Locker Ransomware Support Topic

This is the support topic for the Locker Ransomware. The Locker ransomware has a very large install base that has affected many people globally.

There is a detailed guide on Locker, how it works, and what you should do if you are infected at the below link:

Locker Ransomware Information Guide and FAQ (http://www.bleepingcomputer.com/virus-removal/locker-ransomware-information)

The Locker ransomware is a computer infection that silently runs on a victim's computer until midnight local time on May 25, at which point it becomes active. Once active, it will begin to encrypt the data files on the computer with what appears to be RSA encryption. When encrypting the data files, it will not change the extension of the file. Therefore, the only way to determine if a file is encrypted is by trying to open it and being told that the file is corrupt or not usable.

After the Locker ransomware encrypts your data, it will delete your shadow volume copies and then display the Locker interface. This interface will be titled "Locker" followed by a random version number. This version number does not appear to have any significance. Some example titles are Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. This Locker screen will give you information on how to pay the ransom, your unique bitcoin address to send the ransom to, a list of encrypted files, and a page to check the status of your payment.
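Because Locker leaves file extensions untouched, opening files one by one is the only check the post above offers. The following is an added example, not code from the original thread or from Locker itself, of how a responder can triage a tree instead: a file whose format signature (magic bytes) is gone is almost certainly encrypted, and for formats without a signature the byte entropy gives a hint. The signature table, the 7.5 bits/byte cut-off and the sample inputs are assumptions constructed for this example.

```python
"""Triage files that Locker may have encrypted in place.

Added example, not code from the original thread or from Locker itself.
Locker does not rename encrypted files, so the extension tells you nothing.
Instead of opening every file by hand, check two things encryption destroys:
  1. the format's magic bytes at the start of the file, and
  2. the byte entropy of the file (ciphertext looks uniformly random).
The signature list, the 7.5 bits/byte cut-off and the sample files are
assumptions constructed for this example.
"""
import hashlib
import math
import os
from collections import Counter

# Leading bytes of a few common formats (assumed, incomplete list; extend it).
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    # Office Open XML documents are ZIP containers.
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "pptx": b"PK\x03\x04",
    "zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits close to 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> str:
    """Return 'intact', 'suspect' or 'unknown' for a file name and its leading bytes.

    A known extension whose magic bytes are gone is 'suspect'. For an unknown
    extension only entropy is available, and entropy cannot tell ciphertext
    from a legitimately compressed file, so a high value yields 'unknown'
    rather than a verdict.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is not None:
        return "intact" if data.startswith(magic) else "suspect"
    return "unknown" if shannon_entropy(data) > ENTROPY_THRESHOLD else "intact"


def scan_directory(root: str):
    """Walk a tree and yield (path, verdict) for every file that is not 'intact'."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # 64 KiB is plenty for both checks
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            verdict = classify_file(fname, head)
            if verdict != "intact":
                yield path, verdict


def pseudo_random_bytes(n: int, seed: bytes = b"locker-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_files() -> dict:
    """Constructed inputs: an intact JPEG-like file, an 'encrypted' one, a text note."""
    return {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64 + bytes(range(256)) * 8,
        "holiday_encrypted.jpg": pseudo_random_bytes(4096),
        "notes.txt": b"meeting at 10, bring the signed forms\n" * 50,
    }


if __name__ == "__main__":
    for fname, blob in sample_files().items():
        print(f"{fname}: {classify_file(fname, blob)} "
              f"(entropy {shannon_entropy(blob):.2f} bits/byte)")
```

Run `scan_directory()` against an image of the drive, not the live disk, and keep the malware in place until samples have been collected. The magic check only proves that the first bytes were rewritten: a file whose header survived but whose body was encrypted will still read as intact, so for formats without a signature, or where partial encryption is suspected, compare entropy against a known-good copy of the same file type rather than trusting a single threshold.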

I've been infected with this thing, and for the past two hours I've been searching for help, but with no luck.
It infected a lot of .jpg files and only one .docx file.
For the infected files, it seems that the extension hasn't been modified.

Here are screenshots of the ransomware.

Is there a possible way to recover my files? It says that about 4585 of them are infected.
I have not removed or modified the malware yet.

I've opened Task Manager and gone to the process location.
Here's what I found:

I've opened the data.% files with Notepad, and here's what I found:

data.aa0 listed all my infected files.
data.aa1 blank.
data.aa6 the bitcoin payment address key: 12E6vVFawrVK8Gd7Rk3whQqVodhGvuTHgg

<RSAKeyValue><Modulus>rhMUIZAtCWDQeIIu01AQy813u41pOSTRDn9+6FpsEHwWfoIrcLgBd2oqqgeT2jFRQY3/4hvsd+uWTUOG9FPBtbx3yMI9ch6/+5dU8H4mZTFakCiab5nXvYNzqQ/lIB2OwOr6i8dkjyEr94LHUUg4i4XyFRjjjoWmUwW6ND0Hbt3knN6/QiSafkvv7WTlM2aIQbxi349t79QFcr9nu3tS9eda6s+saUI34jFuQf2xob1YG2UXOMntBDgkuaso+JXrWhi1ze4ic7Ec1731IQy7rfXMcxpxWFb7rIyZukBN5aoQrY+9rTpyC4Df+phJz/osBS0kSBm+ivadETT/nKQAYQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
data.aa8 simply listed:

data.aa9 listed the date and time when my "key" expires.
data.aa11 blank.

I found a way of partially decrypting one of my photos using TORRENTUNLOCKER and an original unencrypted file.
Since my files weren't renamed to file.encrypted, I manually renamed one of my files to .encrypted and tried decrypting it with TORRENTUNLOCKER, and it actually worked!
But it seems that the file has been partially damaged; the quality is compromised. Any help?
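The `<RSAKeyValue>` blob posted above is the XML layout that .NET's `RSA.ToXmlString()` produces: `Modulus` and `Exponent` are big-endian unsigned integers, base64 encoded. As an added example (not code from the original post or from Locker), the script below parses that blob, reports the key size and exponent, and re-encodes it as a PKCS#1 `RSAPublicKey` PEM so standard tools can read it. The modulus is the one quoted in the post, with the spaces the forum inserted when wrapping the line removed; the small DER encoder is written here rather than taken from a library, so nothing beyond the Python standard library is needed.

```python
"""Inspect the RSA public key Locker left in its data.aa* files.

Added example, not code from the original post or from Locker. The
<RSAKeyValue> blob is the XML layout .NET's RSA.ToXmlString() produces:
Modulus and Exponent are big-endian unsigned integers, base64 encoded.
This parses the blob, reports the key size and exponent, and re-encodes it
as a PKCS#1 RSAPublicKey PEM so standard tools can read it. The modulus is
the one quoted in the post above, with the forum's line-wrap spaces removed;
the DER helpers are written here rather than taken from a library.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

# Key material quoted in the post (the spaces the forum inserted are removed).
LOCKER_KEY_XML = (
    "<RSAKeyValue><Modulus>"
    "rhMUIZAtCWDQeIIu01AQy813u41pOSTRDn9+6FpsEHwWfoIrcLgBd2oqqgeT2jFRQY3/4h"
    "vsd+uWTUOG9FPBtbx3yMI9ch6/+5dU8H4mZTFakCiab5nXvYNzqQ/lIB2OwOr6i8dkjyEr"
    "94LHUUg4i4XyFRjjjoWmUwW6ND0Hbt3knN6/QiSafkvv7WTlM2aIQbxi349t79QFcr9nu3"
    "tS9eda6s+saUI34jFuQf2xob1YG2UXOMntBDgkuaso+JXrWhi1ze4ic7Ec1731IQy7rfXM"
    "cxpxWFb7rIyZukBN5aoQrY+9rTpyC4Df+phJz/osBS0kSBm+ivadETT/nKQAYQ=="
    "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
)


def parse_rsakeyvalue(xml_text: str):
    """Return (modulus, exponent) as ints from a .NET RSAKeyValue XML string."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue element: %r" % root.tag)

    def field(tag: str) -> int:
        text = root.findtext(tag)
        if text is None:
            raise ValueError("missing <%s>" % tag)
        # Forum software wraps long tokens with spaces; drop all whitespace first.
        raw = base64.b64decode("".join(text.split()), validate=True)
        return int.from_bytes(raw, "big")

    return field("Modulus"), field("Exponent")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative int (a leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def pkcs1_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def to_pem(der: bytes) -> str:
    """Wrap PKCS#1 DER in the 'RSA PUBLIC KEY' PEM armour openssl expects."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN RSA PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END RSA PUBLIC KEY-----\n")


def describe_key(xml_text: str) -> dict:
    """Summarise a key: size, exponent, DER, PEM and a fingerprint for comparison."""
    n, e = parse_rsakeyvalue(xml_text)
    der = pkcs1_public_key_der(n, e)
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "der": der,
        "pem": to_pem(der),
        # SHA-256 over the DER; lets two victims check whether they were given the same key.
        "sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    info = describe_key(LOCKER_KEY_XML)
    print("RSA-%d public key, e=%d, sha256=%s"
          % (info["bits"], info["exponent"], info["sha256"]))
    print(info["pem"])
```

Save `info["pem"]` to a file and `openssl rsa -RSAPublicKey_in -in locker_pub.pem -noout -text` prints the same modulus. Nothing here recovers files: this is the public half of a 2048-bit key with the usual exponent 65537, and only the matching private key, which the victim never receives, can undo RSA. The point of the summary is to have exact, comparable key material (size, exponent, fingerprint) to include when submitting samples, and to let victims check whether they received identical keys.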

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Please submit a sample of an encrypted file here with a link to this topic: http://www.bleepingcomputer.com/submit-malware.php?channel=3

You can also submit samples of suspicious executables or any malware files that you suspect were involved in causing the infection. Doing so will help with analysis and investigation.

These are common locations malicious executables may be found: