View Full Version : LOCKED Ransomware Support and Help Topic - Read_it.txt

ransomware .locked

Welcome to BC.

Are you saying that .locked extension has been appended to your files...i.e. <file name>.jpg.locked or <filename>.<original_extension>.locked

Is there any notice (message) which says something like..."Your files are locked and encrypted with a unique RSA-1024 key!"?

Did you find any ransom note? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Check your documents folder for an image the malware typically uses for the background note. Check the C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp, .url file

I have the same issue here - files have .locked appended - desktop background change to warning and a read_it.txt on desktop explaining what to do:

Uh oh. It looks like your data has been the victim of the encryption thief. Your files have been encrypted with AES: search your drive for "locked" if you don't believe me . Unfortunately you're going to have to pay some money to get your files back and your fee is approximately $200 in US Dollars. I'll get right to the ugly details for that:

* You have 72 hours to make this happen as of 9/03/2016 8:36:32 AM. Otherwise, your files are lost for good. I will delete the necessary code for all time and I don't even have to revisit your machine to do it.
* You will be paying by Bitcoin. Don't worry, it is easy to figure out. Your fee is xxxxxxxxxxx BTC. Pay this amount precisely, or I might not know who it was that paid in order to rescue them.
* Use LocalBitcoins.com. It isn't hard to use, there are numerous ways to pay for my bitcoins on there, and most importantly, it is fast. Did I mention you have 72 hours?
* The address you will be sending the bitcoins to is 192awRvM4V8LS24GSHj6o3v2fVQ5QYh4pB .
* Then you will wait for me to get the unlock code for you. Your code will be shown here, http://let-me-help-you-with-that.webnode.com/ , under the amount you paid. This may take a day or so: you are on my schedule now http://www.bleepingcomputer.com/forums/public/style_emoticons/default/tongue.png
* Once you have the code, you can unlock your files as follows:
*** Go to your Start Menu
*** In the search field, type "cmd".
*** Right click the cmd program.
*** Click Run As Administrator (doesn't have to be but files might be missed otherwise)
*** Click Yes to allow it to run like that.
*** Type "cd C:\Users\simon"
*** Type "Decrypter.exe <Your Code>"

the figure xxxxxx is over $250 AUD
trying kaspersky rakhni decryptor says it found the decrypt key and is decrypting but all the files it decrypts are unreadable (i chose not to delete originals) - found this in the registry that does not look right:

"dhKcjZFO/B/XlllOLiPLNw=="="MMkJLJal6F9zJPSUf8rTwyLr+JU5jd0MNoITIlN0G+qCbr+ZYC eUFLiA4lZN5GgLIvvoP2Mr8cphlVMqiu2G3PIWhlhu+gGlgHiB pXDxUyw="
"DfvYUq32smB94ebUL8Nen4HIndU+NU6DOmPqvvoRlg0="="aj+9oTVUQJe/FfelOWac3kEByZ1Wbfsn+yHZuXNlKoOJ0U1K4CJLTzKMSbq6Wn a9"

Checked for files in the Program Data folder and there is nothing??

This sounds like it could potentially be new. I'm only aware of the EDA2 and HiddenTear projects using the ".locked" extension. The wording is different than the ransom notes they dropped by default, but since they were open-source projects, someone could have modified them. Otherwise, could be completely different.

We'll need sample files (preferably PNG), including clean copies if you can. Then, we need to find a sample of the malware for analysis.

Please run HitmanPro (http://www.bleepingcomputer.com/download/hitmanpro/) and upload the log (skip deletion of infections for now, we want a sample before cleaning it out) to a sharing service such as PasteBin or SendSpace, and post the link here for checking.

Also, if you could submit the Decrypter.exe. Please submit it to the submission links here (http://www.bleepingcomputer.com/submit-malware.php?channel=3) and here (http://www.bleepingcomputer.com/submit-malware.php?channel=170) with a link to this topic. If you could also upload it to SendSpace and send me a PM (do not post it here), I can try taking a look at if the decrypter gives any clues on the encryption scheme used.

I've decompiled the malware, and it looks based on EDA2. I'm not seeing a weakness so far, but I'll let Fabian/Nathan be the judge on that.