Locky Ransomware (Lukitus) Support and Help Topic - Lukitus.html


584 replies to this topic

#1 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 February 2016 - 11:34 AM

I haven't seen anyone hit with this yet, but was advised about it by a security firm I'm in contact with. It seems to be copying CryptoWall 4.0's strategy of encrypting the filename, but adds a ".locky" extension. The ransom note left is "_Locky_recover_instructions.txt". According to the VT analysis, it does attempt to delete shadow copies.
 
https://www.reddit.com/r/Malware/comments/45xkn9/any_info_on_locky_ransomware/

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.



#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 16 February 2016 - 11:39 AM


I have advised Grinler and the rest of Security Colleagues who specialize in crypto malware ransomware with a link to this topic.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 16 February 2016 - 11:47 AM

I noticed that with the encrypted filenames listed on VT, each is a 32-character string, but the first 16 characters are the same for all files. This could perhaps be an identifier for the victim. Hopefully that means it is a weaker encryption, at least for the filenames.


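As an added example (not code from this thread, and not one of the BleepingComputer tools linked in the signatures), here is a small Python triage script that puts posts #1 and #3 together: it walks a directory tree, inventories files carrying the ".locky" extension and copies of the "_Locky_recover_instructions.txt" note, and checks whether every 32-hex-character name shares the same first 16 characters. The 16/16 split is the hypothesis from post #3 and is treated as something to test, not as a confirmed format; the note filename and extension come from post #1; the sample tree the script builds is constructed for the demonstration.

```python
"""Triage helper: inventory Locky-style encrypted files and ransom notes.

Added example, not code from the thread or from any BleepingComputer tool.
Assumptions taken from the posts above: encrypted files get the extension
".locky" and a 32-character hexadecimal name whose first 16 characters are
shared across files on one machine (a hypothesis, checked below); the ransom
note is named "_Locky_recover_instructions.txt". The sample tree is constructed.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

RANSOM_NOTE = "_Locky_recover_instructions.txt"
# 32 hex chars + ".locky"; splitting at 16 follows the observation in post #3.
LOCKY_NAME = re.compile(r"^([0-9A-Fa-f]{16})([0-9A-Fa-f]{16})\.locky$")


def scan_tree(root):
    """Walk `root`; return (encrypted file paths, note paths, prefix counter)."""
    encrypted, notes, prefixes = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
                continue
            m = LOCKY_NAME.match(name)
            if m:
                encrypted.append(path)
                prefixes[m.group(1).upper()] += 1
    return encrypted, notes, prefixes


def victim_id(prefixes):
    """Return the shared 16-char prefix if every encrypted file has the same
    one; None if there is none or the set is mixed (more than one infection,
    or the prefix hypothesis does not hold for this sample)."""
    if len(prefixes) == 1:
        return next(iter(prefixes))
    return None


def build_sample_tree():
    """Build a throwaway directory mimicking a hit share (constructed data)."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    prefix = "0123456789ABCDEF"          # constructed victim identifier
    for sub in ("Documents", "Pictures"):
        d = os.path.join(root, sub)
        os.makedirs(d)
        for i in range(3):
            name = f"{prefix}{i:016X}.locky"   # 16-char prefix + 16-char suffix
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"\x00" * 16)
        with open(os.path.join(d, RANSOM_NOTE), "w") as fh:
            fh.write("ransom note text (constructed)\n")
    # A normal file and a look-alike with the wrong name length must be ignored.
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("untouched\n")
    with open(os.path.join(root, "ABCD.locky"), "w") as fh:
        fh.write("not a 32-hex name\n")
    return root


def remove_tree(root):
    """Delete the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


def triage(root):
    """Summarise a scan: counts, the shared prefix (if any) and all prefixes seen."""
    encrypted, notes, prefixes = scan_tree(root)
    return {
        "encrypted": len(encrypted),
        "notes": len(notes),
        "victim_id": victim_id(prefixes),
        "prefixes": dict(prefixes),
    }


if __name__ == "__main__":
    demo = build_sample_tree()
    print(triage(demo))
    remove_tree(demo)
```

Run against a real share, the "prefixes" entry is the useful part: one key confirms the shared-identifier observation for that machine, several keys mean more than one infected host wrote into the share, and the count of notes versus encrypted directories shows how far the encryption got before it was stopped.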


#4 Grinler (Lawrence Abrams, Admin)

Posted 16 February 2016 - 06:11 PM

Yup, I saw this yesterday on reddit as well. Put up an article here:

The Locky Ransomware Encrypts Local Files and Unmapped Network Shares

#5 Smsec (Member)

Posted 18 February 2016 - 02:34 PM

Today I received several fake invoice emails with a .doc that looks to be .locky ransomware. I uploaded them to the Malwr.com Cuckoo sandbox. This one generated a screenshot of a Notepad file, _Locky_recover_instructions.txt, with payment instructions.

 

Here's the link to the analysis: https://malwr.com/analysis/Y2RjOWE2YzUyODRhNDY4NmFkOGY2MDk1NzVkNTZkYmU/



#6 al1963 (Member)

Posted 20 February 2016 - 12:55 AM

There are already encryption cases in the Russian segment with this encoder (Locky Ransomware), in particular on http://forum.esetnod32.ru

 

Example of encrypted files:

https://www.sendspace.com/file/69wn0p

 

Locky registry branch

https://www.sendspace.com/file/4qlveo


Edited by al1963, 20 February 2016 - 01:02 AM.


#7 usuariogt (Member)

Posted 22 February 2016 - 02:21 PM

Hi al1963, can you help me? This is the link... thanks.

https://www.sendspace.com/filegroup/8ZXEq3aY%2BCLgda3zvOGSzSZtEGXkPnaL



#8 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 22 February 2016 - 06:05 PM

As noted by Grinler, the site owner of Bleeping Computer, in this news article:

At this time, there is no known way to decrypt files encrypted by Locky.

 



#9 BloodDolly (Security Colleague)

Posted 23 February 2016 - 10:30 AM

This doesn't seem to be breakable except by dumping their SQL database on the server.



#10 razor92 (Member)

Posted 26 February 2016 - 03:28 AM

We've found the following connection from an infected machine to a locky CNC server.

POST /main.php HTTP/1.1
Host: 91.121.97.170
Content-Length: 55
Connection: Keep-Alive
Cache-Control: no-cache

\xb7\x8e\x92\xf0\xc8\xf1\xf3[7\xa9\xbc\xc4M>\xf0\x13\xad\xfdz
\x00\xe6\xaa.&\xff_m\x8b'\xbce\xca\xc8>\xb1\x1f72\xed\xd0
{\xe8\x00q\xbb\x1a\x19\xa0\x85\x89\xe10\x0f

Who is able to break the URI above? We would like to know what has been sent to the CNC server.

 

Thanks!



#11 razor92 (Member)

Posted 26 February 2016 - 12:21 PM

Nobody? :(



#12 Demonslay335 (Ransomware Hunter, Security Colleague, Topic Starter)

Posted 26 February 2016 - 12:51 PM

@razor92

 

You have to be patient, not everyone has the same timezone as you. Also, not everyone is hawk-eyed on every topic.

 

It looks like hex to me, so I ran that through a converter blindly, and it doesn't look all too helpful without further context.

·ŽðÈñó©¼Äð­ýæªÿ¼ÊȱríÐè» á

All I found was that it pulled up a few samples of the Locky malware itself on Malwr when searching via Google. Afraid I don't know more about how to decipher what it could be at this point.




#13 razor92 (Member)

Posted 26 February 2016 - 04:56 PM

@razor92

 

You have to be patient, not everyone has the same timezone as you. Also, not everyone is hawk-eyed on every topic.

 

It looks like hex to me, so I ran that through a converter blindly, and it doesn't look all too helpful without further context.

·ŽðÈñó©¼Äð­ýæªÿ¼ÊȱríÐè» á

All I found was that it pulled up a few samples of the Locky malware itself on Malwr when searching via Google. Afraid I don't know more about how to decipher what it could be at this point.

Yeah it's from Malwr. I uploaded the sample when it was FUD.

 

I hope there is someone who is able to "decrypt" the piece of code.



#14 tdany92 (Member)

Posted 27 February 2016 - 05:57 PM

 
Hello, recently I was infected with "locky". All my pictures and documents were modified and encrypted. With the help of "Recuva" I managed to bring the names back but cannot decrypt. I got the virus from the mail; both my PC and external HDD were infected. The PC was formatted, but I cannot afford to lose the documents on the hard disk. Do you have any solution? Thank you very much.


#15 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 27 February 2016 - 06:31 PM

Unfortunately, at this time, there is no known way to decrypt files encrypted by Locky.

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. If that is not a viable option and if there is no fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough...meaning that, while decryption of your data seems impossible at the moment, there is always hope that someday there may be a solution, so save the encrypted data and wait until that time.

Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer, has said this...

If you are affected by ransomware and do not plan on paying the ransom, the best bet is to immediately image the drive before doing anything else. Then in the future, if there is a way to decrypt the files, you have everything you may need to do so.





