One of the LockCrypt ransomware variants is officially defeated by Bitdefender team
The notorious LockCrypt virus operates as several different variants, each encrypting data and appending a different file extension. The version that uses the .1btc extension is now decryptable: Bitdefender's security team has released an official decryptor that can be used to recover all personal data safely. You can download it from the official website.
Unfortunately, the .1btc extension was used by an older version of the virus that was active between February and May 2018, and the hackers have already moved on to a new variant. It locks files by appending the .bi_d extension, and there is no known method to recover the data it affects.
LockCrypt was first spotted in the middle of 2017 and focused on various businesses. The primary distribution tactic used by the hackers was brute-force attacks on Remote Desktop Services, i.e., weak passwords were simply guessed by the attackers. The attackers then installed the crypto-malware manually and spread it to networked computers.
After infiltration and malicious code execution, victims could see a text file on their desktop and inside every folder that contained encrypted data. Ransom notes used one of the following names:
- Restore Files.txt
- How To Restore Files.txt
Apart from the now decryptable version, LockCrypt also used the .lock (used upon initial release), .2018, and .mich extensions. Despite the lack of an official decryptor for these, users could contact Michael Gillespie for file recovery. As of now, the only variant that cannot be decoded remains .bi_d.
Not much is known about the attackers themselves, apart from a couple of things. The Command & Control server used is located in Iran. Security experts also speculated that the same hacker group was responsible for previously distributing Satan ransomware.
LockCrypt authors developed ransomware with significant flaws
Security researchers at Malwarebytes Labs claim that LockCrypt is unprofessional and has many flaws. The fundamental weakness is that the developers used their own encryption scheme instead of following appropriate encryption procedures, ignoring verified methods.
Also, because the crypto-malware is installed manually by the hackers, it does not use any sophisticated techniques to grant itself the administrative privileges that are vital for its correct code execution. Security experts came to the following conclusion:
LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional.
Considering the number of flaws the virus has, it is not surprising that an official tool was created. However, it will only be useful to those who still have files encrypted with the .1btc extension, and it is unlikely that this version will ever be used by hackers again.
Protect yourself from ransomware attacks
As the virus relied on brute-force attacks against unprotected RDP to plant the ransomware binary manually, it is vital to make sure that computers running it are protected accordingly. No such machine should be directly connected to the internet. Additionally, placing all devices using Remote Desktop Services behind a VPN would allow only those with VPN accounts to access the computers. Finally, strong passwords should be used instead of “qwerty” or “pass123,” as these are easily guessable.
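The RDP password guessing described above is also something a defender can spot in the Windows Security log before the binary is ever planted: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, especially when followed by a successful logon (event 4624) from that same source. The script below is an added example, not code from the article, from Bitdefender or from Malwarebytes. It assumes the log has been exported to a simple whitespace-separated line format (timestamp, event ID, logon type, account, source IP); the sample lines, threshold and window are constructed for illustration.

```python
"""Flag RDP password-guessing bursts in an exported Windows Security log.

Added example (not from the article or any vendor). Assumed export format per
line: <ISO timestamp> <EventID> <LogonType> <account> <source IP>.
Event 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export, not real telemetry: one guessing burst from
# 203.0.113.7 that ends in a successful logon, one ordinary user typo, and
# one non-RDP (LogonType 2, console) failure that must be ignored.
SAMPLE_LOG = """\
2018-04-02T03:14:01 4625 10 administrator 203.0.113.7
2018-04-02T03:14:03 4625 10 administrator 203.0.113.7
2018-04-02T03:14:04 4625 10 admin 203.0.113.7
2018-04-02T03:14:06 4625 10 backup 203.0.113.7
2018-04-02T03:14:09 4625 10 administrator 203.0.113.7
2018-04-02T03:14:11 4624 10 administrator 203.0.113.7
2018-04-02T09:00:00 4625 10 jsmith 198.51.100.23
2018-04-02T09:05:00 4624 10 jsmith 198.51.100.23
2018-04-02T10:00:00 4625 2 jsmith 10.0.0.5
"""

FAIL_THRESHOLD = 5            # assumed tuning value: failures per window
WINDOW = timedelta(minutes=5)  # assumed tuning value: sliding window length
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Split one exported line into a dict; raises ValueError on bad input."""
    ts, event_id, logon_type, account, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "account": account,
        "src": src,
    }


def parse_log(text):
    """Parse every non-empty line of an export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for RDP guessing bursts and for a success that follows one.

    A per-source sliding window keeps only failed RDP logons from the last
    `window`; reaching `threshold` failures raises one alert per source.
    A later successful RDP logon from an alerted source is the case the
    article describes (a weak password that was eventually guessed) and is
    reported separately so responders can prioritise it.
    """
    failures = defaultdict(deque)  # src -> deque of (timestamp, account)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console / network / service logons are out of scope
        src = ev["src"]
        if ev["event_id"] == "4625":
            q = failures[src]
            q.append((ev["ts"], ev["account"]))
            while q and ev["ts"] - q[0][0] > window:
                q.popleft()  # age out failures older than the window
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({
                    "kind": "rdp_bruteforce",
                    "src": src,
                    "failures": len(q),
                    "accounts": sorted({a for _, a in q}),
                    "at": ev["ts"],
                })
        elif ev["event_id"] == "4624" and src in alerted:
            alerts.append({
                "kind": "success_after_bruteforce",
                "src": src,
                "account": ev["account"],
                "at": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The sliding window matters: five failures spread over a working day are a user mistyping a password, while five within a few seconds from one address, cycling through names like "administrator" and "backup", are a guessing tool. Pair this with the account lockout policy and the VPN placement described above, since lockouts alone can be turned into a denial of service against legitimate users.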
There are also several other security precaution tips you should use:
- Security software is a must for an all-around protected system. Many AV engines are capable of stopping most ransomware viruses before they can inflict any damage and lock up files;
- Windows updates, as well as third-party software updates, should be installed immediately upon release. Hackers often use exploit kits to abuse vulnerabilities in unpatched software;
- Use strong passwords and do not use the same password for multiple accounts;
- Scan attachments and executables with anti-malware software before opening them;
- Avoid spam emails;
- Back up your files in case they do get encrypted by ransomware. Backups are the easiest way to recover from a cyber-attack.