
Locker Ransomware Support and Help Topic


636 replies to this topic

#466 Nathan

    DecrypterFixer

  • Security Colleague

Posted 31 May 2015 - 08:07 AM

Locker Unlocker v.1.0.5.0
 

Tool Download:
Locker Unlocker v1.0.8.0
Locker Unlocker will decrypt the files infected by "Locker v*" (you can tell if you have Locker if the splash screen has a padlock image on it with an orange BTC logo). The whole key database is included in the decrypter for now, which makes the tool a larger size (a whopping 70 megs), sorry about that. It was just to get the tool out ASAP and will change soon.


Useful information!
This Decrypter version will only work for victims who know the BitCoin Address that the infection gave them. An update will be coming soon which will allow victims without this address to decrypt their files. Please be patient.


 
The steps are as follows:

  • Enter BitCoin Address (Make sure there are no spaces or other characters in your entry! It must only be your BTC Address!)
  • Select your decryption method (List Decryption uses the list the virus created and is the most practical and recommended method. Directory Decryption attempts to decrypt all files in a given directory. Be careful with this method, as any non-encrypted files in the folder will possibly be corrupted. There is validation before decryption, but do not rely on it. If you use this method, copy the encrypted files to a new directory and select it.)
  • Select where either your list is (List Decryption Method) or where your Directory is (Directory Decryption)

Extra Options

  • Remove Encrypted files - This option will prevent the tool from creating backups of the encrypted files next to the decrypted files. It is suggested you NOT enable this option the first run.
  • Create Log - This will create a log of all successfully decrypted files and failed files on the desktop.

Good luck, and please, in the future run a backup system and use a prevention method for these types of infections, like CryptoMonitor, CryptoPrevent, or Hitman Alert.

 

 

EDIT 05/31/2015: Updated link with new version.

 

EDIT 6/1/2015: Updated link with new version. Added BruteForcing BTC Address

 

EDIT 6/2/2015: Updated link with new version. Added language encoding detection, and verification to Directory Method 


Edited by Nathan, 02 June 2015 - 08:39 AM.

Have you performed a routine backup today?


#467 victek


Posted 31 May 2015 - 08:18 AM

@ DecrypterFixer

 

Great that you've been able to create a decrypting tool!

 

By the way have you seen this announcement?

 

http://securityaffairs.co/wordpress/37346/cyber-crime/locker-ransomware-db-dump.html


Edited by victek, 31 May 2015 - 08:19 AM.


#468 quietman7

    Bleepin' Janitor

  • Global Moderator

Posted 31 May 2015 - 08:39 AM

We have a discussion topic about that announcement here: "Locker" Ransomware Author Allegedly Releases Database of Private Keys

#469 Vladelos


Posted 31 May 2015 - 08:41 AM

Looks like the program doesn't work for me. I don't get it.

I use the Payment Address, it allows me to go to the next step, I choose File Location, choose a file and press Start, but after that I get this: http://imgur.com/7oewZ2D,QREEJ1F



#470 syousef


Posted 31 May 2015 - 08:42 AM

Thank you Nathan. I did a test on a copy of 43 files in my tmp directory. 3 failed. Would it do you any good for me to upload these?

 

--- Locker Decryption Report _ DecrypterFixer ---
 
Total Files Processed: 43
Total Files Decrypted: 40
Total Time Elapsed: 0:0:8


#471 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin

Posted 31 May 2015 - 08:50 AM

Were the other 40 files decrypted properly?

#472 syousef


Posted 31 May 2015 - 09:12 AM

Were the other 40 files decrypted properly?

 

Yes and I have had success with actual lost files now too. (Walter Lewin Physics lectures, no longer available on MIT site).

 

I haven't been able to get list decryption to work. But folder/directory definitely does.

 

There's also some improvement to be made to the interface. I have to keep restarting. 

 

Nathan has done a fantastically great job with a very fast turnaround. These are minor things he can improve (though required for large scale practical use). The real work has been done though.



#473 johnnie_walker


Posted 31 May 2015 - 09:29 AM

Nathan...... i just wanna say a thousand thanks to you if you read this.......i wish i can be like u....you're so legendary for me......with your software i save my 15gb jpg files!!! although a few only error...this is just a winning situation for me....if you play dota2 pm me i will give you some of my set to you as an appreciation....and sorry for my bad english....



#474 syousef


Posted 31 May 2015 - 09:37 AM

Nathan...... i just wanna say a thousand thanks to you if you read this.......i wish i can be like u....you're so legendary for me......with your software i save my 15gb jpg files!!! although a few only error...this is just a winning situation for me....if you play dota2 pm me i will give you some of my set to you as an appreciation....and sorry for my bad english....

 

Did you just run it on the entire directory? Or were you able to use the list of files option? I haven't been able to get that to work, and since I've done partial recovery it's the only one that makes practical sense for me, as that is what I have - a list of files I haven't been able to restore.



#475 sveed


Posted 31 May 2015 - 09:45 AM

First of all, thank you Nathan and the many others involved in helping us fight this evil nasty thing.

 

Well, I had my computer infected and some files encrypted with this ransom locker. I have downloaded and installed the Locker Unlocker, but it seems to work only when I choose to run directory decryption. So far I have edited the list of files and removed a few unnecessary files that were there and left just the really important files I have to restore, but it didn't work either. I hope this bug is fixed in a future version, because there are so many files encrypted and the directory method is not efficient in such a case.

 

Anyway, thank you very much for your efforts.



#476 evil-doer


Posted 31 May 2015 - 09:56 AM

So I just ran the program in file list mode, since I did not delete the data files that were created (figured they may be important for something like this). And after hitting start, immediately something popped up that said successful or something? But now it's sitting there with the start button "greyed out" and a wait animation circle spinning, and it says status idle.

 

Also says encrypted files found: 0   files decrypted:0

 

And there is no log.


Edited by evil-doer, 31 May 2015 - 09:58 AM.


#477 syousef


Posted 31 May 2015 - 09:57 AM

I'm finding other things are decrypting properly.

 

Unless I find other files that can't be decrypted I'm going to guess that the files in my temp directory that wouldn't decrypt were corrupt to begin with. I can't be sure so Nathan if you'd like a copy of these files let me know.

 

I need to get to bed. I can't be a zombie at work 2 weeks in a row.



#478 jeyegz


Posted 31 May 2015 - 10:04 AM

Hello Nathan, how can I make the program run by looking at the list that is encrypted?

#479 syousef


Posted 31 May 2015 - 10:07 AM

I don't think list mode is working. I haven't seen anyone say they've had it work.

 

Despite Nathan's warning, a few people have gone ahead and pointed it at a directory with a mixture of encrypted and non-encrypted files. I think it's safer to wait for him to release a version with it fixed.

 

Nathan's response has been very very fast. Let's give him some time.



#480 Nathan

    DecrypterFixer

  • Security Colleague

Posted 31 May 2015 - 10:45 AM

Locker Unlocker Update:

 

The list mode now works correctly, and the screen freezing or failing has been fixed.

 

The application was freezing from files with a few chars in other langs (like ñ). This is now detected and will let you know at the end that there may be some files that need to be renamed.

 

You should be able to run the decrypter in list mode successfully.

 

Good luck.

