Alma Locker Ransomware Help & Support (Unlock_files_<rand>.html)


2 replies to this topic

#1 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,247 posts
  • Gender:Male
  • Location:USA

Posted 22 August 2016 - 01:05 PM

A new ransomware was discovered by ProofPoint researcher Darian Huss calling itself Alma Locker.

 

A victim's files are encrypted with AES-128, and have a random 5-6 character extension added. The ransom note dropped is "Unlock_files_<rand>.html" and "Unlock_files_<rand>.txt", where the <rand> part matches the extension of the files.

 

The ransom note looks like the following image.

 

[Image: screenshot of the Alma Locker ransom note]

 

The linked Tor link looks like the following image posted by Darian.

 

[Image: screenshot of the Alma Locker Tor payment site, posted by Darian]

 

This ransomware is currently being distributed by an exploit kit, and has a very low detection rate on VirusTotal.

 

Analysis of this ransomware is still underway.


Edited by Demonslay335, 22 August 2016 - 01:06 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
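The post above gives the naming convention that ties the ransom notes to the encrypted files: "Unlock_files_<rand>.html" / "Unlock_files_<rand>.txt", where <rand> is the same 5-6 character string appended to each encrypted file. The following is an added identification script, not code from the thread or from ID Ransomware, that applies that rule to a directory listing: it finds candidate notes, extracts the <rand> token, and lists the files carrying that token as an extension so an analyst can confirm the match before trusting the identification. The sample listing is constructed for the example; the case-insensitive matching and the alphanumeric token character set are assumptions, since the post does not say which characters the random extension uses.

```python
import os
import re

# Ransom note pattern from the thread: Unlock_files_<rand>.html / .txt,
# where <rand> is a random 5-6 character string. The character class and
# case-insensitivity are assumptions, not something the thread specifies.
NOTE_RE = re.compile(r"^Unlock_files_([A-Za-z0-9]{5,6})\.(html|txt)$", re.IGNORECASE)

# Constructed sample listing (not taken from a real infection).
SAMPLE_LISTING = [
    "Unlock_files_k3f7Qa.html",
    "Unlock_files_k3f7Qa.txt",
    "report.docx.k3f7Qa",
    "budget.xlsx.k3f7Qa",
    "photo.jpg",
    "readme.txt",
]


def find_alma_indicators(filenames):
    """Correlate ransom notes with encrypted files by their shared <rand> token.

    Returns a dict keyed by the token found in each note name, with the note
    types seen (html/txt) and the sorted list of files whose extension equals
    that token. A token with an empty file list means a note was found but no
    file in this listing carries the matching extension, which is worth a
    second look rather than an automatic identification.
    """
    note_tokens = {}
    for name in filenames:
        m = NOTE_RE.match(name)
        if m:
            token, note_type = m.group(1), m.group(2).lower()
            note_tokens.setdefault(token, set()).add(note_type)

    results = {}
    for token, note_types in note_tokens.items():
        suffix = "." + token.lower()
        encrypted = sorted(
            f for f in filenames
            if f.lower().endswith(suffix) and not NOTE_RE.match(f)
        )
        results[token] = {
            "note_types": sorted(note_types),
            "encrypted_files": encrypted,
        }
    return results


def scan_directory(root):
    """Walk a real directory tree and run the correlation on every filename.

    Paths are flattened to bare filenames because the note-to-extension rule
    only depends on the name, not on where the file sits.
    """
    names = []
    for _dirpath, _dirnames, files in os.walk(root):
        names.extend(files)
    return find_alma_indicators(names)


if __name__ == "__main__":
    for token, info in find_alma_indicators(SAMPLE_LISTING).items():
        print(f"token {token}: notes={info['note_types']} "
              f"encrypted={info['encrypted_files']}")
```

Because the token is recovered from the note name rather than guessed from extensions, an unrelated file that happens to end in six random characters does not trigger a match on its own; a match requires both a note with the token and at least one file wearing it as its extension.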



#2 campuscodi

campuscodi

  • Contributing Editor
  • 9 posts
  • Gender:Male
  • Location:Romania

Posted 24 August 2016 - 10:25 PM

Free decrypter: https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter

I have not tested it, so use with caution.



#3 Demonslay335

Demonslay335

    Ransomware Hunter

  • Topic Starter

  • Security Colleague
  • 3,247 posts
  • Gender:Male
  • Location:USA

Posted 24 August 2016 - 11:58 PM

Thanks for the article.

 

It seems their decrypter relies on you still acquiring the key yourself, and they only show getting the key from monitoring the network traffic at time of infection - afraid this is useless for 99% of victims unless a server is seized. Those who have that type of network monitoring in place already are very unlikely to be hit by such a malware. I could've copy-pasted the decrypter code into my own too, like I usually do. :P

 

The real thing to check is how the key is generated.






