A new ransomware first spotted by a submission to ID Ransomware, with a sample found by Karsten Hahn, the Locked-In ransomware encrypts victims' files with AES and appends a random extension to each file.
The ransom note left behind is "RESTORE_CORUPTED_FILES.HTML" or "RESTORE_NOVALID_FILES.HTML", and looks like the below image.
The following is the text from the ransom note.
Danger! ALL YOUR FILE HAS BEEN LOCKED. YOU HAVE 15 DAYS TO MAKE PAYMENTS What happened to your files? All your files are encrypted and can be restored only after payment. For encryption we used persistent improved algorithm AES256 For each file, generate a unique decryption key and adds a random number of bytes,which makes decryption impossible without the use of a special configuration file,which has all of the information needed to decrypt your files. After encryption, we carefully erased the old blocks on the HDD that did not have the possibility to recover files using special utilities for recovering lost files such as Recuva , etc.. What will happen if I try to restore files? If you yourself attempt to restore a file ,you break the sequence files in the system and once we get our interpreter ,it will not help,as all files are encrypted in a certain order.
The good news is that this ransomware is decryptable. If you have been affected by this ransomware, please post in this topic if you need assistance in acquiring your keys. The decrypter will automatically try to search for the keys if run on the infected system.
Free decrypter is available here: https://download.bleepingcomputer.com/demonslay335/LockedInDecrypter.zip
Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.
Edited by Demonslay335, 17 January 2017 - 06:50 PM.