Severity scale:  
  (95/100)

LockCrypt ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - - | Type: Ransomware

LockCrypt ransomware has been cracked due to  the weakness in cryptography

LockCrypt ransom note

Questions about LockCrypt ransomware virus

LockCrypt is file-encrypting ransomware that is being actively distributed via Remote Desktop Services (RDS). The initial version is known for appending .lock file extension to encrypted files, while the other two variants switched to .1btc and .mich file extensions. The .lock file extension virus has been targeting enterprise servers, thus raising the chances of collecting a huge ransom. The other variants are oriented to individual PC users. Following the encryption, LockCrypt ransomware drops a ReadMe.txt file on the desktop and demands for a ransom in Bitcoins. 

Name of the malware LockCrypt
Classification  Ransomware
Danger level High
Main dangers Data and money loss, system's crash, installation of spyware and worm. 
Main symptoms All personal files are locked with .lock, .1btc or .mich file extension. ReadMe.txt file available on the desktop
Distribution methods RDP brute-force attacks, RaaS, 
Countries targeted US, UK, South Africa, India, and the Philippines
Download Reimage anti-malware and run a full system scan with it. 

In the middle of April, 2018, ransomware researchers finally managed to crack the LockCrypt code[1] and developed a free decryptor. Thouse who have been affected by this ransomware should contact Michael Gillespie (@demonslay335)  ransomware researcher for decrypting the files. But before that, make sure that you have initiated LockCrypt  remove successfully. Use Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware to perform a full system scan.

The LockCrypt ransomware has been cracked after the researcher detected a weakness in the encryption algorithm. According to the latest reports, this piece of malware did not reach mainstream distribution since it narrowed the target to organizations. Crooks found it easy to attack unprotected RDP and initiate brute-force attacks. However, unprofessional design allowed white hats to find a way to decode it. 

Following data encryption,[2] LockCrypt ransomware drops a ReadMe.txt file on the desktop, and this file provides an explanation of what has happened. The ransomware informs the victim that all data has been encrypted and that in order to reverse the encryption the victim has to pay for decryption. The ransom note doesn’t reveal the exact price that victim has to pay; it only commands the victim to write to:

  • d_dukens@aol.com,
  • d_dukens@bitmessage.ch,
  • enigmax_x@aol.com,
  • enigmax_x@bitmessage.ch.

The full text of the ransom note:

All your files have been encrypted due to the security problem with your PC. If you want to restore them, write us to the e-mail support: enigmax_x@aol.com or enigmax_x@bitmessage.ch
Write this ID in the title of your message
In case of no answer in 24 hours write us to these e-mails support: enigmax_x@aol.com or enigmax_x@bitmessage.ch
You have to pay for decryption in Bitcoins. The price dependson how fast you write to us.

According to the criminals, the price of the ransom depends on how fast the victim manages to reach out to the culprits. The attackers suggest decrypting three small files for free to prove that they have the decryption tool and that files are not permanently corrupted and that there is no need to consider LockCrypt ransomware removal. The total size of files to test the decryption should be no larger than 10Mb (non-archived) and, according to frauds, “should not contain valuable information.”

If you were infected with this ransomware variant, we suggest you remove LockCrypt using anti-malware software such as Reimage and try to recover your files using alternative methods. However, chances to restore data using third-party software is not high because ransomware is designed to delete Shadow Volume Copies.

LockCrypt ransomware virus

.1btc file extension variant of LockCrypt virus

At the end of February 2018, cybersecurity experts detected a new version of infamous LockCrypt Ransomware, which is also disseminated via accessible Remote Desktop Services. Although its behavior coincides with the ancestor, the latest version uses base64 encryption strategy and appends .1btc file extension to each locked file.

After successful file encryption, the .1btc file extension virus generates a text file named as Restore Files.TxT, which contains victim’s ID and detailed instructions on how to make the payment. The victim is asked to contact the extortionists within 24 hours via email Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch. According to the extortionists, the price for a decryption key depends on how fast the victim communicates them, though based on the file extension appended, they may demand 1 Bitcoin.[3]

Unfortunately, the .1btc file extension ransomware is not decryptable for free. One of the ways to get your files back is to pay the ransom and expect that criminals will send you a key. However, the better idea is to remove .1btc file extension virus with Reimage or similar anti-virus tool and try to decrypt files using alternative methods.

To prevent brute-force attacks via Remote Desktop Services when hackers login to a target computer and execute the ransomware, it’s a must to lock the service correctly. The PC running Remote Desktop Services should be placed behind VPNs to prevent unauthorized access of those who don’t have VPN accounts connected to your network.

The LockCrypt ransomware might be related to Satan RaaS

Satan RaaS (Ransomware-as-Service)[4] portal[5] was launched in January 2017 and offers beginners to create their customized version of the Satan ransomware. However, the resent analysis shown that LockCrypt ransomware might be created using this source code.

On November, researchers also tell that IP address that might be used by the attacks (212.111.192.203) is associated with the Ministry of Education and Science of Ukraine. However, there’s no secret that criminals might manipulate their IP address in order to hide from legit punishment. Other research information claims that LockCrypt sends information about the affected device to a remote server in Iran.

Despite the fact cyber criminals started their illegal project by using Satan’s source code, they managed to develop a strong file-encrypting virus. It has already affected business in the US, UK[6], South Africa, India, and the Philippines.[7]

According to the latest data, LockCrypt uses a strong and unbreakable encryption to corrupt files on the affected device. Currently, there’s no way to restore encrypted files due to the ransomware’s ability to delete Shadow Volume Copies.

The crypto-virus also makes modifications to the system to boot with system startup and runs a batch file to kill non-core processes related to computer’s security and data recovery possibilities. Therefore, it’s undoubtedly strong file-encrypting malware.

However, victims of the ransomware are not advised to contact criminals and pay the ransom. They might blackmail you into paying more money and never provide decryption key. Thus, you should take care of LockCrypt removal rather than buying Bitcoins and transferring them to frauds.

Developers of the ransomware rely on RDP brute-force attacks.

Differently than the majority of file-encrypting viruses, LockCrypt’s distribution does not rely on malicious spam emails. Authors of the ransomware use Remote Desktop Protocol (RDP) brute-force attacks that allows infecting unsecured enterprise servers. To avoid these attacks, you should follow these tips:

  • set hard to guess passwords;
  • control the number of administrator accounts;
  • use different account name for Administrator account;
  • enable two-factor authentication;
  • set the number of failed login is to lock the user if she/he enters wrong credentials.

LockCrypt removal guide

You should remove LockCrypt virus by following instructions given below and delete the virus while in Safe Mode with Networking. Reboot your PC into the above-mentioned mode and start anti-malware or anti-spyware software to remove the virus for you. We recommend using Reimage or Malwarebytes Anti Malware for this task.

Please do not try to initiate manual LockCrypt ransomware removal – ransomware viruses are too sophisticated and dangerous and inexperienced computer users simply can overlook some of its malicious components. It goes without saying that leaving them on the system poses a threat to user’s privacy and computer’s security.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove LockCrypt ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall LockCrypt ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual LockCrypt virus Removal Guide:

Remove LockCrypt using Safe Mode with Networking

Delete the Lock Crypt virus according to the guidance provided below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove LockCrypt

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete LockCrypt removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove LockCrypt using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of LockCrypt. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that LockCrypt removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove LockCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Restore your files from a backup, or, if you do not own one, try these options.

If your files are encrypted by LockCrypt, you can use several methods to restore them:

Recover files with a help of Data Recovery Pro

Data Recovery Pro proved to be a useful tool for those that are dealing with piles of corrupted files. You might want to test this tool on files locked by the indicated ransomware.

Official decryption tools are not available yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from LockCrypt and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions

References