Worried about Locky
3 replies to this topic

#1 Magus75 (Members, 2 posts)

Posted 14 January 2017 - 06:44 PM

Hi there

I was trawling through my Windows registry and stumbled across a folder named "Locky". I remember seeing information about this kind of ransomware.

There doesn't appear to be anything in any keys and I see a Locky folder in other registry hives but nothing showing for keys when I look at those.

[attached screenshot: 01.14.2017-17.40.png]

I'm not seeing the other things mentioned in the article such as text files or Locky screens or whatever. But I understand that once you are infected, it works a while before it hits.

Is there any cause for alarm here?

Appreciate any advice... Rick :)


#2 quietman7 (Global Moderator, Bleepin' Janitor, 51,593 posts)

Posted 15 January 2017 - 09:16 AM

Any files that are encrypted with actual Locky Ransomware will be renamed with random alpha-numerical characters and have the .locky, .zepto, .odin, .bleep, .thor, .aesir, .zzzzz, or .osiris extension appended to the end of the encrypted data filename in the following format [unique_id][identifier].locky. Older Locky variants will store various information in the registry under the following keys:

  • HKCU\Software\Locky\id - The unique ID assigned to the victim.
  • HKCU\Software\Locky\pubkey - The RSA public key.
  • HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.
  • HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.

Newer Locky variants do not create HKCU\Software\Locky registry entries anymore.

If these keys are present, then either the system is infected with an older variant and there will be other obvious indications (signs of infection) or some security/anti-ransomware software was installed and added the entries as a vaccine to prevent infection...the old Locky variant is not able to encrypt any files if these registry entries are present. According to several folks commenting here, Bitdefender Crypto-Ransomware Vaccine will create the HKCU\Software\Locky\ entry. Other security products may create the same entries as protection against infection.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
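As an added example, not code from the thread or from either poster: a PowerShell triage script that checks the two indicators quietman7's reply describes (the values under HKCU\Software\Locky and files carrying the listed extensions) and reports which of the reply's two explanations fits. The registry path, value names and extensions are taken from the reply above; run it as the user whose hive you want to inspect.

```powershell
# Added triage script (not from the thread): checks the registry artifacts and file
# extensions quietman7's reply lists. Value names id, pubkey, paytext, completed and
# the extension list come from that reply.
$keyPath     = 'HKCU:\Software\Locky'
$knownValues = @('id', 'pubkey', 'paytext', 'completed')
$extensions  = @('.locky', '.zepto', '.odin', '.bleep', '.thor', '.aesir', '.zzzzz', '.osiris')

$populated = $false
if (Test-Path -Path $keyPath) {
    $key        = Get-Item -Path $keyPath
    $valueNames = @($key.GetValueNames())    # empty when the key is just an empty "folder"
    if ($valueNames.Count -eq 0) {
        Write-Output "$keyPath exists but holds no values (the empty folder the original poster saw)."
    } else {
        $populated = $true
        foreach ($name in $valueNames) {
            $data  = $key.GetValue($name)
            $kind  = $key.GetValueKind($name)
            $label = if ($knownValues -contains $name) { 'documented Locky value' } else { 'not documented in the thread' }
            # Binary data comes back as byte[]; -join renders scalars and arrays alike as one string.
            Write-Output ('{0}\{1} [{2}] = {3}  <- {4}' -f $keyPath, $name, $kind, ($data -join ','), $label)
        }
    }
} else {
    Write-Output "No $keyPath key present."
}

# Encrypted files are the other indicator from the reply: renamed files with one of these extensions.
$hits = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
          Where-Object { $extensions -contains $_.Extension.ToLower() })
Write-Output ('Files with a Locky extension under {0}: {1}' -f $env:USERPROFILE, $hits.Count)
$hits | Select-Object -First 10 | ForEach-Object { Write-Output ('  ' + $_.FullName) }

# Interpretation, following the reply: values plus encrypted files points to an older variant;
# values with no encrypted files is what a vaccine entry looks like.
if ($hits.Count -gt 0) {
    Write-Output 'Encrypted files found: treat as an infection regardless of the registry state.'
} elseif ($populated) {
    Write-Output 'Values present but no encrypted files: consistent with a vaccine entry (e.g. Bitdefender Crypto-Ransomware Vaccine); confirm which product wrote it.'
} else {
    Write-Output 'No values and no encrypted files: nothing here indicates an infection.'
}
```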

#3 Magus75 (Topic Starter, Members, 2 posts)

Posted 15 January 2017 - 04:26 PM

Appreciate the info!



#4 quietman7 (Global Moderator, Bleepin' Janitor, 51,593 posts)

Posted 15 January 2017 - 04:27 PM

You're welcome.