
Locker ransomware hides until midnight on May 25th and then encrypts your data


78 replies to this topic

#16 devileyes921


Posted 25 May 2015 - 04:26 PM

Okay guys, can anyone help guide me on what to do to disinfect my PC from this program, and how do I keep copies of the data files from the malware program and keep them somewhere safe until you guys can find a use for those files?
I still don't know what program to use for disinfection; I'm still a total novice at this.




#17 Captain_ChoCho


Posted 25 May 2015 - 04:27 PM

Hi there,

I don't think that the Minecraft version did this... my gf got the same version but it didn't affect her PC...



#18 darkelf13


Posted 25 May 2015 - 04:27 PM

http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/page-8 so this is a widespread issue right now... I will check this out tomorrow =\

Good luck to us all.



#19 throwaway314


Posted 25 May 2015 - 04:31 PM

throwaway314, to be honest it is not... I play only on LAN. I don't think Java is involved, because I have been playing for a month, so why now?


It activated on May 25th for everyone. It was probably on your computer for a long time and it's only dropped the actual ransom program thing now. Almost everyone I've seen with this (including myself) has had a cracked version of Minecraft on their computer before.

#20 CabalCrow


Posted 25 May 2015 - 04:33 PM

I somehow think it's not TE Minecraft. If it was from them, their forum would be full of people with that problem, but the people on the TE forum are not infested with the virus. Yet I think that there was an infected setup; maybe it was not the official one, but maybe people downloaded an infested one. I will check today if the setup is the problem.



#21 stick_man


Posted 25 May 2015 - 04:33 PM

The only software I could think of that could have caused it is software I installed called "MiniTool Partition Wizard".

Do you play Minecraft, or have you installed it in the past on the infected PC?

Unfortunately, I don't play Minecraft. I have downloaded absolutely 0 games in the past few months.



#22 optimus_prime


Posted 25 May 2015 - 04:38 PM

throwaway314, if it's Minecraft, then I have the original kit. I will scan it now and upload it to virustotal.com.

#23 CabalCrow


Posted 25 May 2015 - 04:43 PM

I found one .bin file in SysWOW64; it has a random name and I don't think that uninfected PCs should have it. Hope someone can check it on an unaffected PC.



#24 Silvix


Posted 25 May 2015 - 05:39 PM

I've fallen victim to this ransomware. Unfortunately I did in fact attempt to download Minecraft from a 3rd party website, in hopes of getting it for free. It looks like it's prepared to erase most of my hard drive, which is unfortunate, but I was wondering about the red text warning at the bottom of the application. It says "Warning any attempt to remove damage or even investigate the Locker softw will lead to immediate destruction of your private key on our server!" Is it worth trying to remove the Locker files or not?



#25 GangXtaZz


Posted 25 May 2015 - 05:56 PM

Don't remove anything yet; the infection won't spread further, and neither will it delete or damage your files more than it has already done.

There are some people currently investigating this, but for now there's not much we know about it.

You can read more about it here: http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/


Edited by GangXtaZz, 25 May 2015 - 06:03 PM.


#26 robby501


Posted 25 May 2015 - 06:05 PM

All I can say is thank heaven for people like Grinler and all others associated with the running of this Site.

If I hadn't signed up to this place, I'd still have viruses, PUP's and malware of all sorts running rampant on my pc which would have rendered it unusable.

Thanks for making us aware of all this. The work you guys and girls do here is utterly priceless.


I'm a rookie and purely recreational PC user. I'm utterly obsessed with security (even though I consider myself a safe and law-abiding internet user!) and run a combo of the following freeware security suites:

Windows Defender/firewall

Malwarebytes Anti-Exploit

Regular scans with SuperAntiSpyware, Zemana, AdwCleaner



#27 GangXtaZz


Posted 25 May 2015 - 06:13 PM

All I can say is thank heaven for people like Grinler and all others associated with the running of this Site.

If I hadn't signed up to this place, I'd still have viruses, PUP's and malware of all sorts running rampant on my pc which would have rendered it unusable.

Thanks for making us aware of all this. The work you guys and girls do here is utterly priceless.


I agree, these guys are awesome!



#28 Silvix


Posted 25 May 2015 - 06:33 PM

Alright, so just wait it out until someone figures it out and releases a fix? I'm fairly new to this ransomware stuff, so is this one new? If so, how new?

Sorry to bombard you guys with questions I just don't want to go through the struggle of wiping my drive and getting everything back.



#29 Pawel03


Posted 25 May 2015 - 07:00 PM

I had Locker 1.7 on my laptop today (Win7). It appeared after a Flash Player update. Microsoft Security Essentials didn't detect it. I also used ComboFix, but it didn't find the virus either.
However, I thought that it may be a good idea to share this with you:


(((((((((((((((((((((((((   Files created from 2015-04-25 to 2015-05-25  )))))))))))))))))))))))))))))))
.
.
2015-05-25 18:45 . 2015-05-25 18:45    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-05-25 16:22 . 2015-05-25 16:22    75888    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1DC79548-7461-4152-8FE8-72EE1CC18DC0}\offreg.1004.dll
2015-05-24 22:00 . 2015-05-25 16:22    --------    d-----w-    c:\programdata\rkcl
2015-05-24 21:21 . 2015-05-03 03:16    12214312    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1DC79548-7461-4152-8FE8-72EE1CC18DC0}\mpengine.dll
2015-05-23 15:16 . 2015-05-23 15:27    --------    d-----w-    c:\users\Pawel\AppData\Local\Eclipse
2015-05-23 15:02 . 2015-03-26 18:15    1187344    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{87F371DB-82F9-4943-B108-5455C026FA99}\gapaengine.dll
2015-05-23 15:02 . 2015-05-03 03:16    12214312    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-05-20 16:40 . 2015-05-20 16:40    --------    d-----w-    c:\users\Pawel\AppData\Local\Microsoft Help
2015-05-20 15:21 . 2015-05-20 15:21    --------    d-----w-    c:\programdata\tor
2015-05-20 15:19 . 2015-05-20 15:19    --------    d-----w-    c:\programdata\Digger
2015-05-18 18:54 . 2015-05-18 18:54    --------    d-----w-    c:\program files (x86)\Common Files\Java
2015-05-18 18:53 . 2015-05-18 18:53    --------    d-----w-    c:\program files (x86)\Java
2015-05-17 22:40 . 2015-05-17 22:40    --------    d-----w-    c:\users\Pawel\AppData\Roaming\Softland
2015-05-17 22:36 . 2015-05-17 22:36    --------    d-----w-    c:\users\Pawel\AppData\Local\Startup
2015-05-17 22:36 . 2015-05-17 22:36    --------    d-----w-    c:\programdata\Softland
2015-05-17 22:35 . 2015-05-17 22:35    --------    d-----w-    c:\program files\Softland
2015-05-17 22:35 . 2015-05-17 22:35    --------    d-----w-    c:\program files (x86)\Softland
2015-05-17 22:34 . 2015-05-17 22:34    --------    d-----w-    c:\programdata\regid.2008-09.org.wixtoolset
2015-05-13 00:53 . 2015-05-01 13:17    124112    ----a-w-    c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-13 00:53 . 2015-05-01 13:16    102608    ----a-w-    c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-05-12 22:05 . 2015-05-05 01:29    342016    ----a-w-    c:\windows\system32\schannel.dll
2015-05-12 22:05 . 2015-05-05 01:12    248832    ----a-w-    c:\windows\SysWow64\schannel.dll
2015-05-12 22:05 . 2015-04-18 03:10    460800    ----a-w-    c:\windows\system32\certcli.dll
2015-05-12 22:05 . 2015-04-18 02:56    342016    ----a-w-    c:\windows\SysWow64\certcli.dll
2015-05-12 21:59 . 2015-04-20 03:17    1647104    ----a-w-    c:\windows\system32\DWrite.dll
2015-05-12 21:59 . 2015-04-20 03:17    1179136    ----a-w-    c:\windows\system32\FntCache.dll
2015-05-12 21:59 . 2015-04-20 02:56    1250816    ----a-w-    c:\windows\SysWow64\DWrite.dll
2015-05-12 21:59 . 2015-04-20 02:11    3204608    ----a-w-    c:\windows\system32\win32k.sys
2015-05-11 16:54 . 2015-05-11 16:54    15872    ----a-w-    c:\windows\system32\novami8.dll
2015-05-11 16:54 . 2015-05-11 16:54    18944    ----a-w-    c:\windows\system32\novamn8.dll
2015-05-01 22:07 . 2015-05-01 21:59    627920    ----a-w-    c:\programdata\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exe
2015-05-01 21:47 . 2015-05-20 15:35    --------    d-----w-    c:\program files\Microsoft Office 15
2015-05-01 17:12 . 2015-05-01 17:12    --------    d-----w-    c:\users\Pawel\AppData\Local\openvr
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Section   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-05-25 16:20 . 2014-07-16 14:36    778416    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2015-05-25 16:20 . 2014-07-16 14:36    142512    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-05-18 18:53 . 2015-02-16 13:17    97888    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2015-05-13 00:55 . 2014-07-10 01:07    140425016    ----a-w-    c:\windows\system32\MRT.exe
2015-04-27 19:04 . 2015-05-12 22:00    44032    ----a-w-    c:\windows\apppatch\acwow64.dll
2015-04-22 17:43 . 2015-02-05 19:43    18178736    ----a-w-    c:\windows\SysWow64\FlashPlayerInstaller.exe
2015-03-26 18:15 . 2014-07-11 19:17    1187344    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2015-03-25 03:24 . 2015-04-22 16:30    3298816    ----a-w-    c:\windows\system32\wucltux.dll
2015-03-25 03:24 . 2015-04-22 16:30    98304    ----a-w-    c:\windows\system32\wudriver.dll
2015-03-25 03:24 . 2015-04-22 16:30    37376    ----a-w-    c:\windows\system32\wups2.dll
2015-03-25 03:24 . 2015-04-22 16:30    35328    ----a-w-    c:\windows\system32\wups.dll
2015-03-25 03:24 . 2015-04-22 16:30    2553856    ----a-w-    c:\windows\system32\wuaueng.dll
2015-03-25 03:24 . 2015-04-22 16:30    191488    ----a-w-    c:\windows\system32\wuwebv.dll
2015-03-25 03:24 . 2015-04-22 16:30    696320    ----a-w-    c:\windows\system32\wuapi.dll
2015-03-25 03:24 . 2015-04-22 16:30    60416    ----a-w-    c:\windows\system32\WinSetupUI.dll
2015-03-25 03:23 . 2015-04-22 16:30    12288    ----a-w-    c:\windows\system32\wu.upgrade.ps.dll
2015-03-25 03:23 . 2015-04-22 16:30    36864    ----a-w-    c:\windows\system32\wuapp.exe
2015-03-25 03:23 . 2015-04-22 16:30    135168    ----a-w-    c:\windows\system32\wuauclt.exe
2015-03-25 03:00 . 2015-04-22 16:30    92672    ----a-w-    c:\windows\SysWow64\wudriver.dll
2015-03-25 03:00 . 2015-04-22 16:30    566784    ----a-w-    c:\windows\SysWow64\wuapi.dll
2015-03-25 03:00 . 2015-04-22 16:30    29696    ----a-w-    c:\windows\SysWow64\wups.dll
2015-03-25 03:00 . 2015-04-22 16:30    173056    ----a-w-    c:\windows\SysWow64\wuwebv.dll
2015-03-25 03:00 . 2015-04-22 16:30    33792    ----a-w-    c:\windows\SysWow64\wuapp.exe
2015-03-23 03:25 . 2015-04-22 16:30    726528    ----a-w-    c:\windows\system32\generaltel.dll
2015-03-23 03:25 . 2015-04-22 16:30    769536    ----a-w-    c:\windows\system32\invagent.dll
2015-03-23 03:24 . 2015-04-22 16:30    419840    ----a-w-    c:\windows\system32\devinv.dll
2015-03-23 03:24 . 2015-04-22 16:30    957952    ----a-w-    c:\windows\system32\appraiser.dll
2015-03-23 03:24 . 2015-04-22 16:30    30720    ----a-w-    c:\windows\system32\acmigration.dll
2015-03-23 03:24 . 2015-04-22 16:30    192000    ----a-w-    c:\windows\system32\aepic.dll
2015-03-23 03:24 . 2015-04-22 16:30    227328    ----a-w-    c:\windows\system32\aepdu.dll
2015-03-23 03:17 . 2015-04-22 16:30    1111552    ----a-w-    c:\windows\system32\aeinv.dll
2015-03-10 03:25 . 2015-04-22 16:30    1882624    ----a-w-    c:\windows\system32\msxml3.dll
2015-03-10 03:21 . 2015-04-22 16:30    2048    ----a-w-    c:\windows\system32\msxml3r.dll
2015-03-10 03:08 . 2015-04-22 16:30    1237504    ----a-w-    c:\windows\SysWow64\msxml3.dll
2015-03-10 03:05 . 2015-04-22 16:30    2048    ----a-w-    c:\windows\SysWow64\msxml3r.dll
2015-03-05 05:12 . 2015-04-22 16:30    404480    ----a-w-    c:\windows\system32\gdi32.dll
2015-03-05 04:05 . 2015-04-22 16:30    311808    ----a-w-    c:\windows\SysWow64\gdi32.dll
2015-03-04 17:34 . 2015-03-04 17:34    280376    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2015-03-04 17:34 . 2014-03-11 07:52    124568    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2015-03-04 04:55 . 2015-04-22 16:25    367552    ----a-w-    c:\windows\system32\clfs.sys
2015-03-04 04:41 . 2015-04-22 16:25    79360    ----a-w-    c:\windows\system32\clfsw32.dll
2015-03-04 04:41 . 2015-05-12 21:57    309248    ----a-w-    c:\windows\apppatch\AppPatch64\AcGenral.dll
2015-03-04 04:41 . 2015-05-12 21:57    103424    ----a-w-    c:\windows\apppatch\AppPatch64\acspecfc.dll
2015-03-04 04:10 . 2015-04-22 16:25    58880    ----a-w-    c:\windows\SysWow64\clfsw32.dll
2015-03-04 04:10 . 2015-05-12 21:57    470528    ----a-w-    c:\windows\apppatch\AcSpecfc.dll
2015-03-04 04:10 . 2015-05-12 21:57    2178560    ----a-w-    c:\windows\apppatch\AcGenral.dll
2015-03-04 04:06 . 2015-05-12 21:57    2560    ----a-w-    c:\windows\apppatch\AcRes.dll
2015-03-03 13:17 . 2010-11-21 03:27    295552    ------w-    c:\windows\system32\MpSigStub.exe
2015-02-25 03:18 . 2015-04-22 16:28    754688    ----a-w-    c:\windows\system32\drivers\http.sys


^^ It comes from my ComboFix log.

 

P.S. The Digger folder was empty. The tor folder wasn't; there were some files including tor.exe.
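An added example, not from this post and not part of ComboFix, that parses entries in the layout of the "Files created" section above and applies one triage heuristic: new top-level ProgramData folders (here rkcl, tor and Digger) that have no same-named Program Files folder in the same list. The sample log is a constructed subset of the entries posted above, and the heuristic is an assumption for illustration, not a rule ComboFix itself applies.

```python
import re
from datetime import datetime

# One ComboFix "Files created" entry:  created . modified  size|--------  attrs  path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
                     r"(-{8}|\d+)\s+([-a-z]{8})\s+(.+?)\s*$")

# Constructed sample: a subset of the entries in the log posted above, same layout
SAMPLE_LOG = r"""
2015-05-25 16:22 . 2015-05-25 16:22    75888    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1DC79548-7461-4152-8FE8-72EE1CC18DC0}\offreg.1004.dll
2015-05-24 22:00 . 2015-05-25 16:22    --------    d-----w-    c:\programdata\rkcl
2015-05-20 15:21 . 2015-05-20 15:21    --------    d-----w-    c:\programdata\tor
2015-05-20 15:19 . 2015-05-20 15:19    --------    d-----w-    c:\programdata\Digger
2015-05-17 22:36 . 2015-05-17 22:36    --------    d-----w-    c:\programdata\Softland
2015-05-17 22:35 . 2015-05-17 22:35    --------    d-----w-    c:\program files\Softland
2015-05-12 22:05 . 2015-05-05 01:29    342016    ----a-w-    c:\windows\system32\schannel.dll
"""

def parse_combofix(text):
    """Parse 'Files created' lines into dicts; non-entry lines (headers, dots) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs[0] == "d",
            "path": path.lower(),
        })
    return entries

PROGDATA = re.compile(r"c:\\programdata\\([^\\]+)$")
PROGFILES = re.compile(r"c:\\program files(?: \(x86\))?\\([^\\]+)$")

def orphan_programdata_dirs(entries):
    """Names of new top-level ProgramData folders with no same-named Program Files folder
    in the list. Heuristic for triage only (an assumption of this example): Softland has an
    installed program and drops out, rkcl/tor/Digger do not; a hit is a lead, not proof."""
    installed = {m.group(1) for e in entries if (m := PROGFILES.match(e["path"]))}
    return [m.group(1) for e in entries
            if e["is_dir"] and (m := PROGDATA.match(e["path"])) and m.group(1) not in installed]

if __name__ == "__main__":
    for name in orphan_programdata_dirs(parse_combofix(SAMPLE_LOG)):
        print("review:", name)
```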



#30 Grinler

Lawrence Abrams (Topic Starter, Admin)

Posted 25 May 2015 - 07:28 PM

I found 1 .bin file in SysWOW64, it has random name and I don't think that uninfected PCs should have it. Hope someone can check it on unaffected PC.


What's the name of the file? You can submit it here for analysis:

http://www.bleepingcomputer.com/submit-malware.php?channel=3



