LockCrypt 2.0 Ransomware
Posted: June 5, 2018
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 281 |
| First Seen: | June 5, 2017 |
|---|---|
| Last Seen: | March 30, 2023 |
| OS(es) Affected: | Windows |
The LockCrypt 2.0 Ransomware is a new build of the LockCrypt Ransomware, which encrypts your files and holds them for a ransom. Users should, instead of paying the criminal, use backups for recovery, whenever they're available. A majority of anti-malware products also are detecting this threat accurately and may delete the LockCrypt 2.0 Ransomware without needing any other assistance, which is recommended, in light of the limited decryption solutions for this update.
The Lock on Your Files is Getting Stronger
Threat actors administrating the LockCrypt Ransomware campaign of 2017 are giving their file-locking Trojan an upgrade that enhances its capability for causing lasting file damage significantly. The first notable update to this threat's campaign, the LockCrypt 2.0 Ransomware, began appearing in public threat databases in the last week of May. Some of its characteristics also provide more evidence of how its authors are infecting the Windows systems: most likely, by compromising them with brute-force attacks.
Brute-force hacking tools take advantage of mismanagement of login credentials, such as using default usernames or passwords, for helping criminals sign into a PC remotely. They, then, enable RDP features for gaining complete control for installing and running the LockCrypt 2.0 Ransomware. Unlike file-locking Trojans whose designs lead their victims into launching them unintentionally, the LockCrypt 2.0 Ransomware displays a local UI while it searches for files that it locks with the AES-256 encryption. The LockCrypt 2.0 Ransomware also protects the AES-256 with an internal, RSA-2048 key, which malware analysts are highlighting as being a new change for this version of the Trojan.
The Trojan appends '.BI_ID' extensions and ID numbers for its victims onto each file that it encrypts. When the file-locking routine finishes, the LockCrypt 2.0 Ransomware closes its encryption results UI and creates a Notepad TXT file with the threat actor's ransom demands. The contents include a typical, Bitcoin-based ransom demand and an e-mail for providing negotiation details and, potentially, a free sample of the decryptor. However, they also use a minor social engineering tactic, by pretending that the encryption damage is from an unrelated 'unknown virus,' instead of from the authors of the note.
Patching the Weaknesses that a Trojan's Patch Might Exploit
Using password and username combinations with sophisticated strings will remove many of the dangers associated with brute-force attacks by remote attackers. Malware researchers also emphasize having good security practices against related infection vectors for file-locking Trojans, which include e-mail attachments using macro-based exploits, website-hosted exploit kits using JavaScript and Flash vulnerabilities, and unsafe downloads, such as torrents.
The LockCrypt 2.0 Ransomware's changes to its cryptography mechanisms mean that old decryption solutions are no longer applicable to this version of the Trojan. Ideal protection from the LockCrypt 2.0 Ransomware, or its earlier, LockCrypt Ransomware build, includes keeping backups on other devices for letting users recover their media without requiring any solution to the encryption. RDP attacks may compromise network-accessible drives, and malware experts recommend saving your files to either password-secured cloud storage servers or detachable storage.
Traditionally, criminals uninstall the original, file-locking Trojan after the success of a brute-force-based RDP attack. However, any compromised PC always should undergo scans from anti-malware products for guaranteeing the deletion of the LockCrypt 2.0 Ransomware, as well as that of possibly related threats.
The update to the LockCrypt 2.0 Ransomware is more substantial than the usual tweaks to ransom notes that file-locking Trojans are most well-known for delivering. As long as criminals can generate money by imprisoning digital media effectively, it's never a safe time to forget to keep your files secure and copied.
Update - 09/26/2018
As of mid-late September, threat actors are distributing a variant of the LockCrypt 2.0 Ransomware. This version of the family, the '.BDKR File Extension' Ransomware, changes the extension of any blocked files to 'bdkr.' The '.BDKR File Extension' Ransomware also updates the ransoming message slightly, such as by changing the e-mail address, although the note remains in a TXT format. Although many AV programs aren't identifying the '.BDKR File Extension' Ransomware variant's family correctly, most of them should, still, block it as being a danger to your computer.
The '.BDKR File Extension' Ransomware's executables are using one of two names: 'fcr' or 'searchfiles.' The former is an abbreviation that malware researchers connect to sharing files via compressed torrents previously, and may indicate that the criminals are using torrent networks for circulating this file-locker Trojan out to its victims.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.