Today a reader sent me information about the LockCrypt Ransomware being actively distributed through hacked Remote Desktop services. When installed, this variant encrypts a victim's files and then appends the .1btc extension to the encrypted file names.

For those not familiar with the LockCrypt Ransomware, AlienVault has a good writeup about an older version. In summary, the attackers scan for computers with Remote Desktop Services exposed to the Internet and try to brute force the login credentials. Once they are able to log in to a computer, they execute the ransomware on as many computers in the network as they can reach.

The ransomware developers then provide contact info where a victim can pay a certain price for a single machine decryption or a reduced price if decrypting multiple machines.

This version works the same way, but the developers have changed the extension appended to file names and are using different contact email addresses. This variant has been distributed since the end of December 2017. When it encrypts a file, it base64 encodes the original file name and then appends the .1btc extension. You can see an example of this in the image sent to BleepingComputer.

(Image: LockCrypt Encrypted Files)

LockCrypt will then create ransom notes on the infected machine with the file name Restore Files.TxT. These ransom notes contain a unique victim ID and instructions to email Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch in order to receive payment instructions.

(Image: LockCrypt Ransom Note)

It is currently unknown how much the attackers are asking for a ransom payment, but based on the extension it may be 1 bitcoin per machine.

Finally, LockCrypt sets a legal notice on the victim's machine, so that an alert about the computer being encrypted is displayed before a user even logs in.

(Image: Legal Notice)
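The three artifacts described above (base64-encoded .1btc file names, the Restore Files.TxT notes with their victim ID, and the pre-logon legal notice) are what an incident responder inventories first. The following PowerShell script is an added triage example written for this article, not code from the original post or from the ransomware itself. It assumes that the encoded file name is base64 of the original name in UTF-8 (the article only says "base64 encode", so the text encoding is an assumption), and that the pre-logon message is set through the standard Windows legal-notice registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the article does not say which mechanism LockCrypt uses). It only reads; it never renames or modifies encrypted files, which the ransom note warns against and which would also destroy evidence.

```powershell
# Added triage example for the LockCrypt .1btc variant (not part of the original
# article or of the malware). Read-only: it inventories encrypted files, ransom
# notes and the pre-logon legal notice and writes a CSV for the incident record.
param(
    [string]$Root = 'C:\'          # volume or share to sweep
)

function Get-OriginalName {
    param([string]$EncryptedName)
    # Strip the .1btc extension and try to decode the rest as base64.
    # ASSUMPTION: the original name was UTF-8 before encoding. If it was not,
    # the decode may yield garbage rather than fail, so eyeball the output.
    $b64 = $EncryptedName -replace '\.1btc$', ''
    try {
        $bytes = [Convert]::FromBase64String($b64)
        return [Text.Encoding]::UTF8.GetString($bytes)
    } catch {
        return $null                # not valid base64: leave for manual review
    }
}

# 1. Inventory encrypted files and recover their original names.
#    -Filter is fast but matches 8.3 short names too, so re-check the extension.
$encrypted = Get-ChildItem -Path $Root -Recurse -Filter '*.1btc' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.1btc' }
$inventory = foreach ($f in $encrypted) {
    [pscustomobject]@{
        EncryptedPath = $f.FullName
        OriginalName  = Get-OriginalName $f.Name
        SizeBytes     = $f.Length
        LastWriteUtc  = $f.LastWriteTimeUtc   # bounds the encryption window
    }
}
$csv = Join-Path $env:TEMP 'lockcrypt-inventory.csv'
$inventory | Export-Csv -Path $csv -NoTypeInformation
"Encrypted files found: $($inventory.Count) (inventory written to $csv)"

# 2. Collect ransom notes and pull out the victim ID and contact addresses.
$notes = Get-ChildItem -Path $Root -Recurse -Filter 'Restore Files.TxT' -File -ErrorAction SilentlyContinue
foreach ($n in $notes) {
    $text  = Get-Content -Path $n.FullName -Raw
    $id    = if ($text -match 'Your ID\s+(\S+)') { $Matches[1] } else { '(not found)' }
    $mails = [regex]::Matches($text, '[\w.+-]+@[\w.-]+') | ForEach-Object Value | Sort-Object -Unique
    "{0}`tID={1}`temails={2}" -f $n.FullName, $id, ($mails -join ',')
}

# 3. Check the pre-logon legal notice. ASSUMPTION: the standard policy values.
$pol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$legal = Get-ItemProperty -Path $pol -Name legalnoticecaption, legalnoticetext -ErrorAction SilentlyContinue
if ($legal -and $legal.legalnoticetext) {
    Write-Warning "Pre-logon legal notice is set: '$($legal.legalnoticecaption)' / $($legal.legalnoticetext)"
}
```

Run it as an administrator against each affected host or share before any cleanup; the earliest LastWriteUtc on the .1btc files, combined with the RDP logon events from the same window, usually pins down which account the attackers brute forced.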

Unfortunately, this ransomware cannot currently be decrypted for free. For those who are infected or wish to discuss this ransomware, you can use our LockCrypt Help & Support topic.

How to protect yourself from the LockCrypt Ransomware

In order to protect yourself from ransomware in general, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As LockCrypt is installed through hacked Remote Desktop services, it is very important to make sure they are locked down correctly. This includes making sure that no computer running Remote Desktop Services is connected directly to the Internet. Instead, place computers running Remote Desktop behind a VPN so that they are only reachable by those who have VPN accounts on your network.

It is also important to set up a proper account lockout policy so that accounts are difficult to brute force over Remote Desktop Services.
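The two hardening steps above (no Internet-facing RDP, and an account lockout policy) can be checked and applied from PowerShell. The script below is an added example for this article, not code from the original post. It assumes the standard RDP registry locations, that Windows 8 / Server 2012 or later is in use (for Get-NetTCPConnection), and that logon-failure auditing is enabled so event 4625 is written to the Security log. Run it as an administrator.

```powershell
# Added RDP audit and hardening example (not part of the original article).
# Assumes the standard Terminal Server registry keys and Security-log auditing.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# 1. Is RDP enabled, is Network Level Authentication required, and where does it listen?
$rdpEnabled = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
$port       = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber
$listen     = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
"RDP enabled: $rdpEnabled  NLA required: $nla  port: $port  listening on: $($listen.LocalAddress -join ',')"

# Listening on all interfaces is normal, so this cannot prove the host is unreachable
# from the Internet; confirm at the firewall / VPN that TCP $port is not published.
if ($listen.LocalAddress -contains '0.0.0.0' -or $listen.LocalAddress -contains '::') {
    Write-Warning "RDP listens on every interface; make sure port $port is only reachable over the VPN."
}

# Require NLA so a password is validated before a full session is built for the caller.
if ($rdpEnabled -and -not $nla) {
    Set-ItemProperty -Path $tcp -Name UserAuthentication -Value 1
    'Enabled Network Level Authentication.'
}

# 2. Account lockout policy for local accounts: 5 bad passwords lock the account for
#    30 minutes, counting failures within a 30-minute window. On a domain set the
#    same values in Group Policy instead; `net accounts` only affects this machine.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Who has been brute forcing RDP? Failed logons (4625) in the last 24 hours,
#    grouped by source IP. Field offsets in 4625: Properties[10] = LogonType,
#    Properties[19] = IpAddress. With NLA enabled the failed attempts are logged as
#    LogonType 3 (network) rather than 10 (RemoteInteractive), so include both.
$since  = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$failed |
    Where-Object { $_.Properties[10].Value -in 3, 10 } |
    Group-Object { $_.Properties[19].Value } |
    Where-Object Count -ge 20 |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count
```

A lockout threshold also hands an attacker who already knows your user names a way to lock out legitimate staff, so it is a backstop, not a substitute for taking RDP off the Internet. Any source IP that shows up in step 3 with dozens of failures should be blocked at the perimeter and its target account names reviewed for a successful 4624 logon that followed.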

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it can have the biggest payoff.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.


IOCs

Ransom Note Text: 

Your ID xxx
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail support: Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch
Write this ID in the title of your message
In case of no answer in 24 hours write us to these e-mails support: Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information.
(databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.


Email Addresses:

Jacob_888jk@aol.com
Jacob_888jk@bitmessage.ch

Associated Files:

Restore Files.TxT