New Locker Ransomware

Discussion in 'malware problems & news' started by WildByDesign, May 26, 2015.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    Locker Ransomware Information Guide and FAQ
    http://www.bleepingcomputer.com/virus-removal/locker-ransomware-information

    Locker ransomware hides until midnight on May 25th and then encrypts your data
    http://www.bleepingcomputer.com/for...ight-on-may-25th-and-then-encrypts-your-data/

    Locker Ransomware Support Topic
    http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/



    Code:
    3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

    Code:
    vssadmin.exe delete shadows /for=C: /all /quiet

    Code:
    wireshark,fiddler,netmon,procexp,processhacker,anvir,cain,nwinvestigatorpe,uninstalltool,regshot,installwatch,inctrl5,installspy,systracer,whatchanged,trackwinstall

    All of the quotes and information is from Lawrence Abrams (https://twitter.com/bleepincomputer) of Bleepingcomputer.com and the folks who have been assisting him in tracking down the details.
     
    Last edited: May 28, 2015
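As an added example (not code from this thread or from Bleepingcomputer), here is detection logic a defender can run over process-creation records to flag the shadow-copy deletion command quoted above. The event format and sample records are constructed; the wmic pattern is a generalisation beyond the vssadmin form the post lists.

```python
import ntpath
import re

# Constructed process-creation events in a simplified "time|image|command line" form
# (sample data, not real logs). The first record is the exact command quoted in the OP.
SAMPLE_EVENTS = [
    "2015-05-26T00:00:03|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /for=C: /all /quiet",
    "2015-05-26T00:00:05|C:\\Windows\\System32\\cmd.exe|cmd.exe /c  VSSADMIN   Delete Shadows /All /Quiet",
    "2015-05-26T09:12:41|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows",
    "2015-05-26T09:13:02|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2015-05-26T09:14:10|C:\\Program Files\\Backup\\backup.exe|backup.exe --snapshot C:",
]

# Patterns for shadow-copy deletion. The vssadmin form is the one quoted in the OP;
# the wmic form is added here as another documented way to achieve the same result.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


def normalise(command_line: str) -> str:
    """Collapse runs of whitespace so padded or re-spaced variants still match."""
    return " ".join(command_line.split())


def is_shadow_deletion(command_line: str) -> bool:
    cmd = normalise(command_line)
    return any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS)


def scan(events):
    """Return one finding per event whose command line deletes shadow copies."""
    findings = []
    for line in events:
        time, image, cmd = line.split("|", 2)
        if is_shadow_deletion(cmd):
            findings.append({
                "time": time,
                "image": ntpath.basename(image),  # Windows paths, so ntpath works on any OS
                "command_line": normalise(cmd),
                "quiet": "/quiet" in cmd.lower(),  # /quiet runs without prompts or messages
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['time']} {f['image']}: {f['command_line']}")
```

Listing shadow copies is routine, so the patterns require the delete verb; the `quiet` flag is recorded because unattended deletion of every shadow copy is rarely something a backup agent does.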
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Last edited: May 26, 2015
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    My pleasure, it should be interesting.

    Some of the latest information is stating that the files being encrypted are being chosen with case sensitive strings. So it seems that .JPG files are not affected, while .jpg files are. We'll have to see more details as it develops.

    EDIT: Also, as we were mentioning in the other thread, it seems that a lot of users are just giving in and paying the ransom. Not good. But I guess people sometimes have to do things that they don't necessarily want to do. And it's a small enough ransom to make people come to that decision, I assume.
     
  4. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Yes, the matter of case sensitive file extensions is fascinating. I wouldn't have thought it would make any difference. Regarding paying the ransom I understand that some people have been hit a lot harder than others, and in this instance the ransom was quite low ( such nice guys :cool: ).

    Edit:

    From the bleeping.com thread...

    When the ransomware scans for file extensions, it is using a case sensitive string compare. This is why jpg extensions are encrypted, but JPG are not. It is only looking for jpg.
     
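An added example, not from this thread or from Bleepingcomputer: a small inventory script showing why a case-sensitive extension compare hits `.jpg` but skips `.JPG`, and reporting which files in a set would have been hit, which escaped by case alone, and which were outside the list. The extension subset and the file paths are constructed.

```python
import ntpath
import os

# Subset of the targeted extension list quoted in the OP (constructed sample, lower-case as listed).
TARGETED_EXTS = {".jpg", ".doc", ".docx", ".xls", ".xlsx", ".pst", ".pem", ".pfx"}

# Constructed Windows paths; cameras typically write upper-case .JPG, which is the case that escaped.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\IMG_0001.JPG",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Documents\taxes.docx",
    r"C:\Users\alice\Documents\notes.Docx",
    r"C:\Users\alice\Documents\readme.txt",
    r"E:\backup\mail.pst",
]


def extension_of(path: str) -> str:
    """Extension with its dot and original case, e.g. 'IMG.JPG' -> '.JPG' (ntpath handles Windows paths anywhere)."""
    return ntpath.splitext(path)[1]


def is_targeted(path: str, exts=TARGETED_EXTS, case_sensitive: bool = True) -> bool:
    """case_sensitive=True mirrors the byte-for-byte compare described in the thread."""
    ext = extension_of(path)
    if case_sensitive:
        return ext in exts
    return ext.lower() in {e.lower() for e in exts}


def assess(paths, exts=TARGETED_EXTS):
    """Split paths into 'hit' (matched case-sensitively), 'escaped' (same extension,
    different case, so spared only by the sloppy compare) and 'untouched'."""
    result = {"hit": [], "escaped": [], "untouched": []}
    for p in paths:
        if is_targeted(p, exts, True):
            result["hit"].append(p)
        elif is_targeted(p, exts, False):
            result["escaped"].append(p)
        else:
            result["untouched"].append(p)
    return result


def assess_tree(root: str, exts=TARGETED_EXTS):
    """Run the same assessment over a real directory, e.g. a backup drive's mount point."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return assess(paths, exts)
```

The `escaped` bucket is the exposure a case-insensitive variant would add, which is the figure worth knowing before trusting that upper-case files are safe.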
  5. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    The interesting thing about the lower ransom is that they could very well end up a lot richer in the end. The bad guys seem to be trying different things. It seems kind of sophisticated in a way, like a social experiment with the lower ransom (compared to the much higher ransoms in the past) and also the time bomb and all. I have a feeling that a larger percentage of users will pay up because of the lower ransom and likely the end result could mean higher profits in the end for the bad guys. But thankfully there are a lot of good guys banding together against these ransomware crooks.

    Yet, sloppy in a way with regards to the case sensitive file extensions.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's a link for info over at MalwareTips: http://malwaretips.com/blogs/remove-locker-virus/

    Appears both MBAM and HMP will remove the infection. Also there is the possibility of recovering files using ShadowExplorer, Recuva, and a few others.

    Also I did install Fiddler2 about a month ago. Maybe saved my butt on this one.
     
  7. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    Thanks for the link, itman. Lots of good information there. I've added the link to OP.
     
  8. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    What would be the best options for protecting a Linux computer from these sorts of encryptors?
    Do they actually exist in the Linux world? :doubt:
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Warning! From the MalwareTips site for anyone who wants to remove the malware.

    So far, it seems to be impossible to pay the ransom after deleting the virus.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
    Not that I've heard of. But if you use a Linux system for data storage and access that data from a Windows machine, those files can get encrypted.
     
  11. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    15
    Just to correct some incorrect info.

    The malwaretips guide is not accurate. Not sure what's been going on there, but their information used to be more accurate than this.

    Locker does not change extensions, so the .encrypted part is incorrect. The targeted extension list is incorrect. It does not contain DECRYPT_INSTRUCTIONS.html or DECRYPT_INSTRUCTIONS.txt files.

    Looks like they just regurgitated their bitcryptor guide (which has wrong info as well), which is a copy of their torrentlocker guide.

    MBAM and Emsisoft do detect this ransomware. In fact most AV companies do. Can't confirm on Surfright.

    Sometimes I feel like I am the only one who installs this crap before reporting on it.
     
  12. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Thanks for joining this thread. We are monitoring the discussion over at "bleeping" too.
     
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    Thanks for pointing out the inaccuracies within the malwaretips link, Lawrence. You're right, they most likely copy and pasted from their previous ransomware guides. Since there are multiple points of inaccuracies, I will remove the link from OP and just stick with bleepingcomputer information for the time being. Thank you.
     
  14. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    15
    I am happy to answer any questions here as well if any come up.

    This is an ugly one and seems to be widespread. Not sure if it's because of the way it was activated or because of large distribution.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here is something ugly to ponder.

    The payload for this bugger was time event triggered. It is also very likely that the trigger had been installed some time ago. Therefore, there is a strong possibility that a fairly recent (timeframe undetermined) backup image restore will not be a fix for this type of malware since the trigger is present in the image backup. It is highly likely that the malware creator has the trigger doing a check if the current date and time is greater than 5-25-2015 11:59 PM to activate it.

    This instance of the malware appears to have only targeted certain data file types. The next iteration of the malware might go after system files.
     
  16. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    15
    It won't go after system files. That would prevent the computer from starting. Their goal is to make money so they need your computer working properly.

    I also do not think locker was on the computer anymore. I think the downloader/zbot type infection was present and a command was pushed down to install the locker at midnight on May 25th.

    This same downloader that triggers the locker infection was also installing a darkcoin miner.
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    There are so many components to this, which is what makes this quite intriguing. A lot of sophistication but also some sloppiness too, although I am sure that the next iterations of this ransomware will be even more precise.

    EDIT: I wanted to add to this that it is very amazing seeing all of the good guys coming together like that over at the bleepingcomputer.com threads, researchers and helpers from different (competing) vendors working together.
     
    Last edited: May 26, 2015
  18. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    15
    If I have learned one thing in life it is to surround yourself with people smarter than yourself...it just makes you look better :) Or stupider depending on how you look at it!

    In all seriousness, I 100% agree. It is amazing when you see competing companies working together. Fabian Wosar of Emsisoft, Erik and Mark Loman of Surfright, Nathan Scott, and many others are really smart people who care about security. It's a pleasure watching them dig into something.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Lots of pain from this one world-wide: http://www.reddit.com/r/techsupport/comments/373wk0/locker_virus_similar_to_cryptolocker/

    Some interesting comments from that thread. Bottom line - it's not just those with a cracked version of Minecraft Extreme:

    STEAM
    Can we get a poll on who has and has updated/installed a game from Steam in the last week and a half?

    • 1a) Have, use regularly, and have installed either updates or games from Steam this week, not infected
    • 1b) Have, use regularly, and have installed either updates or games from Steam this week, infected
    • 2a) Have, use regularly, have not updated or installed, not infected
    • 2b) Have, use regularly, have not updated or installed, infected
    • 3a) Have, rarely open, not infected
    • 3b) Have, rarely open, infected
    • 4a) Do not have/What is? Steam, not infected
    • 4b) Do not have/What is? Steam, infected
    Give your answer, because this is the only possible common denominator I am seeing.
     
  20. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    15
    I've found the culprit. Appears to be from a cracked Minecraft supposedly by TeamExtreme.

    The Inno Setup file will launch MinecraftChecksumValidator.exe, which installs the downloader.

     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    One thing that surprises me is that so many users affected also happened to keep their external backup drives connected to their computers and were therefore also encrypted by Locker.
     
  22. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    1,442
    All of this serves as a caution for not downloading software on compromised websites. And one is urged to scan an executable before running it.

    AE software should block any attempted silent install.
     
  23. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA
    Yes, it's unfortunate that people didn't take the precaution of at least turning those drives off. Disconnecting is better still to protect them against power surges/failures.
     
    Last edited: May 28, 2015
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
  25. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,133
    Location:
    USA