
LockCrypt Ransomware

Posted: June 5, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 281
First Seen: June 5, 2017
Last Seen: March 30, 2023
OS(es) Affected: Windows

The LockCrypt Ransomware is a Trojan that encrypts both the filenames and internal data of media, such as pictures or documents. It uses this file-locking attack to justify asking for Bitcoin payments for its decryptor, which malware experts advise against using until other recovery options are exhausted. Conventional anti-malware tools also should remove the LockCrypt Ransomware as soon as they detect it, depriving it of an opportunity to damage any media.

Double the Encryption for Twice as Many Problems

Trojans that make their profits out of blocking your ability to use your files can do so in more than one way, some of which are more challenging than others technically. The baseline encryption of the body of a file's data is the technique that threat actors favor currently, but some Trojans also can use filename changes, either as a substitute or a supplement. The LockCrypt Ransomware is a recent example of Trojans using both methods to maximize the psychological impact on those that they attack.

After infecting the PC and creating a custom ID number, the LockCrypt Ransomware scans the desktop and file directories for content to attack, which can include documents, pictures, spreadsheets, archives and other formats. The LockCrypt Ransomware encrypts any media fitting its parameters with an algorithm malware experts have yet to verify, although AES is the standard for most Trojan campaigns.

Although this basic encryption routine is what makes your files unreadable by related programs, the LockCrypt Ransomware also uses a second kind of encryption, solely on the filename, which turns the name into a pseudo-random string. It then appends the ID number and the '.lock' extension onto the end of that string. The overall result is a file that, in theory, is identifiable only by its location and size, which enhances the victim's confusion and inability to determine the extent of the data loss.

Resolving Security Problems without a Trojan's Advice

The LockCrypt Ransomware collects money for its campaign through a recycled Notepad message that previous Trojan attacks also deliver. Significant aspects of the text include a time limit, withholding of the amount of the ransom fee (which the LockCrypt Ransomware's threat actors claim will increase over time), and the use of the Bitcoin cryptocurrency to prevent refunds. Any PC users in need of advanced data recovery should refrain from renaming or otherwise modifying any locked content until third-party decryption software or anti-malware researchers can analyze it. Backups are also a highly viable means of retrieving any media that file-encoding Trojans lock.
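Because locked files keep only their location and size as identifying traits, a read-only inventory compared against a pre-infection backup listing can show which originals were hit without renaming or modifying anything. The script below is an added example, not part of the original article; the manifest layout, the `pad` allowance for possible cipher padding, and the sample filenames are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

LOCK_EXT = ".lock"  # extension the article says is appended to locked files

def inventory_locked(root):
    """Read-only walk: (relative_dir, name, size) for every *.lock file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.normpath(os.path.relpath(dirpath, root))
        for name in files:
            if name.lower().endswith(LOCK_EXT):
                try:
                    size = os.stat(os.path.join(dirpath, name)).st_size
                except OSError:
                    continue  # unreadable entry: skip it, never touch it
                found.append((rel, name, size))
    return sorted(found)

def match_to_manifest(locked, manifest, pad=0):
    """Map each locked file to backup entries in the same directory whose
    size is at most `pad` bytes below the locked size (pad is an assumption
    covering possible cipher padding; 0 means exact size match)."""
    by_dir = defaultdict(list)
    for rel_dir, name, size in manifest:
        by_dir[os.path.normpath(rel_dir)].append((name, size))
    result = {}
    for rel_dir, name, size in locked:
        result[(rel_dir, name)] = sorted(
            orig for orig, osize in by_dir[rel_dir] if 0 <= size - osize <= pad)
    return result

def demo():
    # Constructed sample: names and sizes are invented, not real LockCrypt output.
    manifest = [("docs", "report.docx", 1200), ("docs", "budget.xlsx", 3000),
                ("pics", "cat.jpg", 5000)]
    with tempfile.TemporaryDirectory() as root:
        for rel, name, size in [("docs", "aGk3Zx-ID0001.lock", 1200),
                                ("docs", "Qp9LmT-ID0001.lock", 3008),
                                ("pics", "notes.txt", 10)]:
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, name), "wb") as fh:
                fh.write(b"\0" * size)
        locked = inventory_locked(root)
        return locked, match_to_manifest(locked, manifest, pad=16)

if __name__ == "__main__":
    for key, candidates in demo()[1].items():
        print(key, "->", candidates or "no candidate")
```

Several candidates for one locked file mean size alone cannot tell the originals apart; an empty list means the backup listing has no entry of a compatible size in that directory.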

Finished samples of the LockCrypt Ransomware date no further back than June of 2017, with no relatives in evidence (such as Hidden Tear, Troldesh, or the Jigsaw Ransomware) to assert an older ancestry. Malware experts recommend avoiding e-mail attachments with suspicious content, a dominant infection vector for file-encrypting threats, for both recreational PC users and business networks. Keeping your anti-malware programs active and updated should let most victims remove the LockCrypt Ransomware while preempting the encryption attack.

The LockCrypt Ransomware isn't the first Trojan to try to manipulate victims into sending money to a Bitcoin wallet with selective lies and time pressure. Until PC owners learn to back their files up as a matter of habit, malware experts expect to monitor more low-sophistication but high-impact encryption attacks.
