Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

.Locked Ransomware


  • This topic is locked This topic is locked
10 replies to this topic

#1 Sein

Sein

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:12:45 AM

Posted 27 August 2016 - 11:57 PM

Dear All,
 
I just reinstall my windows 10 and downloaded some programs and noticed the command is prompt and automatically cloase. Then i found my SSD has some long extension file .locked .
Today I opened my files and most of them are encrypted to .locked file. I connect with external HDD to my pc . All of my personal datas was encrypted and how could be decrpted. My question is how was infected that ransomware to my pc and how to encrypt.
 Kindly answer and thanks in advance
 
Sein
 

 



BC AdBot (Login to Remove)

 


#2 canaanite

canaanite

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Israel
  • Local time:10:45 AM

Posted 28 August 2016 - 06:30 AM

Have a look at the topic : 
http://www.bleepingcomputer.com/forums/t/601765/locked-ransomware-support-and-help-topic-read-ittxt/page-6
You might find there some useful info



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:45 AM

Posted 28 August 2016 - 07:07 AM

CryptoShocker, Stampado, BankAccountSummary, RAA-SEP, Uyari, PokemonGo, Russian EDA2, JobCrypter, Zyklon Locker (GNL), KimcilWare Ransomware and LOCKED Ransomware all append the .locked extension to the end of the affected filename.

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance. If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.

You can also submit samples of encrypted files, ransom notes, email or/and website address you see in the RANSOM DEMAND to No More Ransom Crypto Sheriff for assistance with identification and possible decrypting solutions. If you are provided any information it would be helpful to post it here for Demonslay335 to review.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 MRagusta

MRagusta

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indonesia
  • Local time:03:45 PM

Posted 30 August 2016 - 06:51 AM

I have the exact problem with this ransomware that I don't know the name. Here's the detail :

  •  Almost all my document files (doc, xls, ppt, etc), pictures, and some mp3 files are encrypted. Those encrypted filename changes to <Random Characters>.locked. For example 3CF49B88CC4C26A693C15B6B095C1D6BA4184D40AB11B50C7AC4768C051AE62D277492DE.locked as you can see it on picture below :Encrypted_Files.jpg
  • I don't see any kind of ransom notes (or maybe I can't find it), so I can't determine the name.
  • I also analysed one of the encrypted data on malwr analysis website. Here's the link https://malwr.com/analysis/MDc3MWMzYTlmZDZjNDZjMzhlZmQ0ZjQ5ZTMwZTVlZDE/ (I don't know if this right) and I also upload one of the encrypted file on this link https://www.dropbox.com/s/jivtxftnh6mmima/Encrypted%20File.rar?dl=0
  • I also analysed it on id-ransomware.malwarehunterteam.com and this is result, but I don't think it's right.Ransom_ID.jpg

 

I've search everywhere to decrypt the file, but I don't find any way to do it. So please, If anyone here can help me to solve this problem (Decrypt the file and remove the malware forever) I would be very grateful. Thank you very much!


Edited by MRagusta, 30 August 2016 - 06:59 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:45 AM

Posted 30 August 2016 - 07:20 AM

ID Ransomware indicates you are dealing with one of this infections.

BankAccountSummary RansoBank_Account_Summary.pdf.exe & WindowsUpdate.locked Ransomwaremware Support Topic
JobCrypter Support Topic (.locked) - Readme.txt, Comment débloquer mes fichiers
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 MRagusta

MRagusta

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indonesia
  • Local time:03:45 PM

Posted 30 August 2016 - 07:28 AM

I've searched for both infections, but I can't find any ransom notes as those topic says and also decrypter for both of them can't decrypt my file. Thank you quiteman7 for replying my post.


Edited by MRagusta, 30 August 2016 - 07:34 AM.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:45 AM

Posted 30 August 2016 - 07:36 AM

In some cases ransomware does not always do what it is supposed to do so maybe no ransom notes were left. Demonslay335 will most likely read this topic later today and provide his assessment.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 MRagusta

MRagusta

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Indonesia
  • Local time:03:45 PM

Posted 30 August 2016 - 07:45 AM

In some cases ransomware does not always do what it is supposed to do so maybe no ransom notes were left. Demonslay335 will most likely read this topic later today and provide his assessment.

Alright then, I'll be waiting for the upcoming info about this from Demonslay335. Thank you again for replying. 



#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:45 AM

Posted 30 August 2016 - 07:47 AM

You're welcome.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:45 AM

Posted 31 August 2016 - 06:40 AM

This is a new strain of Stampado that Fabian discovered just the other day. I added a detection rule for it yesterday to ID Ransomware. It is still under analysis, no info on whether it is decryptable like its older version yet.

 

There is no ransom note left, as it shown on the program's screen itself when it has finished encrypting.


Edited by Demonslay335, 31 August 2016 - 06:42 AM.

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:45 AM

Posted 31 August 2016 - 08:19 AM

Since the infection has been confirmed as a Stampado variant, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion.To avoid unnecessary confusion, this topic is closed.

Thanks
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users