
LockCrypt 2.0 Ransomware

Posted: June 5, 2018

Threat Metric

Threat Level: 8/10
Infected PCs: 281
First Seen: June 5, 2017
Last Seen: March 30, 2023
OS(es) Affected: Windows

The LockCrypt 2.0 Ransomware is a new build of the LockCrypt Ransomware, which encrypts your files and holds them for ransom. Instead of paying the criminals, users should restore from backups whenever they're available. Most anti-malware products also detect this threat accurately and can delete the LockCrypt 2.0 Ransomware without further assistance, which is the recommended course given the limited decryption options for this update.

The Lock on Your Files is Getting Stronger

Threat actors administering the LockCrypt Ransomware campaign of 2017 have given their file-locking Trojan an upgrade that significantly strengthens its capacity for causing lasting file damage. The first notable update to this threat's campaign, the LockCrypt 2.0 Ransomware, began appearing in public threat databases in the last week of May. Some of its characteristics also add to the evidence of how its authors are infecting Windows systems: most likely, by compromising them through brute-force attacks.

Brute-force hacking tools take advantage of poorly managed login credentials, such as default usernames or passwords, to let criminals sign into a PC remotely. They then enable RDP features to gain complete control for installing and running the LockCrypt 2.0 Ransomware. Unlike file-locking Trojans designed to trick victims into launching them unintentionally, the LockCrypt 2.0 Ransomware displays a local UI while it searches for files and locks them with AES-256 encryption. The LockCrypt 2.0 Ransomware also protects the AES-256 key with an internal RSA-2048 key, so the file key cannot be recovered without the matching private key; malware analysts highlight this as a new change in this version of the Trojan.

The Trojan appends a '.BI_ID' extension and a victim ID number to each file that it encrypts. When the file-locking routine finishes, the LockCrypt 2.0 Ransomware closes its encryption results UI and creates a Notepad TXT file with the threat actor's ransom demands. The contents include a typical Bitcoin-based ransom demand and an e-mail address for negotiation details and, potentially, a free sample of the decryptor. However, the note also uses a minor social engineering tactic, pretending that the encryption damage comes from an unrelated 'unknown virus' rather than from the note's authors.

Patching the Weaknesses that a Trojan's Patch Might Exploit

Using strong, unique username and password combinations removes many of the dangers of brute-force attacks by remote attackers. Malware researchers also emphasize good security practices against the other infection vectors common to file-locking Trojans, which include e-mail attachments using macro-based exploits, website-hosted exploit kits using JavaScript and Flash vulnerabilities, and unsafe downloads such as torrents.

The LockCrypt 2.0 Ransomware's changes to its cryptography mean that older decryption solutions no longer apply to this version of the Trojan. Ideal protection against the LockCrypt 2.0 Ransomware, or its earlier LockCrypt Ransomware build, includes keeping backups on other devices so that users can recover their media without needing any solution to the encryption. Because RDP attacks may compromise network-accessible drives, malware experts recommend saving your files to either password-secured cloud storage or detachable storage.

Traditionally, criminals uninstall the original file-locking Trojan after a brute-force RDP attack succeeds. However, any compromised PC should still be scanned with anti-malware products to guarantee the deletion of the LockCrypt 2.0 Ransomware and of any related threats.

The update to the LockCrypt 2.0 Ransomware is more substantial than the usual tweaks to ransom notes that file-locking Trojans are best known for delivering. As long as criminals can make money by effectively holding digital media hostage, it's never safe to neglect keeping your files secure and backed up.

Update - 09/26/2018

As of mid-to-late September, threat actors are distributing a variant of the LockCrypt 2.0 Ransomware. This version of the family, the '.BDKR File Extension' Ransomware, changes the extension of blocked files to 'bdkr.' It also updates the ransom message slightly, such as by changing the e-mail address, although the note remains a TXT file. Although many AV programs don't identify the '.BDKR File Extension' Ransomware variant's family correctly, most of them should still block it as a danger to your computer.

The '.BDKR File Extension' Ransomware's executables use one of two names: 'fcr' or 'searchfiles.' Malware researchers have previously connected the former abbreviation to sharing files via compressed torrents, which may indicate that the criminals are using torrent networks to circulate this file-locking Trojan to its victims.
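The two file-name markers described above (the '.BI_ID' extension plus victim ID of LockCrypt 2.0, and the 'bdkr' extension of the later variant) are enough for a first-pass triage sweep of a suspect share or restored drive. The script below is an added example written for this page, not code from the article or from any vendor; the exact placement of the victim ID, the note's file name and its wording are not documented here, so those patterns are assumptions and the sample tree is constructed data.

```python
import os
import re
import tempfile
from collections import Counter

# Name markers taken from the article. Where the victim ID sits relative to
# '.BI_ID' is not documented, so that pattern is an assumption: '.BI_ID' then
# an optional run of digits at the end of the file name.
ENCRYPTED_NAME_PATTERNS = {
    "LockCrypt 2.0 (.BI_ID)": re.compile(r"\.BI_ID\d*$", re.IGNORECASE),
    ".BDKR variant": re.compile(r"\.bdkr$", re.IGNORECASE),
}
# The article only says the TXT note blames an 'unknown virus'; using that
# phrase as a marker (and any note file name) is an assumption.
NOTE_MARKER = "unknown virus"

def triage_directory(root):
    """Count files matching the described extensions and find candidate notes."""
    hits = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for label, pattern in ENCRYPTED_NAME_PATTERNS.items():
                if pattern.search(name):
                    hits[label] += 1
            if name.lower().endswith(".txt"):
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        if NOTE_MARKER in fh.read(4096).lower():
                            notes.append(path)
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return {"encrypted": dict(hits), "notes": sorted(notes)}

def build_sample_tree():
    """Constructed sample tree (not real malware output) for a dry run."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "sub"))
    sample = {
        os.path.join("sub", "photo.jpg.bdkr"): b"ciphertext placeholder",
        "report.docx.BI_ID1234": b"ciphertext placeholder",
        "notes.txt": b"ordinary text file, untouched",
        "HOW_TO_RESTORE.txt": b"Damaged by an unknown virus. Contact: <email placeholder>",
    }
    for rel, data in sample.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Running `triage_directory(build_sample_tree())` reports one hit per family marker and the single candidate note; point it at a real path only after the host has been isolated and imaged, since the sweep reads note files in place.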
