Powerware Locky Ransomware Help & Support Topic - .locky _HELP_instructions.html



#1 Grinler (Lawrence Abrams)
  • Admin
  • 43,540 posts
  • Gender:Male
  • Location:USA

Posted 23 July 2016 - 11:51 AM

The Unit 42 Palo Alto Networks Threat Intelligence Team discovered a new PowerWare Ransomware variant that pretends to be Locky. When installed, the PowerLocky executable will extract and execute a PowerShell script located at %USERPROFILE%\AppData\Local\Temp\Quest Software\PowerGUI\51daca6d-6a9a-44c8-9717-f8cc5c68d10e\fixed.ps1.

Once executed, the ransomware will scan all drives for certain file types and encrypt them using AES encryption. When a file is encrypted, it will have the .locky extension appended to the filename. In each folder that a file is encrypted, it will create the _HELP_instructions.html ransom note, which impersonates the ransom notes left by Locky.

File types targeted by this ransomware are:
 
.docx, .xls, .pdf, .xlsx, .mp3, .jpeg, .jpg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .r00, .r01, .r02, .r03, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .mm6, .mm7, .mm8, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .iso, .isz, .md0, .md1, .md2, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, 
.pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .t01, .t03, .t05, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .8ba, .8bc, .8be, .8bf, .8bi8, .bi8, .8bl, .8bs, .8bx, .8by, .8li, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .md3, .1cd
A decryptor has been made by Michael Gillespie that can decrypt this particular variant of PowerWare. The decryptor can be found here: http://www.bleepingcomputer.com/download/powerlockydecrypter/.
 


[Image: PowerWare Locky Ransom Note]

[Image: PowerWare Locky Decryptor]

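As an added illustration (not the thread's decryptor and not Unit 42's code), a small Python triage that applies the file-naming behaviour described in this post to a directory listing: it separates PowerLocky's original-name-plus-.locky files from the 32-hex-character names the real Locky produces (an assumption of mine; the thread only says the decrypter can tell the two apart), and lists folders holding encrypted files but no _HELP_instructions.html note. The sample listing is constructed.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Added illustration, not the thread's decrypter. Assumptions: PowerLocky appends .locky
# to the ORIGINAL name (report.docx -> report.docx.locky) and leaves _HELP_instructions.html
# in each folder it touched (post #1); the real Locky instead replaces the whole name with
# 32 hex characters, a known Locky trait the thread alludes to but does not spell out.
RANSOM_NOTE = "_HELP_instructions.html"
# Subset of the extension list in post #1; extend it from the full list as needed.
TARGETED = {".docx", ".xls", ".pdf", ".xlsx", ".jpg", ".txt", ".doc", ".zip", ".sql", ".cpp"}
REAL_LOCKY_NAME = re.compile(r"^[0-9A-Fa-f]{32}\.locky$")

def classify(name: str) -> str:
    """Label one filename: 'note', 'real_locky', 'powerlocky' or 'other'."""
    if name == RANSOM_NOTE:
        return "note"
    if REAL_LOCKY_NAME.match(name):
        return "real_locky"      # original name is gone: not PowerLocky's pattern
    if name.lower().endswith(".locky"):
        original = PurePosixPath(name[: -len(".locky")])
        if original.suffix.lower() in TARGETED:
            return "powerlocky"  # <original>.<targeted ext>.locky
    return "other"               # untouched file, or .locky on a type worth a manual look

def triage(paths):
    """Per-label counts plus folders holding encrypted files but no ransom note."""
    counts = Counter()
    hit, noted = set(), set()
    for p in paths:
        path = PurePosixPath(p)
        label = classify(path.name)
        counts[label] += 1
        if label in ("powerlocky", "real_locky"):
            hit.add(str(path.parent))
        elif label == "note":
            noted.add(str(path.parent))
    return {"counts": dict(counts), "folders_missing_note": sorted(hit - noted)}

# Constructed sample listing, not real victim data.
SAMPLE = [
    "Users/v/Documents/report.docx.locky",
    "Users/v/Documents/_HELP_instructions.html",
    "Users/v/Pictures/holiday.jpg.locky",
    "Users/v/Music/song.flac.locky",
    "Users/v/Desktop/F67091F1D24A922B1A7FC27E19A9D9BC.locky",
    "Users/v/Desktop/_HELP_instructions.html",
]
```

Run `triage(SAMPLE)` to get the per-label counts; any folder in `folders_missing_note` or any file labelled `real_locky` should be checked with ID Ransomware before a decrypter is tried.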

#2 Demonslay335 (Ransomware Hunter)
  • Security Colleague
  • 3,471 posts
  • Gender:Male
  • Location:USA

Posted 23 July 2016 - 03:37 PM

A decryptor has been made by the Unit 42 team that can decrypt this particular variant of PowerWare. Unfortunately, this decryptor requires Python, but I am sure if this ransomware becomes prevalent, a native Windows decryptor can be made.

 

Here's a GUI decrypter for this one, I'm calling it PowerLocky. :)

 

https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip

 


 

Simply select the directory, and hit "Decrypt".

 

Note this is NOT a decrypter for the real Locky.

The decrypter will detect if files were hit by the real Locky, and warn you about it.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Gianng
  • Members
  • 6 posts

Posted 23 July 2016 - 11:44 PM

Hi, I tried but unsuccessful!



#4 Demonslay335 (Ransomware Hunter)
  • Security Colleague
  • 3,471 posts
  • Gender:Male
  • Location:USA

Posted 23 July 2016 - 11:53 PM

Hi, I tried but unsuccessful!

 

Please post a few files that were not successfully decrypted. You can use a third-party sharing site such as SendSpace.




#5 Gianng
  • Members
  • 6 posts

Posted 24 July 2016 - 12:06 AM

 

Hi, I tried but unsuccessful!

Please post a few files that were not successfully decrypted. You can use a third-party sharing site such as SendSpace.

Hi, these are links to 3 files, one is _help_instruction.htm

https://www.sendspace.com/file/zgr0l9
https://www.sendspace.com/file/4vht6j
https://www.sendspace.com/file/tdo2ua

tks



#6 Demonslay335 (Ransomware Hunter)
  • Security Colleague
  • 3,471 posts
  • Gender:Male
  • Location:USA

Posted 24 July 2016 - 12:12 AM

Hi, these are links to 3 files, one is _help_instruction.htm

https://www.sendspace.com/file/zgr0l9
https://www.sendspace.com/file/4vht6j
https://www.sendspace.com/file/tdo2ua

tks

 
I'm afraid you were hit by the real Locky. ID Ransomware and PowerLockyDecrypter will both alert you of this (specifically why I added that feature). There is no way to decrypt your files without paying the ransom or restoring from backups. See the proper support topic for more information.


Edited by Demonslay335, 24 July 2016 - 12:12 AM.



#7 Amigo-A
  • Members
  • 479 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 24 July 2016 - 10:43 AM

GUI Decrypter - it's great!!!

Thanks, Demonslay335!!!


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#8 djbillyd
  • Members
  • 45 posts

Posted 31 July 2016 - 07:55 PM

I uploaded the ransom note. Decrypting was 0 files. So, the ransom note is jacked up too? The examination said that there was no decryptor for that /locky type, but the next panel had a decryptor. That was the unsuccessful process.



#9 madona1
  • Banned Spammer
  • 25 posts
  • Gender:Male

Posted 25 August 2016 - 01:59 PM

Very good tool, I used to work
Thank you :guitar:





