LockCrypt (.lock) Support Topic - ReadMe.TxT


43 replies to this topic

#1 geeknw
  • Members
  • 4 posts

Posted 02 June 2017 - 12:35 PM

Hi everyone,

My computer was attacked last week, probably through RDP.

The crypto also encrypts the file names themselves.

The Bitcoin address is 15FWX9vnR2MbT9S2XeCTD5faXGW9RGvsc3

I found the actual executable, which is called locker.exe; here are more details on the executable: https://malwr.com/analysis/YzU5OGQzZGE5MjU2NGJhMDlhZTQ2Yzg3MDI0ZDQzMWI

I uploaded it to ID Ransomware and it gave me this reference: 8c89c91f0b3367f0c51c22765a5a8fbefd6fb77e

Does anyone know something about this particular extension?

Thanks very much for your help

Edited by geeknw, 02 June 2017 - 01:00 PM.



#2 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,210 posts
  • Location:USA

Posted 02 June 2017 - 01:32 PM

Looks new, yet the ransom note looks vaguely familiar...

We're looking into the sample you provided, definitely looks to be the ransomware itself.

For reference, an example of a renamed file is "blQnAGpWOh1VRXQTeENRVnxPdzFpLQVEYyw-MTRWLE4kCD5fQAd8QihjAgk8YgRJFkJkATYwaTdUKkcKJ1NhCGdPJlJ8FwwQNEQ7IjkBbTdKEj9XYgwWTy0LTjNhHQxbVDhsG2oZ ID <victim ID>.lock". Very messy.

Here's the ransom note "ReadMe.TxT". We've seen it with a few email addresses.

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail d_dukens@aol.com or d_dukens@bitmessage.ch
Write this ID in the title of your message
In case of no answer in 24 hours write us to theese e-mails: d_dukens@aol.com or d_dukens@bitmessage.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information.
(databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

{{IDENTIFIER}}
Your ID [redacted]

We've named this one "LockCrypt". It's so generic, there's really no better name. ID Ransomware will point victims to this topic.

Filenames have the pattern "<base64> ID <base64>.lock". There's a possibility it may be decryptable, so stay tuned. :)

Edited by Demonslay335, 02 June 2017 - 03:09 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
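As an added example (not code from the thread, from ID Ransomware or from CryptoSearch), the following Python script checks a directory tree for the naming pattern Demonslay335 describes above, "<base64> ID <base64>.lock", and for copies of the ransom note "ReadMe.TxT", and groups the hits by victim ID. It assumes the two blobs use the standard or URL-safe base64 alphabet (the sample name quoted in the post contains a "-"). The victim IDs "QUJDMTIz" and "T1RIRVI", the look-alike names and the temporary directory it builds are constructed for the demo. It inspects names only and never opens, renames or deletes anything, since the note itself warns that renamed files may not be recoverable.

```python
import os
import re
import tempfile
from collections import defaultdict

# Added example, not code from the thread or from ID Ransomware / CryptoSearch.
# Pattern reported by Demonslay335: "<base64> ID <base64>.lock".
# Assumption: standard or URL-safe base64 alphabet (the quoted sample contains '-').
_B64 = r"[A-Za-z0-9+/_-]+={0,2}"
LOCKCRYPT_NAME = re.compile(rf"^(?P<blob>{_B64}) ID (?P<victim>{_B64})\.lock$")
RANSOM_NOTE = "readme.txt"  # the page shows "ReadMe.TxT"; compared case-insensitively


def parse_lockcrypt_name(filename):
    """Return (blob, victim_id) if the bare filename matches the pattern, else None."""
    m = LOCKCRYPT_NAME.match(filename)
    if m is None:
        return None
    return m.group("blob"), m.group("victim")


def scan_for_lockcrypt(root):
    """Walk `root` and report encrypted files grouped by victim ID, plus ransom notes.

    Returns {"encrypted": {victim_id: [paths...]}, "notes": [paths...]}.
    Only names are inspected: nothing is opened, renamed or deleted, because the
    ransom note warns that renaming encrypted files may make them unrecoverable.
    """
    report = {"encrypted": defaultdict(list), "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                report["notes"].append(full)
                continue
            parsed = parse_lockcrypt_name(name)
            if parsed is not None:
                report["encrypted"][parsed[1]].append(full)
    report["encrypted"] = dict(report["encrypted"])
    return report


def build_sample_tree():
    """Create a temp directory of constructed sample names (not real artefacts).

    The first name is the renamed-file example quoted in the thread with a made-up
    victim ID; the others are constructed hits and look-alikes that must not match.
    """
    root = tempfile.mkdtemp(prefix="lockcrypt_demo_")
    sub = os.path.join(root, "Documents")
    os.makedirs(sub)
    names = [
        "blQnAGpWOh1VRXQTeENRVnxPdzFpLQVEYyw-MTRWLE4kCD5fQAd8QihjAgk8YgRJFkJkATYwaTdUKkcKJ1NhCGdPJlJ8FwwQNEQ7IjkBbTdKEj9XYgwWTy0LTjNhHQxbVDhsG2oZ ID QUJDMTIz.lock",
        "c2Vjb25kLWZpbGU= ID QUJDMTIz.lock",     # constructed, same victim ID
        "dGhpcmQ ID T1RIRVI.lock",               # constructed, different victim ID
        "budget.xlsx",                           # untouched file
        "report.docx ID QUJDMTIz.lock",          # '.' is not base64: no match
        "c2Vjb25kLWZpbGU= ID QUJDMTIz.locked",   # wrong extension: no match
    ]
    for n in names:
        open(os.path.join(sub, n), "w").close()
    open(os.path.join(root, "ReadMe.TxT"), "w").close()
    open(os.path.join(sub, "ReadMe.TxT"), "w").close()
    return root


if __name__ == "__main__":
    result = scan_for_lockcrypt(build_sample_tree())
    for victim, paths in result["encrypted"].items():
        print(f"victim ID {victim}: {len(paths)} encrypted file(s)")
    print(f"{len(result['notes'])} ransom note(s) found")
```

Point `scan_for_lockcrypt()` at a real share or drive root to get a per-victim-ID inventory; more than one victim ID on the same host is itself worth noting before contacting anyone about decryption.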


#3 geeknw
  • Topic Starter
  • Members
  • 4 posts

Posted 05 June 2017 - 12:25 PM

It seems the criminals were able to log in from this IP 212.111.192.203 using RDP exploits, then they copied over the virus executable (locker.exe) and a utility called Process Hacker, which they used to kill all important services like SQL in order to cause the most damage possible.

Let me know if there is anything else I can help out with.

Thanks
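The chain geeknw describes (an RDP logon from 212.111.192.203, then locker.exe and Process Hacker copied over and run, then services such as SQL killed) can be checked against the Windows Security and System logs. The following Python is an added example, not something posted in the thread: it runs that check over a few constructed event records using the standard event IDs 4624 (logon; LogonType 10 is RemoteInteractive, i.e. RDP), 4688 (process creation, which only exists if process-creation auditing is enabled) and 7036 (Service Control Manager service state change), and ties process starts to the RDP session through the logon ID. The timestamps, user names, logon IDs, paths and the set of service names treated as critical are assumptions made for the demo; only the source IP is taken from the post.

```python
import ipaddress
from datetime import datetime

# Added example, not code from the thread. Replays the intrusion chain geeknw
# describes over constructed Windows event records. Standard event IDs used:
#   Security 4624, LogonType 10  -> RDP (RemoteInteractive) logon
#   Security 4688                -> process creation (needs Audit Process Creation)
#   System   7036                -> service entered running/stopped state
# Field names mirror the event XML (IpAddress, TargetLogonId, SubjectLogonId, ...).

SUSPECT_BINARIES = {"locker.exe", "processhacker.exe"}   # names reported in the thread
CRITICAL_SERVICES = {"MSSQLSERVER", "SQLSERVERAGENT"}    # assumption: what "services like SQL" covers


def is_external(ip):
    """True for a routable address; False for private/loopback/link-local or '-'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def triage(events):
    """Return [(time, finding), ...] in time order.

    Stage 1: 4624 with LogonType 10 from an external IP -> remember the logon ID.
    Stage 2: 4688 whose SubjectLogonId belongs to such a session and whose image
             is one of SUSPECT_BINARIES.
    Stage 3: 7036 'stopped' for a critical service once stage 1 has fired.
    """
    findings = []
    rdp_sessions = {}  # TargetLogonId -> source IP
    for e in sorted(events, key=lambda ev: ev["time"]):
        eid, d = e["id"], e["data"]
        if eid == 4624 and d.get("LogonType") == 10 and is_external(d.get("IpAddress", "-")):
            rdp_sessions[d["TargetLogonId"]] = d["IpAddress"]
            findings.append((e["time"], f"RDP logon from {d['IpAddress']} as {d['TargetUserName']}"))
        elif eid == 4688:
            image = d["NewProcessName"].rsplit("\\", 1)[-1].lower()
            source = rdp_sessions.get(d.get("SubjectLogonId"))
            if image in SUSPECT_BINARIES and source is not None:
                findings.append((e["time"], f"{image} started in RDP session from {source}"))
        elif eid == 7036 and d.get("param2") == "stopped" and d.get("param1") in CRITICAL_SERVICES:
            if rdp_sessions:
                findings.append((e["time"], f"service {d['param1']} stopped after external RDP logon"))
    return findings


def _ev(when, eid, **data):
    # Constructed record; the date is invented for the demo.
    return {"time": datetime(2017, 5, 28, *when), "id": eid, "data": data}


# Constructed records: times, users, logon IDs and paths are invented; only the
# source IP of the first logon is the one reported in the thread.
SAMPLE_EVENTS = [
    _ev((2, 10), 4624, LogonType=10, IpAddress="212.111.192.203",
        TargetUserName="Administrator", TargetLogonId="0x3e7a1"),
    _ev((2, 11), 4624, LogonType=2, IpAddress="-",
        TargetUserName="backup", TargetLogonId="0x3e7b0"),          # console logon: ignored
    _ev((2, 12), 4624, LogonType=10, IpAddress="10.0.0.5",
        TargetUserName="helpdesk", TargetLogonId="0x3e7c2"),        # internal RDP: ignored
    _ev((2, 14), 4688, NewProcessName=r"C:\Users\Administrator\Desktop\ProcessHacker.exe",
        SubjectLogonId="0x3e7a1"),
    _ev((2, 15), 7036, param1="MSSQLSERVER", param2="stopped"),
    _ev((2, 16), 4688, NewProcessName=r"C:\Users\Administrator\Desktop\locker.exe",
        SubjectLogonId="0x3e7a1"),
    _ev((2, 17), 4688, NewProcessName=r"C:\Windows\System32\notepad.exe",
        SubjectLogonId="0x3e7c2"),                                  # benign: ignored
]


def run_demo():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for when, text in run_demo():
        print(when.strftime("%H:%M"), text)
```

On a real host the same records come out of `Get-WinEvent` (Security log for 4624/4688, System log for 7036); the point of keying on the logon ID rather than on time alone is that an attacker's interactive session is what links the process starts back to the external logon.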



#4 jwoods301
  • Members
  • 1,489 posts

Posted 05 June 2017 - 03:34 PM

IP point of origin...

https://www.speedguide.net/ip/212.111.192.203



#5 bigweasel72
  • Members
  • 5 posts

Posted 03 July 2017 - 12:11 PM

Has there been an update on how to decrypt this ransomware?



#6 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,210 posts
  • Location:USA

Posted 03 July 2017 - 01:01 PM

None as of now. I have some notes on reversing it, but haven't looked at it in a while. We looked into it and it has relatively weak crypto, just haven't found a way of attacking it yet.




#7 bigweasel72
  • Members
  • 5 posts

Posted 03 July 2017 - 01:13 PM

Thanks for responding, we are looking for a solution as it affected all our PCs, let me know if you find a solution. Appreciate all your efforts.



#8 bigweasel72
  • Members
  • 5 posts

Posted 03 July 2017 - 03:28 PM

Should we pay the ransom? We seem to be stuck. What are your thoughts, Demonslay335?



#9 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,731 posts
  • Location:Virginia, USA

Posted 03 July 2017 - 03:47 PM

Most security experts will advise against paying the ransom demands of the malware writers because doing so only helps to finance their criminal enterprise and keep them in business. One of the reasons that folks get infected is because someone before them paid the bad guys to decrypt their data. The more people that pay the ransom, the more cyber-criminals are encouraged to keep creating ransomware for financial gain. Further, there is no guarantee that paying the ransom will actually result in the restoration (decryption) of your files.

Some ransomware victims have reported they paid the ransom and were successful in decrypting their data. Some victims reported they paid the ransom but the cyber-criminals did not provide a decryptor or a key to decrypt the files, while others reported the key and decryption software they received did not work or resulted in errors. Still others have reported paying the ransom only to discover the criminals wanted more money or threatened to expose data unless additional payment was made. Most cyber-criminals provide instructions in the ransom note that allow their victims to submit one or two limited size files for free decryption as proof they can decrypt the files. However, decryption in bulk may not always work properly or work at all. In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

Keep all this in mind if you are considering paying the ransom since there is never a guarantee decryption will be successful or that the decryptor provided by the cyber-criminals will work as they claim...and using a faulty or incorrect decryptor may damage or corrupt the files even further. The criminals may even send you something containing more malware...so why should you trust anything provided by those who infected you in the first place?
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#10 bigweasel72
  • Members
  • 5 posts

Posted 03 July 2017 - 04:16 PM

Demonslay335, sent you a PM with some info I found; maybe that will help you.



#11 kukumber
  • Members
  • 9 posts

Posted 18 July 2017 - 06:11 PM

> None as of now. I have some notes on reversing it, but haven't looked at it in a while. We looked into it and it has relatively weak crypto, just haven't found a way of attacking it yet.

Hi Demonslay335, I am also dealing with a case of LockCrypt. Can you share what information you have about the weak crypto and reverse engineering, and whether a method of decryption has been established yet? Thanks



#12 kukumber
  • Members
  • 9 posts

Posted 18 July 2017 - 06:14 PM

> Should we pay the ransom? We seem to be stuck. What are your thoughts, Demonslay335?

Did you end up paying the attackers?



#13 MrChan
  • Members
  • 9 posts

Posted 07 August 2017 - 06:28 PM

Hello. Did you find a solution to this problem? My network was damaged by this ransomware. I contacted these people at d_dukens@aol.com and they asked for 1 bitcoin for decrypting one server. I really needed the data, so I had to pay. The decoder was sent out in 4 hours, everything was decrypted. It's a shame if you already have a free decoder and I spent money (((



#14 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 49,731 posts
  • Location:Virginia, USA

Posted 07 August 2017 - 07:00 PM

There is no new information or a free decryption tool that I am aware of.

#15 MrChan
  • Members
  • 9 posts

Posted 07 August 2017 - 07:14 PM

So the money was not lost. The work is more expensive; I could lose more while I wait. Are they so invulnerable? (





