LockCrypt

The team at Malwarebytes has identified a weakness in the encryption scheme utilized by the LockCrypt ransomware that they can exploit to recover a victim's data.

The flaw —explained in a Malwarebytes report here— resides in the fact that the LockCrypt crew decided to roll out a custom encryption scheme instead of using proven systems.

Researchers' efforts were also aided after discovering a LockCrypt sample that was not obfuscated or crypted, allowing investigators access to the ransomware's internal structure in great detail.

With the new info that researchers gathered, they were now able to provide help to victims who got infected by this threat.

LockCrypt ransomware installed after RDP attacks

The LockCrypt ransomware was first spotted last June. Researchers believe the LockCrypt gang had previously distributed versions of the Satan ransomware. The most high profile case of a LockCrypt infection happened in December last year when crooks managed to infect the network of Mecklenburg County in North Carolina.

There was little activity from this ransomware variant because the LockCrypt group didn't mass-distribute their malware via email spam or exploit kits, but they broke into organizations' networks via RDP and manually installed the ransomware on compromised computers.

The ransomware went through three different phases, classified based on the file extension they used to signal encrypted files —the first when crooks used the .lock extension, then .2018, and the third when they switched to .1btc.

LockCrypt described as sloppy, unprofessional

"LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional," the Malwarebytes team says.

"Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated."

Victims who need assistance in decrypting their files can contact security researcher Michael Gillespie or ask for help on the Bleeping Computer LockCrypt support forum.

Image credits: Creative Stall, Bleeping Computer

Related Articles:

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More

The Week in Ransomware - November 23rd 2018 - STOP, Dharma, and More

CommonRansom Ransomware Demands RDP Access to Decrypt Files

The Week in Ransomware - October 26th 2018 - Decryptors, RaaS, and More

Company Pretends to Decrypt Ransomware But Just Pays Ransom