device's file system.  I have been running the executable in question and monitoring it.  I have noticed nothing other than calls to the previously-stated domains (i.e. blockchains) to verify whether or not a payment has been submitted.

 

/endrant

 

I understand where you're coming from, though, for sure.  :)  You can't really take anything that is said by someone you don't know as fact, especially posts from members of a forum.

 

But we must make inferences based on the data that we have acquired and analyzed, as well as after reviewing and performing comparisons to historical data/code that has been acquired or observed that was crafted with a similar or equivalent end-goal.  Any advice that I or any other members provide should be taken as such--not immediately interpreted as fact.


Information Security Engineer | Penetration Tester | Forensic Analyst

CipherTechs.com


#457 stick_man

stick_man

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 31 May 2015 - 01:57 AM

 

Trying to track where this could have come from, since the laptop has not really been used in many months I looked back at what was installed and when. Only Canon wireless printer software was installed after the above-mentioned Minecraft until 02/03/2015, at which point the software listed below was installed.

 

 

 

I also have a Canon thing installed: Canon MX410 series MP Drivers. However, I have absolutely no idea where it came from, nor do I have any Canon devices.



#458 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:33 AM

Posted 31 May 2015 - 02:53 AM

If you do not want to be misinterpreted then I suggest not starting a conversation on a forum that you're new to with "come on you should know better than that" :) I have been through every jump in the assembly that is possible after encryption, and I see no hidden gems. But what I post is only my opinions and findings, and can be followed or ignored as needed. Although I will have this tool done tonight, so there may be no reason to run it any longer (keep the files though as you will need your BTC address)


Have you performed a routine backup today?

#459 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:01:33 AM

Posted 31 May 2015 - 03:27 AM

If you do not want to be misinterpreted then I suggest not starting a conversation on a forum that you're new to with "come on you should know better than that" :) I have been through every jump in the assembly that is possible after encryption, and I see no hidden gems. But what I post is only my opinions and findings, and can be followed or ignored as needed. Although I will have this tool done tonight, so there may be no reason to run it any longer (keep the files though as you will need your BTC address)

 

Okay I'm happy to apologize for my poor choice of words since they've offended you and that wasn't the intent. Now that I have a good known copy of my most important files and taken what remains of my backups offline I will be the first to happily test your tool, and I thank you for working on one.

 

Nevertheless I stand by what I said: Telling people to continue to run malware in the hope that it will reverse the encryption because it "can't do any more harm" is not a good idea. Some of us (myself included) have not run the virus to completion. It would continue to encrypt files, and there is no guarantee that come 2 June any of it will be restored.

 

Let's please not make this about ego. Whether I am new to this particular forum or not has nothing to do with it. I came here because this is where the discussion on this malware took root. I am not new to the internet, and despite my bone-headed mistake, I'm not new to computer security basics. Neither do I profess to be an expert in the area as you have seen from the discussion above. I've been lucky enough to avoid having to deal with trojans for around a decade. Disassembling them is not something I'm interested in doing.

Once again, thanks for your work. I was not trying to disparage you.



#460 Kuldaniss

Kuldaniss

  • Members
  • 29 posts
  • OFFLINE
  • Gender:Male
  • Location:Timisoara, Romania
  • Local time:05:33 PM

Posted 31 May 2015 - 03:30 AM

If you do not want to be misinterpreted then I suggest not starting a conversation on a forum that you're new to with "come on you should know better than that" :) I have been through every jump in the assembly that is possible after encryption, and I see no hidden gems. But what I post is only my opinions and findings, and can be followed or ignored as needed. Although I will have this tool done tonight, so there may be no reason to run it any longer (keep the files though as you will need your BTC address)

Wow, are you saying that soon we might be able to decrypt our files? That would be amazing!



#461 Comdark.Bubnix

Comdark.Bubnix

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Location:Indonesia
  • Local time:09:33 PM

Posted 31 May 2015 - 04:28 AM

If you do not want to be misinterpreted then I suggest not starting a conversation on a forum that you're new to with "come on you should know better than that" :) I have been through every jump in the assembly that is possible after encryption, and I see no hidden gems. But what I post is only my opinions and findings, and can be followed or ignored as needed. Although I will have this tool done tonight, so there may be no reason to run it any longer (keep the files though as you will need your BTC address)

Newbie has questions:

1. The virus maker offers to decrypt on 2 June. Is it done online? So the victim must be online at that time on his PC?

2. Is it possible to decrypt using your new tool offline? If possible, victims in my country would prefer using your new tool offline.

3. Where can we find this BTC address?



#462 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:01:33 AM

Posted 31 May 2015 - 04:54 AM

 

If you do not want to be misinterpreted then I suggest not starting a conversation on a forum that you're new to with "come on you should know better than that" :) I have been through every jump in the assembly that is possible after encryption, and I see no hidden gems. But what I post is only my opinions and findings, and can be followed or ignored as needed. Although I will have this tool done tonight, so there may be no reason to run it any longer (keep the files though as you will need your BTC address)

Newbie has questions:

1. The virus maker offers to decrypt on 2 June. Is it done online? So the victim must be online at that time on his PC?

2. Is it possible to decrypt using your new tool offline? If possible, victims in my country would prefer using your new tool offline.

3. Where can we find this BTC address?

 

 

I don't know how Nathan's tool will work but the techniques mentioned here and Solsund's code don't require online access, provided you have downloaded the database of private keys mentioned above. These guys are doing very good work and very quickly. I'd say just be patient and in a few days (perhaps as soon as a day or two) we'll have an experimental version of the tool to play with.



#463 syousef

syousef

  • Members
  • 38 posts
  • OFFLINE
  • Local time:01:33 AM

Posted 31 May 2015 - 05:33 AM

How have you determined whether or not the malware has completed encryption activities?  What about for users who have not, either due to it being performed during off-hours or simply lack of knowledge, halted the process(es) responsible for the file system encryption?  Based on past trends, as well as monitoring the malicious executable (and hooking API calls, or simply observing API calls over time), it does not appear that the executable that Nathan stated must be running/active performs any additional checks or that it has displayed further point-in-time enumeration techniques to further compromise the target device's file system.  I have been running the executable in question and monitoring it.  I have noticed nothing other than calls to the previously-stated domains (i.e. blockchains) to verify whether or not a payment has been submitted.

 

/endrant

 

I understand where you're coming from, though, for sure.  :)  You can't really take anything that is said by someone you don't know as fact, especially posts from members of a forum.

 

But we must make inferences based on the data that we have acquired and analyzed, as well as after reviewing and performing comparisons to historical data/code that has been acquired or observed that was crafted with a similar or equivalent end-goal.  Any advice that I or any other members provide should be taken as such--not immediately interpreted as fact.

 

 

> How have you determined whether or not the malware has completed encryption activities?

 

I never got a popup to pay the ransomware. I killed off the processes, deleted to recycling and ran Malwarebytes before rushing off to work when I noticed them running and before I had noticed the damage done. I then went to work, came home, saw that the photos in a temp directory were unreadable and immediately suspected a crypto virus. Started looking into what exactly I had cleaned off and saw this, then restored the files and renamed so as to make sure I didn't inadvertently start the executables.

 

Looking at the list of files generated by the malware it was clear that the virus had worked its way through external drives mounted at c:\mnt\X where X is a series of old drive letters now mounted in NTFS directories. The mounted drives are a mix of primary copies and some backup copies. The virus did not make its way to D:, E:, F:, G: or H:, which are internal drives with commonly used files. It was still working its way through C: and in particular C:\mnt when I killed it.

 

It's nice to have a 2nd person confirm that the virus is just checking addresses. However as the virus hadn't completed the encryption phase for me, I'd be a bonehead to run it just to see what it would do. I'd bet it'd continue encrypting files and pop up its demand.

 

As an aside I've made 2 mistakes here:

1. Having my backup copies online for a virus to attack. I'm used to defending against disk corruption but this is the first time I've been hit with destructive malware. I have fixed this temporarily by pulling the drives and am going to organise my machine to make it permanent by reorganising them.

2. Using a single machine for everything. I need a dedicated file server with better locked-down security that only presents backup copies to the rest of the network read-only. It can then pull updates to these backups from a staging directory that it presents as writable. Fixing this will be my longer term goal. Doing it wrong could be very bad (e.g. a bad NTFS driver could trash my backups).

 

I am not your typical user. I have 6 internal 2TB drives and until the start of the week 8 external permanently connected drives (a mix of 3 and 4 TB). I have around 6TB of personal data (primary copy only), largely photos but also including receipts, financial stuff etc. Then perhaps another 6-8TB of downloads (primary copy) I've collected over the years including freeware, Linux distros, video tutorials (e.g. Khan Academy put out a complete archive that was 10s of terabytes), astronomy data (about a TB of catalogs) and the like. It's time to be less sloppy if I don't want to lose it!

 

I'm very lucky I didn't lose much more.


Edited by syousef, 31 May 2015 - 05:48 AM.


#464 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:33 AM

Posted 31 May 2015 - 08:07 AM

Locker Unlocker v.1.0.5.0

[Image: locker_unlock.png]

[Image: brute.png]

 

 

Tool Download:
Locker Unlocker v1.0.8.0
Locker Unlocker will decrypt the files infected by "Locker v*" (you can tell if you have Locker if the splash screen has a padlock image on it with an orange BTC logo). The whole key database is included in the decrypter for now, which makes the tool a larger size (a whopping 70 megs), sorry about that; it was just to get the tool out ASAP and will change soon.


Useful information!
This Decrypter version will only work for victims who know their BitCoin Address that the infection gave them. An update will be coming soon which will allow victims without this address to decrypt their files. Please be patient.


 
The steps are as follows:

  • Enter BitCoin Address (Make sure there are no spaces or other characters in your entry! It must only be your BTC Address!)
  • Select your decryption method (List Decryption uses the list the virus created and is the most practical and recommended method. Directory Decryption attempts to decrypt all files in a given directory. Be careful with this method as any non-encrypted files in the folder may be corrupted. There is validation before decryption, but do not rely on it. If you use this method, copy the encrypted files to a new directory and select it.)
  • Select where either your list is (List Decryption Method) or where your Directory is (Directory Decryption)

Extra Options

  • Remove Encrypted files - This option will prevent the tool from creating backups of the encrypted files next to the decrypted files. It is suggested you NOT enable this option the first run.
  • Create Log - This will create a log of all successfully decrypted files and failed files on the desktop.

Good Luck, and please, in the future run a backup system and use a prevention method against these types of infections like CryptoMonitor, CryptoPrevent, or Hitman Alert

 

 

EDIT 05/31/2015: Updated link with new version.

 

EDIT 6/1/2015: Updated link with new version. Added BruteForcing BTC Address

 

EDIT 6/2/2015: Updated link with new version. Added language encoding detection, and verification to Directory Method 


Edited by Nathan, 02 June 2015 - 08:39 AM.

Have you performed a routine backup today?

#465 victek

victek

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:33 AM

Posted 31 May 2015 - 08:18 AM

@ DecrypterFixer

 

Great that you've been able to create a decrypting tool!

 

By the way have you seen this announcement?

 

http://securityaffairs.co/wordpress/37346/cyber-crime/locker-ransomware-db-dump.html


Edited by victek, 31 May 2015 - 08:19 AM.




