Locker Ransomware Information Guide and FAQ
http://www.bleepingcomputer.com/virus-removal/locker-ransomware-information

Locker ransomware hides until midnight on May 25th and then encrypts your data
http://www.bleepingcomputer.com/for...ight-on-may-25th-and-then-encrypts-your-data/

Locker Ransomware Support Topic
http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/

Targeted file extensions:
Code:
3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

Shadow copy deletion command:
Code:
vssadmin.exe delete shadows /for=C: /all /quiet

Analysis tools checked for:
Code:
wireshark,fiddler,netmon,procexp,processhacker,anvir,cain,nwinvestigatorpe,uninstalltool,regshot,installwatch,inctrl5,installspy,systracer,whatchanged,trackwinstall

All of the quotes and information are from Lawrence Abrams (https://twitter.com/bleepincomputer) of Bleepingcomputer.com and the folks who have been assisting him in tracking down the details.
My pleasure, it should be interesting. Some of the latest information is stating that the files being encrypted are being chosen with case-sensitive strings. So it seems that .JPG files are not affected, while .jpg files are. We'll have to see more details as it develops. EDIT: Also, as we were mentioning in the other thread, it seems that a lot of users are just giving in and paying the ransom. Not good. But I guess people sometimes have to do things that they don't necessarily want to do. And it's a small enough ransom to make people come to that decision, I assume.
Yes, the matter of case-sensitive file extensions is fascinating. I wouldn't have thought it would make any difference. Regarding paying the ransom, I understand that some people have been hit a lot harder than others, and in this instance the ransom was quite low (such nice guys). Edit: From the bleeping.com thread... When the ransomware scans for file extensions, it is using a case-sensitive string compare. This is why jpg extensions are encrypted, but JPG are not. It is only looking for jpg.
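Added example (not from the thread or from any of the researchers quoted in it): a small Python exposure check that applies the extension list from the first post the way the thread describes the compare, case-sensitively, beside the case-insensitive check a defender should use to see what a corrected variant could also hit. It assumes the compare is made against the text after the last dot in the file name; the thread only states that the compare is case-sensitive.

```python
"""Exposure check based on the Locker behaviour described in this thread."""

# Extension list as quoted in the first post of the thread (lower-case).
TARGETED_EXTENSIONS = frozenset((
    "3fr", "accdb", "ai", "arw", "bay", "cdr", "cer", "cr2", "crt", "crw", "dbf",
    "dcr", "der", "dng", "doc", "docm", "docx", "dwg", "dxf", "dxg", "eps", "erf",
    "indd", "jpe", "jpg", "kdc", "mdb", "mdf", "mef", "mrw", "nef", "nrw", "odb",
    "odm", "odp", "ods", "odt", "orf", "p12", "p7b", "p7c", "pdd", "pef", "pem",
    "pfx", "ppt", "pptm", "pptx", "psd", "pst", "ptx", "r3d", "raf", "raw", "rtf",
    "rw2", "rwl", "srf", "srw", "wb2", "wpd", "wps", "xlk", "xls", "xlsb", "xlsm", "xlsx",
))


def extension_of(path):
    """Return the text after the last dot of the file name, '' if there is none.
    Handles both Windows and POSIX separators so the check runs anywhere."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_targeted(path, case_sensitive=True):
    """case_sensitive=True reproduces the compare reported in the thread
    (jpg matches, JPG does not). case_sensitive=False is the stricter check
    to use when estimating what a variant with a fixed compare would hit."""
    ext = extension_of(path)
    if not case_sensitive:
        ext = ext.lower()
    return ext in TARGETED_EXTENSIONS


def assess_exposure(paths):
    """Split an inventory into files the reported variant would encrypt and
    files it skips only because of the case-sensitive compare."""
    hit = [p for p in paths if is_targeted(p, True)]
    spared_by_case = [p for p in paths
                      if is_targeted(p, False) and not is_targeted(p, True)]
    return {"hit": hit, "spared_by_case": spared_by_case}


# Constructed sample inventory for the demonstration; not data from the thread.
SAMPLE_FILES = [
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\IMG_0001.JPG",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\Report.DOCX",
    r"C:\Users\alice\Documents\notes.txt",
    r"E:\backup\keys.pem",
]

if __name__ == "__main__":
    print(assess_exposure(SAMPLE_FILES))
```

Note that a connected backup drive such as E: above counts as exposed, which is the point made later in the thread about external drives left plugged in.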
The interesting thing about the lower ransom is that they could very well end up a lot richer in the end. The bad guys seem to be trying different things. It seems kind of sophisticated in a way, like a social experiment with the lower ransom (compared to the much higher ransoms in the past) and also the time bomb and all. I have a feeling that a larger percentage of users will pay up because of the lower ransom, and likely the end result could mean higher profits in the end for the bad guys. But thankfully there are a lot of good guys banding together against these ransomware crooks. Yet, sloppy in a way with regards to the case-sensitive file extensions.
Here's a link for info over at MalwareTips: http://malwaretips.com/blogs/remove-locker-virus/ Appears both MBAM and HMP will remove the infection. Also the possibility of recovering files using ShadowExplorer, Recuva, and a few others. Also, I did install Fiddler2 about a month ago. Maybe saved my butt on this one.
What would be the best options for protecting a Linux computer from these sorts of encryptors? Do they actually exist in the Linux world?
Warning! From the MalwareTips site for anyone who wants to remove the malware. So far, it seems to be impossible to pay the ransom after deleting the virus.
Not that I've heard of. But if you use a Linux system for data storage and access that data from a Windows machine, those files can get encrypted.
Just to correct some incorrect info. The malwaretips guide is not accurate. Not sure what's been going on there, but their information used to be more accurate than this. Locker does not change extensions, so the .encrypted part is incorrect. The targeted extension list is incorrect. It does not contain DECRYTP_INSTRUCTIONS.html or DECRYTP_INSTRUCTIONS.txt files. Looks like they just regurgitated their bitcryptor guide (which has wrong info as well), which is a copy of their torrentlocker guide. Mbam and Emsisoft do detect this ransomware. In fact most AV companies do. Can't confirm on surfright. Sometimes I feel like I am the only one who installs this crap before reporting on it.
Thanks for pointing out the inaccuracies within the malwaretips link, Lawrence. You're right, they most likely copied and pasted from their previous ransomware guides. Since there are multiple points of inaccuracy, I will remove the link from the OP and just stick with bleepingcomputer information for the time being. Thank you.
I am happy to answer any questions here as well if any come up. This is an ugly one and seems to be widespread. Not sure if it's because of the way it was activated or because of large distribution.
Here is something ugly to ponder. The payload for this bugger was time event triggered. It is also very likely that the trigger had been installed some time ago. Therefore, there is a strong possibility that a fairly recent (timeframe undetermined) backup image restore will not be a fix for this type of malware since the trigger is present in the image backup. It is highly likely that the malware creator has the trigger doing a check if current date and time greater than 5-25-2015 11:59 PM to activate it. This instance of the malware appears to have only targeted certain data file types. The next iteration of the malware might go after system files.
It won't go after system files. That would prevent the computer from starting. Their goal is to make money so they need your computer working properly. I also do not think locker was on the computer anymore. I think the downloader/zbot type infection was present and a command was pushed down to install the locker at midnight on May 25th. This same downloader that triggers the locker infection was also installing a darkcoin miner.
There are so many components to this, which is what makes this quite intriguing. A lot of sophistication but also some sloppiness too, although I am sure that the next iterations of this ransomware will be even more precise. EDIT: I wanted to add to this that it is very amazing seeing all of the good guys coming together like that over at the bleepingcomputer.com threads, researchers and helpers from different (competing) vendors working together.
If I have learned one thing in life it is to surround yourself with people smarter than yourself... it just makes you look better. Or stupider, depending on how you look at it! In all seriousness, I 100% agree. It is amazing when you see competing companies working together. Fabian Wosar of Emsisoft, Erik and Mark Loman of Surfright, Nathan Scott, and many others are really smart people who care about security. It's a pleasure watching them dig into something.
Lots of pain from this one world-wide: http://www.reddit.com/r/techsupport/comments/373wk0/locker_virus_similar_to_cryptolocker/

Some interesting comments from that thread. Bottom line - it's not just those with a cracked version of Minecraft Extreme:

STEAM
Can we get a poll on who has and has updated/installed a game from Steam in the last week and a half?
1a) Have, use regularly, and have installed either updates or games from Steam this week, not infected
1b) Have, use regularly, and have installed either updates or games from Steam this week, infected
2a) Have, use regularly, have not updated or installed, not infected
2b) Have, use regularly, have not updated or installed, infected
3a) Have, rarely open, not infected
3b) Have, rarely open, infected
4a) Do not have/What is? Steam, not infected
4b) Do not have/What is? Steam, infected
Give your answer, because this is the only possible common denominator I am seeing.
I've found the culprit. Appears to be from a cracked Minecraft supposedly by TeamExtreme. The innosetup file will launch MinecraftChecksumValidator.exe, which installs the downloader.
One thing that surprises me is that so many users affected also happened to keep their external backup drives connected to their computers and were therefore also encrypted by Locker.
All of this serves as a caution against downloading software from compromised websites. And one is urged to scan an executable before running it. AE software should block any attempted silent install.
Yes, it's unfortunate that people didn't take the precaution of at least turning those drives off. Disconnecting is better still to protect them against power surges/failures.
Lawrence has added a very detailed and well organized Information Guide and FAQ for this new Locker Variant: http://www.bleepingcomputer.com/virus-removal/locker-ransomware-information