Locker ransomware hides until midnight on May 25th and then encrypts your data


78 replies to this topic

#31 Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin

Posted 25 May 2015 - 07:32 PM

> Which is unfortunate but I was wondering about the red text warning at the bottom of the application it says "Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!" Is it worth trying to remove the Locker files or no?


These are just scare tactics to get you to pay the ransom. Never has a ransomware actually erased the key like it threatens to do.


#32 Lehr


Posted 25 May 2015 - 07:49 PM

Interesting, to say the least. It's a shame that people put so much into things of this caliber when they could do so much more if they weren't so hellbent on ruining other people's days.



#33 lemsky


Posted 25 May 2015 - 08:52 PM

I believe it came from MinecraftExtreme that I downloaded from torrent. I have 3 units installed with this with deepfreeze so it automatically installs when pc rebooted/booted. 

 

Things done:

1. remove from lan
2. unfreeze
3. remove minecraft from uninstall programs
4. delete minecraft folder from %appdata%
5. delete rkcl folder
6. freeze
7. restart

after few minutes still pops out :(



#34 cthetruth


Posted 25 May 2015 - 09:03 PM

Guys, it's a time bomb; it could have sat dormant on your computer for months. I don't think it has anything to do with Minecraft. I have full ver and Team Xtreme both on mine and my wife's computer; neither got hit with this. Also flash update if it was from Adobe should not have had it. Also you can't look at what was installed lately on something like this because of the timebomb.



#35 Grinler


Posted 25 May 2015 - 10:47 PM

The support topic has been updated to include all the latest information:

Locker Ransomware Support Topic

#36 Lehr


Posted 25 May 2015 - 11:06 PM

> The support topic has been updated to include all the latest information:
>
> Locker Ransomware Support Topic

 

Okay, I may sound silly when I ask this buuut~... This came to life 24 hours ago, correct? (It's 12:00 AM, May 26th for me) so people that were infected are already having trouble with it, correct?

 

PS: Sorry if my English is poor, my friend let me use their account to ask while they help fix my laptop @_@.


Edited by Lehr, 25 May 2015 - 11:06 PM.


#37 Grinler


Posted 25 May 2015 - 11:18 PM

Yes, this launched on May 25 Midnight (local time for the user)

#38 darkelf13


Posted 25 May 2015 - 11:30 PM

So what should I do? I have work related files that I absolutely have to retrieve...
Is it possible to pay ransom after deleting the virus? (Kept the data files) or should I wait for decryption tool?

#39 dmezh


Posted 25 May 2015 - 11:35 PM

> So what should I do? I have work related files that I absolutely have to retrieve...
> Is it possible to pay ransom after deleting the virus? (Kept the data files) or should I wait for decryption tool?

So far, it seems to be impossible to pay the ransom after deleting the virus. A decryption tool is possible, but unlikely.

I would just pay the ransom. It worked for me and I have my files back.



#40 xyttra


Posted 26 May 2015 - 12:41 AM

I'd say the infecting piece of software is a suspicious Flash Player4.exe

I downloaded it by accidentally clicking on a suspicious non-Adobe link. Also, the day of the infection was May the 19th.



#41 Robo11


Posted 26 May 2015 - 02:12 AM

This ransomware stuff is really getting out of hand. There must be some sort of good way to detect this stuff before your files are gone. I guess offline backups are the best way to go for now.



#42 xyttra


Posted 26 May 2015 - 03:31 AM

Ransomware is threatening us to delete the key to decrypt our files, not the files themselves. But probably that's a bluff too.



#43 CabalCrow


Posted 26 May 2015 - 03:47 AM

 

>> I found 1 .bin file in SysWOW64, it has random name and I don't think that uninfected PCs should have it. Hope someone can check it on unaffected PC.
>
> What's the name of the file? You can submit it here for analysis:
>
> http://www.bleepingcomputer.com/submit-malware.php?channel=3

I submitted it. Also, I found a folder tor in C:\Users\<Name>\AppData\Roaming. It contains 2 files: one is empty (called lock) and the other, called state, says (in Notepad):

 

# Tor state file last generated on 2015-05-25 16:11:32 local time
# Other times below are in UTC
# You *do not* need to edit this file.
 
TorVersion Tor 0.2.5.12 (git-1638b1d1abb2ce7c)
LastWritten 2015-05-25 13:11:32
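
An added triage example, not part of the post above or any BleepingComputer tool: it parses a Tor `state` file like the one quoted and derives the machine's UTC offset from the local-time header and the UTC `LastWritten` field, which helps line the artifact up with other logs. The function names and the `users_root` parameter are assumptions; the sample text is the file content quoted in the post.

```python
import re
from datetime import datetime
from pathlib import Path

# File content as quoted in the forum post above.
SAMPLE_STATE = """\
# Tor state file last generated on 2015-05-25 16:11:32 local time
# Other times below are in UTC
# You *do not* need to edit this file.

TorVersion Tor 0.2.5.12 (git-1638b1d1abb2ce7c)
LastWritten 2015-05-25 13:11:32
"""

TS = "%Y-%m-%d %H:%M:%S"
HEADER = re.compile(r"^# Tor state file last generated on (.+?) local time\s*$", re.M)


def parse_tor_state(text):
    """Return Tor version, UTC write time and the writer's UTC offset."""
    info = {"version": None, "last_written_utc": None, "utc_offset": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "TorVersion":
            info["version"] = value
        elif key == "LastWritten":
            info["last_written_utc"] = datetime.strptime(value, TS)
    m = HEADER.search(text)
    if m and info["last_written_utc"]:
        local = datetime.strptime(m.group(1), TS)
        # Header is local time, LastWritten is UTC: the difference is the
        # timezone offset of the machine that wrote the file.
        info["utc_offset"] = local - info["last_written_utc"]
    return info


def find_tor_state_files(users_root):
    """Yield <profile>/AppData/Roaming/tor/state paths (layout from the post)."""
    for profile in Path(users_root).iterdir():
        candidate = profile / "AppData" / "Roaming" / "tor" / "state"
        try:
            if candidate.is_file():
                yield candidate
        except OSError:
            continue  # unreadable profile: skip rather than abort the sweep


if __name__ == "__main__":
    print(parse_tor_state(SAMPLE_STATE))
```

A `state` file on its own only shows that a Tor client ran under that profile; treat it as a lead to correlate with the other files reported in this thread.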


#44 Naught McNoone


Posted 26 May 2015 - 10:23 AM

> . . . . new ransomware called Locker . . . . dormant until midnight local time on May 25th . . . . activate and encrypt your data files . . . .

 

Just a thought as I was reading everything posted, but is it just coincidence that this went off at midnight on the US Memorial Day?

 

Was it specifically targeted to our American cousins?

 

Tuppance,

 

Naught McNoone



#45 Grinler


Posted 26 May 2015 - 10:29 AM

> Just a thought as I was reading everything posted, but is it just coincidence that this went off at midnight on the US Memorial Day?
>
> Was it specifically targeted to our American cousins?


It's funny you say that. I too noticed the holiday, but went the other way and thought maybe it was released at a time when many companies have limited staff on.

This does have global reach, so definitely not targeted at one country. In fact, some of the first reports on this thread are from outside the US.



