
LOCKED Ransomware Support and Help Topic - Read_it.txt


91 replies to this topic

#1 shahanna2006 (Member)

Posted 09 January 2016 - 06:38 AM

ransomware .locked

Edited by Grinler, 09 March 2016 - 11:21 PM.
Moved from Crashes/BSODs to General Security - Hamluis.




#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 09 January 2016 - 08:32 AM

Welcome to BC.

Are you saying that a .locked extension has been appended to your files, i.e. <file name>.jpg.locked or <filename>.<original_extension>.locked?

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file.

These are some examples:

HELP_DECRYPT.TXT, HELP_YOUR_FILES.TXT, HELP_TO_DECRYPT_YOUR_FILES.txt
HELP_RESTORE_FILES.txt, HELP_TO_SAVE_FILES.txt, RECOVERY_KEY.txt, DecryptAllFiles.txt
DECRYPT_INSTRUCTIONS.TXT, INSTRUCCIONES_DESCIFRADO.TXT, How_To_Recover_Files.txt
DECRYPT_INSTRUCTION.TXT, HOW_TO_DECRYPT_FILES.TXT, ReadDecryptFilesHere.txt, About_Files.txt, 
FILESAREGONE.TXT, IAMREADYTOPAY.TXT, HELLOTHERE.TXT, READTHISNOW!!!.TXT, SECRETIDHERE.KEY
IHAVEYOURSECRET.KEY, SECRET.KEY, Help_Decrypt.txt, HELP_DECYPRT_YOUR_FILES.HTML
YOUR_FILES.HTML, DecryptAllFiles_<user name>.txt, encryptor_raas_readme_liesmich.txt
DecryptAllFiles_.txt, RECOVERY_FILES.txt, help_decrypt_your_files.html, YOUR_FILES.url
Howto_RESTORE_FILES_.txt, RECOVERY_FILE.TXT, RECOVERY_FILE_.txt, restore_files_.txt
howto_recover_file_.txt, how_recover+****.txt, _how_recover_.txt, recover_file_*****.txt

Note: The (*) represents random characters which some ransom notes names may include.

Once we have identified which particular ransomware you are dealing with, I can direct you to the appropriate discussion topic for further assistance.


Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Simonk1974 (Member)

Posted 09 March 2016 - 02:07 PM

I have the same issue here - files have .locked appended, the desktop background changed to a warning, and there is a read_it.txt on the desktop explaining what to do:

Uh oh.  It looks like your data has been the victim of the encryption thief.  Your files have been encrypted with AES: search your drive for "locked" if you don't believe me .  Unfortunately you're going to have to pay some money to get your files back and your fee is approximately $200 in US Dollars.  I'll get right to the ugly details for that:

* You have 72 hours to make this happen as of 9/03/2016 8:36:32 AM.  Otherwise, your files are lost for good.  I will delete the necessary code for all time and I don't even have to revisit your machine to do it.
* You will be paying by Bitcoin.  Don't worry, it is easy to figure out.  Your fee is xxxxxxxxxxx BTC.  Pay this amount precisely, or I might not know who it was that paid in order to rescue them.
* Use LocalBitcoins.com.  It isn't hard to use, there are numerous ways to pay for my bitcoins on there, and most importantly, it is fast.  Did I mention you have 72 hours?
* The address you will be sending the bitcoins to is 192awRvM4V8LS24GSHj6o3v2fVQ5QYh4pB .
* Then you will wait for me to get the unlock code for you.  Your code will be shown here, http://let-me-help-you-with-that.webnode.com/ , under the amount you paid.  This may take a day or so: you are on my schedule now :P
* Once you have the code, you can unlock your files as follows:
*** Go to your Start Menu
*** In the search field, type "cmd".
*** Right click the cmd program.
*** Click Run As Administrator (doesn't have to be but files might be missed otherwise)
*** Click Yes to allow it to run like that.
*** Type "cd C:\Users\simon"
*** Type "Decrypter.exe <Your Code>"

The figure xxxxxx is over $250 AUD.

Trying the Kaspersky Rakhni decryptor: it says it found the decrypt key and is decrypting, but all the files it decrypts are unreadable (I chose not to delete originals). I found this in the registry, which does not look right:

[HKEY_CURRENT_USER\SOFTWARE]
"8W47D3WiEkslBWpEiER4rg=="="kvIoscw8kHpM7oC4RcbDdQ=="
"evsHLA7eYt6tyktXx8MxhQ=="="WuW95hJv2Wh4SE2on0oMnA=="
"xO0eNQHkfaU9zLEHUdPhYQ=="="nXDiXSpwujDWj2S/xq5d1g=="
"W6OH4utRs22Ms49IBkov0A=="="InY4X/Yk1Kaxd/ZBNu0LpA=="
"PTH"="C:\\Users\\simon\\AppData\\Roaming\\svchost.exe"
"MTX"="2d59ba57c7a364f6453cfac27038f89b3f0a6d44"
"PRC"="10768"
"U3vkERNwC1HbQPw86oBWtA=="="zCEBcpy2cyywy6exBTK/rw=="
"dhKcjZFO/B/XlllOLiPLNw=="="MMkJLJal6F9zJPSUf8rTwyLr+JU5jd0MNoITIlN0G+qCbr+ZYCeUFLiA4lZN5GgLIvvoP2Mr8cphlVMqiu2G3PIWhlhu+gGlgHiBpXDxUyw="
"H/zNt4Gqyzw+Tj0v9MuuVw=="="SYzUjb4EIdGTbTgWawkZCxPf/U/FoUTypSNL4w78a2U="
"DfvYUq32smB94ebUL8Nen4HIndU+NU6DOmPqvvoRlg0="="aj+9oTVUQJe/FfelOWac3kEByZ1Wbfsn+yHZuXNlKoOJ0U1K4CJLTzKMSbq6Wna9"
"yygGf/MYEUfmlEhe2r/Wjw=="="rktRSxWhm01vXQk9ujaTrw=="

Checked for files in the Program Data folder and there is nothing??

HELP ME PLEASE!!!!

 



#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 02:19 PM

This sounds like it could potentially be new. I'm only aware of the EDA2 and HiddenTear projects using the ".locked" extension. The wording is different than the ransom notes they dropped by default, but since they were open-source projects, someone could have modified them. Otherwise, could be completely different.
 
We'll need sample files (preferably PNG), including clean copies if you can. Then, we need to find a sample of the malware for analysis.
 
Please run HitmanPro and upload the log (skip deletion of infections for now, we want a sample before cleaning it out) to a sharing service such as PasteBin or SendSpace, and post the link here for checking.
 
Also, if you could submit the Decrypter.exe. Please submit it to the submission links here and here with a link to this topic. If you could also upload it to SendSpace and send me a PM (do not post it here), I can try taking a look at if the decrypter gives any clues on the encryption scheme used.


Edited by Demonslay335, 09 March 2016 - 02:20 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 02:22 PM

I think I found a sample on Malwr.

 

https://malwr.com/analysis/ZWEzM2I4OTA3NDZhNGZjZThmNDEzMGMyNGFiYTYzOWQ/




#6 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 02:33 PM

I've decompiled the malware, and it looks to be based on EDA2. I'm not seeing a weakness so far, but I'll let Fabian/Nathan be the judge on that.




#7 MalwareBlocker (Member)

Posted 09 March 2016 - 02:59 PM

Demonslay335, you are right.

The creator of EDA2 is working on it right now: https://twitter.com/utku1337/status/707656700187254784 Hopefully he can help.



#8 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 02:59 PM

Here's a complete list of file types it scans for. It is hard-coded to attack drive letters mapped C-K, nothing more sophisticated. It looks like it skips files larger than 1GB, and the Windows directory. Encryption is done with AES using a cryptographically strong, randomly generated 32-character string, and the key is protected with RSA-2048 before being sent to their server. The ransom note dropped is called "READ_IT.txt", and is dropped on the desktop.

Here's the background it sets.

http://i.imgur.com/By3yCwd.jpg

".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pps", ".ppt", ".pptx", ".odt", ".gif", ".jpg", ".png", ".db", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".frm", ".myd", ".myi", ".dbf", ".mp3", ".mp4", ".avi", ".mov", ".mpg", ".rm", ".wmv", ".m4a", ".mpa", ".wav", ".sav", ".gam", ".log", ".ged", ".msg", ".myo", ".tax", ".ynab", ".ifx", ".ofx", ".qfx", ".qif", ".qdf", ".tax2013", ".tax2014", ".tax2015", ".box", ".ncf", ".nsf", ".ntf", ".lwp"

 
@MalwareBlocker
 

Thanks, I sent him the sample and server probably 15 minutes before that tweet.


Edited by Demonslay335, 09 March 2016 - 03:01 PM.

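An added triage script for the indicators this post and Simonk1974's registry dump above describe (example code written for this page; it is not one of the tools linked in the signatures and not the sample's own code). It classifies a directory listing by the targeted extension list, the appended .locked extension and the READ_IT.txt note, reports encrypted files per drive against the hard-coded C to K scope, and parses a .reg export for the PTH/MTX/PRC values under HKCU\SOFTWARE. The listing and registry text are constructed from the paths and value names shown in the thread; what MTX and PRC hold is not stated anywhere in the thread, so the script only reports them as present.

```python
r"""Triage the indicators this thread ties to the .locked / READ_IT.txt sample.
Added example: not one of the tools linked in the thread and not the malware's
code. It applies what the posts state: the targeted-extension list and the
hard-coded C through K drive scope from Demonslay335's analysis, READ_IT.txt on
the desktop, and the HKCU\SOFTWARE values (PTH, MTX, PRC) from Simonk1974's
registry dump. Inputs below are constructed; on a live host feed it 'dir /s /b'
output and a 'reg export HKCU\SOFTWARE' file.
"""
import re
from collections import Counter

# Extension list from the decompiled sample, as posted in the thread.
TARGET_EXTS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".pps", ".ppt", ".pptx", ".odt",
    ".gif", ".jpg", ".png", ".db", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
    ".aspx", ".html", ".xml", ".psd", ".frm", ".myd", ".myi", ".dbf", ".mp3", ".mp4",
    ".avi", ".mov", ".mpg", ".rm", ".wmv", ".m4a", ".mpa", ".wav", ".sav", ".gam",
    ".log", ".ged", ".msg", ".myo", ".tax", ".ynab", ".ifx", ".ofx", ".qfx", ".qif",
    ".qdf", ".tax2013", ".tax2014", ".tax2015", ".box", ".ncf", ".nsf", ".ntf", ".lwp",
}
ATTACKED_DRIVES = set("CDEFGHIJK")  # the sample only walks C: through K:
NOTE_NAME = "read_it.txt"
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=value line of a .reg file

def classify_path(path):
    """Return 'ransom_note', 'encrypted', 'locked_other_ext' or None for one path."""
    p = path.replace("/", "\\")
    name = p.rsplit("\\", 1)[-1].lower()
    if name == NOTE_NAME and "\\desktop\\" in p.lower():
        return "ransom_note"
    if name.endswith(".locked"):
        stem = name[:-len(".locked")]
        orig_ext = stem[stem.rfind("."):] if "." in stem else ""
        # Only listed extensions were encrypted by this sample; anything else needs a look.
        return "encrypted" if orig_ext in TARGET_EXTS else "locked_other_ext"
    return None

def parse_reg_export(text):
    """Minimal .reg parser: [KEY] headers and "name"="string" lines only."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _REG_VALUE.match(line) if key else None
        if m:
            val = m.group(2)
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            values.setdefault(key, {})[m.group(1)] = val
    return values

def registry_findings(values):
    """Flag the HKEY_CURRENT_USER value set shown in the thread's registry dump."""
    sw = values.get("HKEY_CURRENT_USER\\SOFTWARE", {})
    findings, pth = [], sw.get("PTH", "")
    if re.search(r"\\AppData\\Roaming\\svchost\.exe$", pth, re.IGNORECASE):
        findings.append("PTH names a system-binary lookalike in a user profile: " + pth)
    if {"PTH", "MTX", "PRC"} <= set(sw):  # meaning of MTX/PRC unknown; presence only
        findings.append("PTH/MTX/PRC triple present under HKCU\\SOFTWARE")
    b64_names = [v for v in sw if len(v) >= 20 and len(v) % 4 == 0
                 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", v)]
    if b64_names:
        findings.append("%d base64-looking value names under HKCU\\SOFTWARE" % len(b64_names))
    return findings

def triage(listing, reg_text):
    """Summarise file and registry indicators for one host."""
    counts, per_drive, outside = Counter(), Counter(), []
    for path in listing:
        cls = classify_path(path)
        if cls is None:
            continue
        counts[cls] += 1
        if cls == "encrypted":
            drive = path[0].upper() if len(path) > 1 and path[1] == ":" else "?"
            per_drive[drive] += 1
            if drive not in ATTACKED_DRIVES:  # outside this sample's hard-coded scope
                outside.append(path)
    return {"counts": dict(counts), "encrypted_per_drive": dict(per_drive),
            "encrypted_outside_C_to_K": outside,
            "registry": registry_findings(parse_reg_export(reg_text))}

# Constructed inputs modelled on the paths and value names shown in the thread.
SAMPLE_LISTING = [
    r"C:\Users\simon\Desktop\READ_IT.txt",
    r"C:\Users\simon\Pictures\holiday.jpg.locked",
    r"C:\Users\simon\Documents\budget.xlsx.locked",
    r"C:\Users\simon\Downloads\archive.7z.locked",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\backup\family.ged.locked",
    r"E:\projects\site\index.php.locked",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE]
"8W47D3WiEkslBWpEiER4rg=="="kvIoscw8kHpM7oC4RcbDdQ=="
"evsHLA7eYt6tyktXx8MxhQ=="="WuW95hJv2Wh4SE2on0oMnA=="
"PTH"="C:\\Users\\simon\\AppData\\Roaming\\svchost.exe"
"MTX"="2d59ba57c7a364f6453cfac27038f89b3f0a6d44"
"PRC"="10768"
"DfvYUq32smB94ebUL8Nen4HIndU+NU6DOmPqvvoRlg0="="aj+9oTVUQJe/FfelOWac3kEByZ1Wbfsn+yHZuXNlKoOJ0U1K4CJLTzKMSbq6Wna9"
'''
```

triage(SAMPLE_LISTING, SAMPLE_REG) returns the counts per class, the encrypted-file count per drive, any .locked file on a drive letter this sample never touches (which would point at a different infection or a mapped share), and the registry findings. The .reg parser is deliberately narrow: the value names in the dump contain "=" characters, so splitting on the first "=" would break them, hence the quoted-name regex.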


#9 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 03:11 PM

Lol, the decrypter sets this as the background once you've paid and all.

 

http://i.imgur.com/eROA81P.jpg

 

Their decrypter is destructive and does not backup files, or even check if the entered key is correct, just like the original project. If you enter the wrong key, or have a copy/paste fail, your data could be irreversibly corrupted.




#10 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 03:15 PM

@Simonk1974 and @shahanna2006
 
Please post sample encrypted files. I want to test something.



#11 MalwareBlocker (Member)

Posted 09 March 2016 - 03:17 PM

> Lol, the decrypter sets this as the background once you've paid and all.
>
> http://i.imgur.com/eROA81P.jpg

Looks better than the one it sets after encrypting. :)

> Their decrypter is destructive and does not backup files, or even check if the entered key is correct, just like the original project. If you enter the wrong key, or have a copy/paste fail, your data could be irreversibly corrupted.

Someone should create a better one. Maybe Utku?

> @MalwareBlocker
>
> Thanks, I sent him the sample and server probably 15 minutes before that tweet.

And he got it? Because he asked for a sample some tweets before.



#12 Simonk1974 (Member)

Posted 09 March 2016 - 03:22 PM

I have uploaded the decrypter using the links, and the log is here:

https://www.sendspace.com/file/nvlgbw

and a sample png:

https://www.sendspace.com/file/vtyher

I cannot find originals of any of the files - it deleted all shadow copies / previous versions on my drives C, D and E. All responses here are what I am seeing at this end. Thanks for your help - fingers crossed.



#13 Simonk1974 (Member)

Posted 09 March 2016 - 03:25 PM

I started running the decrypter and it looked like it was doing something, but it did not change any files or delete anything, so I cancelled it.



#14 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 09 March 2016 - 03:32 PM

 

> Their decrypter is destructive and does not backup files, or even check if the entered key is correct, just like the original project. If you enter the wrong key, or have a copy/paste fail, your data could be irreversibly corrupted.
>
> Someone should create a better one. Maybe Utku?
>
> > @MalwareBlocker
> >
> > Thanks, I sent him the sample and server probably 15 minutes before that tweet.
>
> And he got it? Because he asked for a sample some tweets before.

I sent him the Malwr samples at 1:40PM my time (CST). I have a version of the HT decrypter I modified that is a bit better, but isn't as safe as I'd like it for full public release. Still seems to be much better, as it doesn't hang, gives progress, and lets you select a directory versus blindly attempting all drives.

> I started running the decrypter and it looked like it was doing something, but it did not change any files or delete anything, so I cancelled it.

The decryptor requires the password to be passed at the command line. I really hope you did not corrupt your data by running it natively - it does no check to see if you actually passed it a password.




#15 utku1337 (Member)

Posted 09 March 2016 - 03:37 PM

It's an EDA2 variant. I retrieved the private keys from the C&C server by using my backdoor (it's still up: 23.227.199.175).

Affected PC names (total=656): http://utkusen.com/pc.txt

Keys: http://utkusen.com/keys.zip

The keys file has both the private key and the encrypted AES key. It can be decrypted with this code (taken from EDA2's admin panel; requires phpseclib):

<?php
// phpseclib 1.x (Crypt_RSA) is expected under lib/
set_include_path(get_include_path() . PATH_SEPARATOR . 'lib');
include('lib/Crypt/RSA.php');

$rsa = new Crypt_RSA();

// From the keys file: the <RSAKeyValue>...</RSAKeyValue> block, then the base64 text that follows it
$privatekey = "private key here";
$ciphertext = "encrypted text here";

// The AES key was encrypted with PKCS#1 v1.5 padding; phpseclib defaults to OAEP, so set it explicitly
$rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
// loadKey() recognises the .NET XML (<RSAKeyValue>) private key format
if (!$rsa->loadKey($privatekey)) {
    die("could not parse private key\n");
}

$aeskey = $rsa->decrypt(base64_decode($ciphertext));
if ($aeskey === false) {
    die("decryption failed: wrong key or corrupt ciphertext\n");
}
echo $aeskey . "\n";

The private key starts with "<RSAKeyValue>" and ends with "</RSAKeyValue>"; the string that comes after "</RSAKeyValue>" is the encrypted text.

The decrypted text will be your AES key. You can use it to decrypt your files with the decrypter program.

However, I'm really busy these days and can't decrypt all of them. If there is someone who can automate the process, it will be great.

Hidden Tear's decrypter will work on this. Only the directory section needs to be changed. I can compile a proper one on Friday.


Edited by utku1337, 09 March 2016 - 03:53 PM.
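The procedure utku1337 describes, as an added stand-alone example (not the PHP above and not EDA2's admin-panel code): the .NET-style <RSAKeyValue> private key is parsed out of a keys-file entry, the base64 text after </RSAKeyValue> is RSA-decrypted with PKCS#1 v1.5 unpadding, and the plaintext is the AES key. It is plain standard-library Python, so it needs no phpseclib. It assumes the entry layout the post gives (XML key followed directly by the base64 ciphertext) and PKCS#1 v1.5 padding, matching CRYPT_RSA_ENCRYPTION_PKCS1 in the PHP; make_demo_entry() and the 512-bit demo key are constructed here so the block runs offline, whereas the real keys are RSA-2048.

```python
"""Recover the per-victim AES key from an EDA2 keys-file entry.
Added example (not the page's PHP, not EDA2's or utku1337's code): a stdlib
reimplementation of what the phpseclib snippet does. Assumed from the post: an
entry is the <RSAKeyValue> XML key immediately followed by the base64 ciphertext,
the padding is PKCS#1 v1.5, and the plaintext is the AES key string.
make_demo_entry() fabricates such an entry with a small key so this runs offline.
"""
import base64
import secrets
import xml.etree.ElementTree as ET

def _b64_to_int(text):
    return int.from_bytes(base64.b64decode(text), "big")

def _int_to_b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

def split_keys_entry(entry):
    """Split '<RSAKeyValue>...</RSAKeyValue>' from the base64 text after it."""
    entry, tag = entry.strip(), "</RSAKeyValue>"
    end = entry.find(tag)
    if not entry.startswith("<RSAKeyValue>") or end < 0:
        raise ValueError("entry does not start with an RSAKeyValue block")
    end += len(tag)
    return entry[:end], entry[end:].strip()

def parse_rsa_keyvalue(xml_text):
    """Return (n, d) from RSA.ToXmlString(true) output (.NET's XML key layout)."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue" or root.find("D") is None:
        raise ValueError("not an RSAKeyValue private key")
    return _b64_to_int(root.findtext("Modulus")), _b64_to_int(root.findtext("D"))

def rsa_pkcs1v15_decrypt(key, ciphertext):
    """Textbook RSA, then EME-PKCS1-v1_5 unpadding (RFC 8017 section 7.2.2)."""
    n, d = key
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= n:
        raise ValueError("ciphertext does not match the modulus size")
    em = pow(c, d, n).to_bytes(k, "big")
    # Layout: 0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || message
    sep = em.find(b"\x00", 2)
    if em[0] != 0 or em[1] != 2 or sep < 10:
        raise ValueError("bad PKCS#1 v1.5 padding: wrong key or corrupt entry")
    return em[sep + 1:]

def recover_aes_key(entry):
    """End to end, what the phpseclib snippet in the thread does."""
    xml_key, b64_ct = split_keys_entry(entry)
    return rsa_pkcs1v15_decrypt(parse_rsa_keyvalue(xml_key),
                                base64.b64decode(b64_ct)).decode("utf-8")

# Demo-only key generation so the block is self-contained; not a real keygen.
def _is_probable_prime(n, rounds=32):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def make_demo_entry(aes_key, bits=512):
    """Build one keys-file entry the way the C&C stores it, at demo key size."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n = p * q
        if p != q and n.bit_length() == bits and (p - 1) * (q - 1) % e:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = (("Modulus", n), ("Exponent", e), ("P", p), ("Q", q), ("DP", d % (p - 1)),
              ("DQ", d % (q - 1)), ("InverseQ", pow(q, -1, p)), ("D", d))
    xml_key = "<RSAKeyValue>%s</RSAKeyValue>" % "".join(
        "<%s>%s</%s>" % (t, _int_to_b64(v), t) for t, v in fields)
    k, msg = bits // 8, aes_key.encode("utf-8")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))  # non-zero PS
    em = b"\x00\x02" + ps + b"\x00" + msg
    ct = pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")
    return xml_key + base64.b64encode(ct).decode()

if __name__ == "__main__":
    print(recover_aes_key(make_demo_entry("Q7m2ZpL9vX4tR8nK1sW6yB3dH0fJ5cG2")))  # constructed key
```

A wrong private key or a corrupt entry fails the padding check and raises instead of returning garbage, which is exactly the check the thread says Decrypter.exe lacks: recover and sanity-check the 32-character key here first, and only then pass it to a decrypter, on copies of the files.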




