Since June this year, a group of cyber-criminals has been breaking into unsecured enterprise servers via RDP brute-force attacks and manually installing a new type of ransomware called LockCrypt.

A constant stream of victims has been asking for help with LockCrypt infections on the Bleeping Computer ransomware support forum.

According to experts at AlienVault — who looked deeper into some infections — attackers hit companies in countries such as the US, the UK, South Africa, India, and the Philippines.

LockCrypt gang operating via RDP brute-force attacks

The LockCrypt gang usually breaks into one server, moves laterally to as many machines as possible, and manually runs the LockCrypt ransomware on each system.

Each computer hit by LockCrypt shows a ransom screen and a ransom note like the ones below; the encrypted files receive a new .lock extension.

LockCrypt ransom screen

LockCrypt ransom note

To decrypt locked data, victims must pay ransoms that usually vary between 0.5 and 1 Bitcoin per server, or between $3,500 and $7,000 per machine.

Some companies may face ransom demands of hundreds of thousands of dollars, if attackers manage to compromise a larger number of systems.

LockCrypt gang started on the Satan RaaS

According to the AlienVault team, who were called in to investigate some of the incidents, the first versions of the LockCrypt ransomware used an email address previously associated with ransomware strains generated via the Satan RaaS (Ransomware-as-a-Service) portal, which launched in January this year.

Satan RaaS Account Page

Experts believe the group might have used a Satan ransomware strain in the beginning and used the profits to code a custom version afterward, which eventually became the LockCrypt ransomware.

LockCrypt is also not a run-of-the-mill strain. The ransomware uses strong encryption, establishes boot persistence, deletes Volume Shadow Copies, and runs a batch file that kills every process that is not a core Windows process, so that antivirus software or anything else that might interfere with the subsequent file encryption is stopped first.
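Two of the behaviours just described, shadow copy deletion and a batch-file burst of process kills, leave a clear trace in process-creation telemetry. The following is an added example, not code from the article or from AlienVault: it triages constructed process-creation records (loosely modelled on Windows Security event 4688 / Sysmon event 1) and flags that combination. The record layout, the sample lines, and the vssadmin/wmic command forms it looks for are assumptions; the article does not name the commands LockCrypt runs.

```python
import re
from collections import Counter

# Assumed shadow-copy deletion commands. The article only says LockCrypt
# "deletes shadow volume copies"; these are the commonly used forms, not
# something the article reports.
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b",
    re.I,
)
# Forced process termination via taskkill /F.
TASKKILL_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b", re.I)

# Constructed records: "<time> parent=<creator image> image=<image> cmd=<command line>".
SAMPLE_PROCS = """\
02:20:01 parent=explorer.exe image=winword.exe cmd="winword.exe" /n
02:21:10 parent=cmd.exe image=vssadmin.exe cmd=vssadmin delete shadows /all /quiet
02:21:11 parent=cmd.exe image=taskkill.exe cmd=taskkill /F /IM sqlservr.exe
02:21:11 parent=cmd.exe image=taskkill.exe cmd=taskkill /F /IM outlook.exe
02:21:12 parent=cmd.exe image=taskkill.exe cmd=taskkill /F /IM excel.exe
02:21:12 parent=cmd.exe image=taskkill.exe cmd=taskkill /F /IM chrome.exe
02:21:13 parent=cmd.exe image=taskkill.exe cmd=taskkill /F /IM firefox.exe
02:21:13 parent=cmd.exe image=taskkill.exe cmd=taskkill /F /IM acrord32.exe
02:30:00 parent=services.exe image=svchost.exe cmd=svchost.exe -k netsvcs
"""

PROC_RE = re.compile(
    r"^(?P<ts>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


def parse_procs(text):
    """Parse the constructed records into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(PROC_RE.match, text.splitlines()) if m]


def triage_processes(procs, taskkill_threshold=5):
    """Flag shadow-copy deletion and bursts of forced kills from one parent.

    Returns the matching shadow-copy commands, the parents that issued at
    least `taskkill_threshold` taskkill /F commands, and whether both
    behaviours occurred together (the pattern the article attributes to
    LockCrypt's pre-encryption batch file)."""
    shadow = [p["cmd"] for p in procs if SHADOW_DELETE_RE.search(p["cmd"])]
    kills = Counter(p["parent"] for p in procs if TASKKILL_RE.search(p["cmd"]))
    bursts = {parent: n for parent, n in kills.items() if n >= taskkill_threshold}
    return {
        "shadow_copy_deletion": shadow,
        "taskkill_burst": bursts,
        "ransomware_pattern": bool(shadow) and bool(bursts),
    }


if __name__ == "__main__":
    print(triage_processes(parse_procs(SAMPLE_PROCS)))
```

Either behaviour on its own is noisy (administrators do delete shadow copies, and scripts do kill processes), which is why the combined flag is the one worth paging on; the individual lists are kept so an analyst can see what triggered it.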

LockCrypt is just the latest addition to a long list of ransomware families that cyber-criminals spread not via spam or exploit kits, but by breaking in through RDP brute-force attacks.

Previous ransomware families installed the same way include SynAck, Bit Paymer, RSAUtil, Xpan, Crysis, Samas (SamSam), LowLevel, DMA Locker, Apocalypse, Smrss32, Bucbi, Aura/BandarChor, ACCDFISA, and Globe.

AlienVault and users who reported LockCrypt infections on the Bleeping Computer forum said that attackers usually logged into their network via RDP from 212.111.192.203, an IP address associated with the Ministry of Education and Science of Ukraine.
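Because the entry point is RDP brute force, the most useful defensive signal is a burst of failed RemoteInteractive logons followed by a success from the same address. The following is an added example, not code from the article or from AlienVault: it runs that check over constructed records modelled on Windows Security events 4625 (failed logon) and 4624 (successful logon), and additionally flags the source address the article reports. The record layout and every address other than 212.111.192.203 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The source IP the article reports for the LockCrypt RDP logins.
KNOWN_BAD_SOURCES = {"212.111.192.203"}

# Constructed sample records, loosely modelled on Windows Security events
# 4625 (failed logon) and 4624 (successful logon). LogonType 10 is
# RemoteInteractive, i.e. RDP. 198.51.100.7 and 10.0.0.5 are made-up addresses.
SAMPLE_EVENTS = """\
2017-10-29 02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=212.111.192.203
2017-10-29 02:14:03 EventID=4625 LogonType=10 TargetUser=admin SrcIP=212.111.192.203
2017-10-29 02:14:05 EventID=4625 LogonType=10 TargetUser=backup SrcIP=212.111.192.203
2017-10-29 02:14:07 EventID=4625 LogonType=10 TargetUser=sqlsvc SrcIP=212.111.192.203
2017-10-29 02:14:09 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=212.111.192.203
2017-10-29 02:14:12 EventID=4624 LogonType=10 TargetUser=administrator SrcIP=212.111.192.203
2017-10-29 03:40:20 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=198.51.100.7
2017-10-29 03:40:25 EventID=4625 LogonType=10 TargetUser=administrator SrcIP=198.51.100.7
2017-10-29 08:30:44 EventID=4625 LogonType=10 TargetUser=jsmith SrcIP=10.0.0.5
2017-10-29 08:30:59 EventID=4624 LogonType=10 TargetUser=jsmith SrcIP=10.0.0.5
2017-10-29 09:00:00 EventID=4624 LogonType=2 TargetUser=jsmith SrcIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<eid>\d+) "
    r"LogonType=(?P<lt>\d+) TargetUser=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the sample records into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "eid": int(m["eid"]),
                "lt": int(m["lt"]),
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: [reasons]} for RDP sources worth investigating.

    Reasons: 'failure-burst' (at least `threshold` failed RDP logons inside
    `window`), 'success-after-burst' (a successful RDP logon from an address
    that just produced such a burst, i.e. a brute force that worked) and
    'known-bad-source' (the address is on the block list)."""
    findings = defaultdict(set)
    recent_failures = defaultdict(list)  # ip -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        ip = ev["ip"]
        if ip in KNOWN_BAD_SOURCES:
            findings[ip].add("known-bad-source")
        # sliding window: keep only failures that are still inside `window`
        recent = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
        if ev["eid"] == 4625:
            recent.append(ev["ts"])
            if len(recent) >= threshold:
                findings[ip].add("failure-burst")
        elif ev["eid"] == 4624 and len(recent) >= threshold:
            findings[ip].add("success-after-burst")
        recent_failures[ip] = recent
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


def run_sample():
    return detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ip, reasons in run_sample().items():
        print(ip, ", ".join(reasons))
```

The success-after-burst reason is the one to act on: a single mistyped password from an internal user (10.0.0.5 above) never reaches the threshold, while a successful logon that arrives on the heels of a burst from an external address is the moment the article describes, just before lateral movement begins.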

The LockCrypt gang appears to be making quite the profit from their criminal endeavors. Just three of the many Bitcoin wallet addresses [1, 2, 3] used in ransom notes reveal the group made around $175,000 worth of Bitcoin.

IOCs:

Hash: d4d3f5b4676925fe50982f7cc1090c59935588b554128bfac8a0448ed1e76ff4

File extension: [base64] ID [base64].lock

Ransom note text:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail d_dukens@aol.com or d_dukens@bitmessage.ch
Write this ID in the title of your message
In case of no answer in 24 hours write us to theese e-mails: d_dukens@aol.com or d_dukens@bitmessage.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information.
(databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

{{IDENTIFIER}}
Your ID [redacted]

Email addresses used in ransom notes:

jekr@aol[.]com
stnsatan@aol[.]com
Satan-Stn@bitmessage[.]ch
enigmax_x@aol[.]com
djekr@aol[.]com
jajanielse@aol[.]com
jajanielse@bitmessage[.]ch
d_dukens@aol[.]com
d_dukens@bitmessage[.]ch

Ransom note file name: ReadMe.TxT
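The indicators above, as an added example that is not code from the article: a small sweep that checks a constructed file inventory for the published hash, the ransom note file name and the renamed-file pattern, and checks free text (such as a recovered note) for the listed email addresses. It assumes that both base64 parts of the "[base64] ID [base64].lock" pattern use the standard base64 alphabet, compares the note name case-insensitively, and refangs the "[.]" notation before matching.

```python
import hashlib
import re

# Indicators taken from the article's IOC list.
LOCKCRYPT_SHA256 = "d4d3f5b4676925fe50982f7cc1090c59935588b554128bfac8a0448ed1e76ff4"
RANSOM_NOTE_NAME = "readme.txt"  # ReadMe.TxT in the article; compared case-insensitively
DEFANGED_EMAILS = [
    "jekr@aol[.]com", "stnsatan@aol[.]com", "Satan-Stn@bitmessage[.]ch",
    "enigmax_x@aol[.]com", "djekr@aol[.]com", "jajanielse@aol[.]com",
    "jajanielse@bitmessage[.]ch", "d_dukens@aol[.]com", "d_dukens@bitmessage[.]ch",
]

# The article gives the renamed-file pattern as "[base64] ID [base64].lock".
# Assumption: both parts use the standard base64 alphabet (A-Z, a-z, 0-9, +, /, =).
LOCK_NAME_RE = re.compile(r"^[A-Za-z0-9+/=]+ ID [A-Za-z0-9+/=]+\.lock$")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def refang(indicator):
    """Turn a defanged indicator ('aol[.]com') back into a matchable one."""
    return indicator.replace("[.]", ".")


RANSOM_EMAILS = {refang(e).lower() for e in DEFANGED_EMAILS}


def basename(path):
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan_inventory(entries):
    """entries: iterable of (path, sha256 hex). Returns one finding per hit."""
    findings = []
    for path, digest in entries:
        name = basename(path)
        if digest.lower() == LOCKCRYPT_SHA256:
            findings.append({"path": path, "indicator": "known-hash"})
        if name.lower() == RANSOM_NOTE_NAME:
            findings.append({"path": path, "indicator": "ransom-note-name"})
        if LOCK_NAME_RE.match(name):
            findings.append({"path": path, "indicator": "lockcrypt-extension"})
    return findings


def ransom_emails_in_text(text):
    """Return the known ransom-note addresses that appear in free text."""
    return sorted({e.lower() for e in EMAIL_RE.findall(text) if e.lower() in RANSOM_EMAILS})


def fake_sha256(label):
    """Constructed stand-in digest for the benign sample files below."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed inventory: a benign document, a renamed victim file (the base64
# parts are made up), a dropped ransom note, and a binary whose hash equals
# the published indicator.
SAMPLE_INVENTORY = [
    (r"C:\Users\acct\Documents\budget.xlsx", fake_sha256("budget.xlsx")),
    (r"C:\Users\acct\Documents\YnVkZ2V0Lnhsc3g= ID QUJDREVG.lock", fake_sha256("locked")),
    (r"C:\Users\acct\Desktop\ReadMe.TxT", fake_sha256("note")),
    (r"C:\Windows\Temp\svc.exe", LOCKCRYPT_SHA256),
]

# Constructed snippet in the style of the note quoted in the article.
SAMPLE_NOTE_TEXT = "If you want to restore them, write us to the e-mail d_dukens@aol.com"


if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f["indicator"], f["path"])
    print(ransom_emails_in_text(SAMPLE_NOTE_TEXT))
```

In a real sweep the inventory would come from a file-system walk with hashes computed on the fly; the hash match is the only high-confidence indicator here, while the file-name pattern and note name are what show the scope of a completed encryption run across the machines the gang reached.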