
Locker ransomware hides until midnight on May 25th and then encrypts your data


78 replies to this topic

#1 Grinler

    Lawrence Abrams

  • Admin
  • 43,300 posts
  • Location:USA

Posted 25 May 2015 - 01:42 PM

A new ransomware called Locker has been discovered that, once installed, lies dormant until midnight local time on May 25th, when it activates and encrypts your data files. Once your files are encrypted it demands 0.1 bitcoin to decrypt them. If payment is not made within 72 hours, the ransom price increases to 1 bitcoin. This ransomware is currently widespread, with global targeting.

 

[Screenshot: Main Locker screen]



Locker appears to be installed via a dropper that creates a daisy-chain installation of various Windows services that ultimately launches the Locker screen. The main dropper will be installed in C:\Windows\Syswow64 under a random name such as twitslabiasends.exe. This file will then create the Steg service, which uses the C:\ProgramData\Steg\steg.exe executable. That executable will then install Tor into C:\ProgramData\Tor and create another service called LDR. The LDR service is associated with C:\ProgramData\rkcl\ldr.exe and will ultimately launch the rkcl.exe program, which displays the Locker interface. Finally, the installation will also delete all Shadow Volume Copies so that you are unable to use them to restore your files. The command used to delete the shadow volume copies is:

vssadmin.exe delete shadows /for=C: /all /quiet

The main screen for the Locker ransomware will include a version number. This version number appears to be random, with titles such as Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. The Locker screen is broken up into four sections labeled Information, Payment, Files, and Status. The Information screen will display the ransom note and information on what has happened to the victim's data. The Payment screen will display the victim's unique bitcoin address and information on how to make payment. The Files screen will load the list of files that have been encrypted, and the Status screen will display payment status information. Screenshots of the Payment and Status screens can be seen below.

 

[Screenshot: Locker Payment Page]



[Screenshot: Locker Status Page]



In the C:\ProgramData\rkcl folder there will be various files created. These files are:
  • data.aa0 - This file contains a list of the encrypted files.
  • data.aa1 - Unknown purpose
  • data.aa6 - The victim's unique bitcoin address
  • data.aa7 - An RSA key similar to:

    <RSAKeyValue><Modulus>rvSUBZItCXDmeBBu01Imy811u41pOSTRDn9+6FpsEvXXfoBrcLgBd5ommgeT5jFRmY1/4vvsd+uXTUOG9FPBtbx1ySB9cv6/+5dU8v4SZTFIkCBIb5nXvYNzmm/lBB5OXOr6B8dkjyEr94LvUUg4B4XyFRjjjoXSUXX6ND0vbt1knN6/mBSIfkvv7XTlS5IBmbxB149t79mFcr9nu1tS9edI6s+sIUB14jFumf5xob1YG5UXOSntBDgkuIso+JXrXvB1ze4Bc7Ec1711Bmy7rfXScxpxXFb7rByZukBN5IomrY+9rTpyC4Df+pvJz/osBS0kSBS+BvIdETT/nKmIYm==</Modulus><Exponent>ImIB</Exponent></RSAKeyValue>

  • data.aa9 - Unknown purpose
  • data.aa9 - The date the ransomware became active.
  • data.aa11 - Unknown purpose
Unfortunately, there is no dropper available at this time, which makes it difficult to fully analyze the infection. Once we receive the dropper, we can provide a more thorough analysis. There is an active support topic here for those who want to ask questions or discuss the Locker ransomware.
 

Locker Ransomware Support Topic


A big thanks to Fabian Wosar of Emsisoft and Nathan Scott for assisting me with the analysis.
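As an added example (not code from the post above or from any of the analysts it names), the script below checks a Windows host for the indicators the post describes: the Steg and LDR services, the paths under C:\ProgramData, the data.aa* state files, unsigned executables in SysWOW64, and process-creation events that record the vssadmin command. The service names, paths and file names are taken from the post. The Sysmon log name and event IDs, the Security event 4688 fallback, and the reading of data.aa7 as .NET RSAKeyValue XML (which RSACryptoServiceProvider.FromXmlString parses) are this example's assumptions, not something the post states.

```powershell
# Added example, not part of the original post. Service names, paths and
# file names come from the post; the Sysmon log name, event IDs and the
# RSAKeyValue assumption for data.aa7 are assumptions made for this example.
#Requires -RunAsAdministrator

$findings = @()

# 1. Services created by the dropper chain (Steg -> LDR).
foreach ($svc in 'Steg', 'LDR') {
    $s = Get-CimInstance Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($s) { $findings += "Service $($s.Name): state=$($s.State) path=$($s.PathName)" }
}

# 2. Files and folders dropped under C:\ProgramData.
$paths = 'C:\ProgramData\Steg\steg.exe',
         'C:\ProgramData\Tor',
         'C:\ProgramData\rkcl\ldr.exe',
         'C:\ProgramData\rkcl\rkcl.exe'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Artifact present: $p" }
}

# 3. Locker state files. data.aa0 lists the encrypted files (preserve it for
#    triage); data.aa7 holds the RSA key in RSAKeyValue XML, which .NET parses
#    directly. PublicOnly=True means the private half never touched this host,
#    so the files cannot be recovered from local state alone.
$rkcl = 'C:\ProgramData\rkcl'
if (Test-Path -LiteralPath $rkcl) {
    Get-ChildItem -LiteralPath $rkcl -Filter 'data.aa*' | ForEach-Object {
        $findings += "State file: $($_.FullName) ($($_.Length) bytes)"
    }
    $keyFile = Join-Path $rkcl 'data.aa7'
    if (Test-Path -LiteralPath $keyFile) {
        try {
            $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
            $rsa.FromXmlString((Get-Content -LiteralPath $keyFile -Raw))
            $findings += "data.aa7: $($rsa.KeySize)-bit RSA key, PublicOnly=$($rsa.PublicOnly)"
        } catch {
            $findings += "data.aa7 present but not parseable as RSAKeyValue XML: $_"
        }
    }
}

# 4. The randomly named dropper sits in SysWOW64 and is expected to be unsigned.
#    Catalog-signed Windows binaries can report NotSigned on older Windows, so
#    compare this list against a known-clean host rather than trusting it alone.
Get-ChildItem -Path 'C:\Windows\SysWOW64\*.exe' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature $($sig.Status): $($_.FullName)"
    }
}

# 5. Evidence of shadow copy deletion. With Sysmon installed, process creation
#    is event ID 1 and the command line is in the message body; match the
#    vssadmin invocation quoted in the post loosely, to catch variants.
$vssPattern = 'vssadmin(\.exe)?\s+delete\s+shadows'
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        Where-Object { $_.Message -match $vssPattern } |
        ForEach-Object {
            $evt = $_
            $cmd = ($evt.Message -split "`r?`n") | Where-Object { $_ -like 'CommandLine:*' }
            $findings += "Shadow copy deletion at $($evt.TimeCreated): $cmd"
        }
} catch {
    $findings += 'No matching Sysmon events or log unavailable; check Security event 4688 (requires command-line auditing) instead'
}

if ($findings.Count) { $findings } else { 'No Locker indicators found' }
```

Run it from an elevated PowerShell prompt on the suspect host before any cleanup: once the rkcl folder is removed, data.aa0 (the list of encrypted files) and data.aa7 (the key material) are gone with it, and both are useful to anyone attempting recovery later.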



#2 DanoNH

    Bleepin' Engineer Geek

  • Security Colleague
  • 4 posts

Posted 25 May 2015 - 01:50 PM

Can't wait to see this one eradicated!  Pure evil, I say! :devil:




#3 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 18,773 posts
  • Location:Quebec, Canada

Posted 25 May 2015 - 01:53 PM

Can we expect new variants that will be set to activate at a later date, now that we're past May 25th?



#4 devileyes921

  • Members
  • 7 posts

Posted 25 May 2015 - 01:58 PM

I really hope you guys find a solution for this ransomware; it ruined most of the data files that I keep with me :(
 



#5 technonymous

  • Members
  • 2,468 posts

Posted 25 May 2015 - 03:38 PM

I thought I would step in here and offer some help. It's likely those unknown exe files are unsigned. With that information you can use Microsoft's Sysinternals security tool sigcheck.exe and output its findings to a text file. This will help narrow down your searches for any strange exe files.

 

Link to sigcheck download.

https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

 

Link on how to use sigcheck.

https://www.microsoftpressstore.com/articles/article.aspx?p=2224373

 

Here's an example once I downloaded and extracted the file in my downloads folder on E: drive.

 

Note the *.exe wildcard and the pipe used to generate an output file of whatever sigcheck finds.

 

E:\Downloads\Sigcheck>sigcheck -u -s -e -a -h C:\Windows\SysWOW64\*.exe > E:\unsigned.txt

 

Hope that helps you all out.

 

~Technonymous



#6 optimus_prime

  • Members
  • 6 posts

Posted 25 May 2015 - 03:58 PM

Hello everyone!

Unfortunately I was infected with this crap... version 3.56. I ran Malwarebytes and I can confirm that it disinfected my PC.

I have the key and the files encrypted list. 

I am making my PC available for analysis. Please tell me what to do. I can also give you TeamViewer access. You have 100% my support!

 

As a measure I uninstalled Flash Player and blocked it in IE, Chrome and Firefox. For me, Flash Player is dead! Adobe... I cannot say how much bad language was flying out of my mouth...


Edited by optimus_prime, 25 May 2015 - 04:02 PM.


#7 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,661 posts
  • Location:At home

Posted 25 May 2015 - 04:03 PM

Hi optimus_prime,

 

do you know how you got infected?

 

regards

myrti



#8 optimus_prime

  • Members
  • 6 posts

Posted 25 May 2015 - 04:08 PM

Hi myrti!

 

Today I came home at 16:45 EET from work; my girl powered on the PC at 12:30 EET and turned on the Minecraft server. She also watched some YouTube videos. I spoke with a friend of mine and he said he suspects Flash Player... We will find out the truth...



#9 darkelf13

  • Members
  • 7 posts

Posted 25 May 2015 - 04:15 PM

Hi,

I spent half a day trying to fix this... I was infected with v3.93... everything as described by others.

I managed to delete all the folders: steg, tor and rkcl, but backed up rkcl.

I have VERY important files and I'm thinking of paying the $25 ransom... Will it work after I deleted the virus??

http://decryptcryptolocker.com/ is not working because it's a different virus...

So what to do =\?

 

No backups or shadow copies =\...


Edited by darkelf13, 25 May 2015 - 04:16 PM.


#10 throwaway314

  • Members
  • 4 posts

Posted 25 May 2015 - 04:17 PM

    Hi myrti!

    Today I came home at 16:45 EET from work; my girl powered on the PC at 12:30 EET and turned on the Minecraft server. She also watched some YouTube videos. I spoke with a friend of mine and he said he suspects Flash Player... We will find out the truth...

Is your copy of Minecraft from TeamExtreme?

Edited by throwaway314, 25 May 2015 - 04:17 PM.


#11 stick_man

  • Members
  • 9 posts

Posted 25 May 2015 - 04:18 PM

Hi all,

 

Unfortunately my computer was infected with Locker v.3.49. The only software I can think of that could have caused it is a program I installed called "MiniTool Partition Wizard".

http://www.partitionwizard.com/resizepartition/resize-fat32-partition.html

I ran it overnight to extend my hard drive, but it didn't do the job at all.



#12 optimus_prime

  • Members
  • 6 posts

Posted 25 May 2015 - 04:18 PM

darkelf13, sorry to hear that! Did you copy the key? And the list of the infected files?

#13 darkelf13

  • Members
  • 7 posts

Posted 25 May 2015 - 04:20 PM

Yes I did.

Also I don't know how I got this... I wasn't watching porn today and the only email/website I opened was from the university.



#14 throwaway314

  • Members
  • 4 posts

Posted 25 May 2015 - 04:20 PM

    The only software I can think of that could have caused it is a program I installed called "MiniTool Partition Wizard".

Do you play Minecraft, or have you installed it in the past on the infected PC?

#15 optimus_prime

  • Members
  • 6 posts

Posted 25 May 2015 - 04:21 PM

throwaway314, to be honest it is not... I play only on LAN. I don't think Java is involved, because I have been playing for a month, so why now?


Edited by optimus_prime, 25 May 2015 - 04:25 PM.




