Severity scale: 95/100

LockCrypt ransomware virus. How to remove? (Uninstall guide)

Removal guide by Olivia Morelli | Type: Ransomware

LockCrypt is a ransomware virus with several versions, some of which are decryptable and some of which are not

LockCrypt ransom note


LockCrypt is a malicious ransomware virus that appends .lock, .1btc, .mich, .badnews and other file extensions to targeted files. It has been updated several times, and the latest update came at the end of summer 2018. The ransomware has been actively distributed via Remote Desktop Services (RDS). The initial version is known for targeting enterprise servers, thus raising the chances of collecting huge ransoms; the other variants are oriented to individual PC users. Following the encryption, LockCrypt ransomware drops a ReadMe.txt file on the desktop and demands a ransom in Bitcoins. Fortunately, some versions are already decryptable.

Name of the malware: LockCrypt
Classification: Ransomware
Danger level: High
Main dangers: Data and money loss, system crashes, installation of spyware and worms
Main symptoms: All personal files are locked with the .lock, .1btc or .mich file extension; a ReadMe.txt file appears on the desktop
Distribution methods: RDP brute-force attacks, RaaS
Countries targeted: US, UK, South Africa, India, and the Philippines
Removal: Download Reimage anti-malware and run a full system scan with it.

In the middle of April 2018, ransomware researchers finally managed to crack the LockCrypt code[1] and developed a free decryptor. Those who have been affected by this ransomware should contact ransomware researcher Michael Gillespie (@demonslay335) for help decrypting the files. But before that, make sure that you have completed LockCrypt removal successfully. Use Reimage, Malwarebytes, Plumbytes Anti-Malware or Norton Internet Security to perform a full system scan.

LockCrypt ransomware was cracked after researchers detected a weakness in its encryption algorithm. According to the latest reports, this piece of malware did not reach mainstream distribution since it narrowed its targets to organizations. Crooks found it easy to attack unprotected RDP with brute-force attacks. However, the unprofessional design allowed white hats to find a way to decode it.

Following data encryption,[2] LockCrypt ransomware drops a ReadMe.txt file on the desktop, and this file provides an explanation of what has happened. The ransomware informs the victim that all data has been encrypted and that in order to reverse the encryption the victim has to pay for decryption. The ransom note doesn’t reveal the exact price that the victim has to pay; it only commands the victim to write to:

  • d_dukens@aol.com,
  • d_dukens@bitmessage.ch,
  • enigmax_x@aol.com,
  • enigmax_x@bitmessage.ch,
  • BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage.ch.

The full text of the ransom note:

All your files have been encrypted due to the security problem with your PC. If you want to restore them, write us to the e-mail support: enigmax_x@aol.com or enigmax_x@bitmessage.ch
Write this ID in the title of your message
In case of no answer in 24 hours write us to these e-mails support: enigmax_x@aol.com or enigmax_x@bitmessage.ch
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.

According to the criminals, the price of the ransom depends on how fast the victim manages to reach out to the culprits. The attackers offer to decrypt three small files for free to prove that they have the decryption tool, that the files are not permanently corrupted, and that there is supposedly no need to consider LockCrypt ransomware removal. The total size of the files used to test the decryption should be no larger than 10Mb (non-archived) and, according to the fraudsters, “should not contain valuable information.”

If you were infected with this ransomware variant, we suggest you remove LockCrypt using anti-malware software such as Reimage and try to recover your files using alternative methods. However, the chances of restoring data using third-party software are not high, because the ransomware is designed to delete Shadow Volume Copies.

LockCrypt ransomware virus

LockCrypt virus appends .1btc file extension since February 2018

At the end of February 2018, cybersecurity experts detected a new version of the infamous LockCrypt ransomware, which is also disseminated via accessible Remote Desktop Services. Although its behavior matches that of its predecessor, the latest version uses a base64 encryption strategy and appends the .1btc file extension to each locked file.

After successful file encryption, the .1btc file extension virus generates a text file named Restore Files.TxT, which contains the victim’s ID and detailed instructions on how to make the payment. The victim is asked to contact the extortionists within 24 hours via the email addresses Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch. According to the extortionists, the price for a decryption key depends on how fast the victim contacts them, though based on the file extension appended, they may demand 1 Bitcoin.[3]

Unfortunately, the .1btc file extension ransomware is not decryptable for free. One of the ways to get your files back is to pay the ransom and expect that criminals will send you a key. However, the better idea is to remove .1btc file extension virus with Reimage or similar anti-virus tool and try to decrypt files using alternative methods.

To prevent brute-force attacks via Remote Desktop Services, in which hackers log in to a target computer and execute the ransomware, it is a must to lock the service down correctly. A PC running Remote Desktop Services should be placed behind a VPN to prevent access by anyone who does not have a VPN account on your network.

The undecryptable version of the ransomware emerged in June 2018

It seems that cyber criminals cannot forgive malware researchers for breaking the ransomware's code. They created a brand new variant of LockCrypt with improved functionality. The virus uses a combination of the AES-256 and RSA-2048 encryption algorithms to lock various files on the affected computer. The AES key is used for encryption and is saved to C:\Windows\DECODE.KEY. This DECODE.KEY file and a private RSA key are needed for file decryption.

However, the analysis showed that the malware might fail to save DECODE.KEY, and it does not check whether this step completed correctly. Therefore, if this file is missing, decryption of the files is impossible. This is clear proof that the hackers have no intention of recovering the files, so you should not take the risk of paying the demanded ransom.

LockCrypt new version

During the encryption procedure, the malware appends a unique suffix of the form id-[ID].BI_D, where the ID is a unique identification number that the ransomware assigns to each victim. Therefore, after the attack, a corrupted .png file might look like this: filename.png id-R4ohq2idY4.BI_D.

Following the encryption, LockCrypt ransomware drops a ransom note called How To Restore Files.txt, in which victims are asked to contact the criminals via bog_decryptor@aol.com and pay the demanded amount of Bitcoins. Those who want to proceed have to send DECODE.KEY and 2-3 encoded files:

Important !!!
Your personal id – [redacted]
Warning: all your files are infected with an unknown virus.
To decrypt your files, you need to contact at big_decryptor@aol.com
The decoder card is received by bitcoin.
You can buy bitcoins from the following links://blockchain.info/wallet
Do not try to restore files yourself, this will lead to the loss of files forever
GUARANTEES! ! ! 
You can send us 2-3 encoded files.
And attach to the letter a file from the folder c:\windows\DECODE.KEY for testing.

However, security specialists do not recommend following such orders. It is recommended to remove LockCrypt ransomware virus to clean and protect your computer.

LockCrypt might have been created using Satan RaaS code

The Satan RaaS (Ransomware-as-a-Service)[4] portal[5] was launched in January 2017 and lets beginners create their own customized version of the Satan ransomware. Recent analysis showed that LockCrypt ransomware might have been created using this source code.

In November, researchers also reported that an IP address that might be used by the attackers (212.111.192.203) is associated with the Ministry of Education and Science of Ukraine. However, it is no secret that criminals might manipulate their IP address in order to avoid punishment. Other research claims that LockCrypt sends information about the affected device to a remote server in Iran.

Despite the fact that the cyber criminals started their illegal project using Satan’s source code, they managed to develop a strong file-encrypting virus. It has already affected businesses in the US, UK[6], South Africa, India, and the Philippines.[7]

According to the latest data, LockCrypt uses a strong and unbreakable encryption to corrupt files on the affected device. Currently, there’s no way to restore encrypted files due to the ransomware’s ability to delete Shadow Volume Copies.

The crypto-virus also makes modifications to the system to boot with system startup and runs a batch file to kill non-core processes related to computer’s security and data recovery possibilities. Therefore, it’s undoubtedly strong file-encrypting malware.

However, victims of the ransomware are not advised to contact criminals and pay the ransom. They might blackmail you into paying more money and never provide decryption key. Thus, you should take care of LockCrypt removal rather than buying Bitcoins and transferring them to frauds.

RDP brute-force attacks are used for getting into computers

Unlike the majority of file-encrypting viruses, LockCrypt’s distribution does not rely on malicious spam emails. The authors of the ransomware use Remote Desktop Protocol (RDP) brute-force attacks that allow them to infect unsecured enterprise servers. To avoid these attacks, you should follow these tips:

  • set hard to guess passwords;
  • control the number of administrator accounts;
  • use different account name for Administrator account;
  • enable two-factor authentication;
  • set an account lockout threshold so that an account is locked after a number of failed login attempts with the wrong credentials.
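The lockout threshold in the last tip is only useful if you can also see the failed logons it is meant to stop. The following is an added example, not code from the original article: it scans a constructed list of Windows Security failed-logon records (Event ID 4625; logon type 10 is the RemoteInteractive type an RDP session produces) and flags sources that reach a failure threshold within a sliding time window. The record layout and all IP addresses and account names are assumptions.

```python
"""Flag RDP brute-force activity in Windows Security failed-logon events.

Added example, not code from the original article. Input records are a
constructed approximation of Event ID 4625 as exported by a SIEM; the
field layout and all addresses are assumptions. Logon type 10
(RemoteInteractive) is the type an RDP session produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source spraying several account names over RDP,
# one user mistyping a password twice, one non-RDP (type 3) failure.
SAMPLE_EVENTS = [
    # (timestamp, event_id, logon_type, source_ip, target_account)
    ("2018-02-21T03:00:01", 4625, 10, "198.51.100.23", "Administrator"),
    ("2018-02-21T03:00:04", 4625, 10, "198.51.100.23", "admin"),
    ("2018-02-21T03:00:07", 4625, 10, "198.51.100.23", "backup"),
    ("2018-02-21T03:00:09", 4625, 10, "198.51.100.23", "Administrator"),
    ("2018-02-21T03:00:12", 4625, 10, "198.51.100.23", "sqlsvc"),
    ("2018-02-21T09:15:00", 4625, 10, "10.0.0.45", "olivia"),
    ("2018-02-21T09:15:30", 4625, 10, "10.0.0.45", "olivia"),
    ("2018-02-21T09:16:00", 4625, 3, "10.0.0.77", "olivia"),
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failures, distinct_accounts)} for each source that
    reached `threshold` failed RDP logons inside any `window`-long span.

    A per-source deque holds only the failures still inside the window, so a
    slow trickle of typos ages out while a burst of guesses does not.
    """
    recent = defaultdict(deque)  # source_ip -> (time, account) inside window
    flagged = {}
    for ts, event_id, logon_type, src, account in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue  # not a failed logon, or not an RDP logon
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, account))
        while now - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold:
            flagged[src] = (len(q), len({acct for _, acct in q}))
    return flagged


if __name__ == "__main__":
    for ip, (count, accounts) in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {count} failed RDP logons against {accounts} account(s)")
```

Feed it real 4625 exports (with the same five fields) and set `threshold` to match the lockout threshold you configured; a source that trips it against many different account names is a password spray rather than a forgotten password.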

Instructions on how to remove LockCrypt from affected machines

You should remove the LockCrypt virus by following the instructions given below and deleting the virus while in Safe Mode with Networking. Reboot your PC into that mode and start anti-malware or anti-spyware software to remove the virus for you. We recommend using Reimage, Plumbytes Anti-Malware or Norton Internet Security for this task.

Please do not try to perform manual LockCrypt ransomware removal: ransomware viruses are too sophisticated and dangerous, and inexperienced computer users can simply overlook some of their malicious components. It goes without saying that leaving them on the system poses a threat to the user’s privacy and the computer’s security.


To remove LockCrypt virus, follow these steps:

Remove LockCrypt using Safe Mode with Networking

Delete the Lock Crypt virus according to the guidance provided below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove LockCrypt

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete LockCrypt removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove LockCrypt using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of LockCrypt. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that LockCrypt removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove LockCrypt from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

Restore your files from a backup, or, if you do not own one, try these options.

If your files are encrypted by LockCrypt, you can use several methods to restore them:

Recover files with a help of Data Recovery Pro

Data Recovery Pro proved to be a useful tool for those that are dealing with piles of corrupted files. You might want to test this tool on files locked by the indicated ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by LockCrypt ransomware;
  • Restore them.

Try Windows Previous Versions feature

If System Restore was enabled before the ransomware attack, you can go back to an earlier state of the system and copy the most important files.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

If ransomware failed to delete Shadow Volume Copies, this tool will help you to recover some of the files encrypted by LockCrypt:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

About the author

Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even the smallest amount will be appreciated.


References