A relatively weak piece of ransomware, LockCrypt, has been operating under the radar to carry out small-scale cybercrime attacks since June 2017. It was most active in February and March this year, but because the ransomware must be installed manually on each device to take effect, it has not posed as great a threat as some of the most notorious crypto-ransomware families out there, GandCrab being one of them. Upon analysis (of a sample obtained from VirusTotal) by antivirus firms such as the Romanian corporation BitDefender and the MalwareBytes Research Lab, security experts discovered several flaws in the ransomware's programming that could be exploited to decrypt the locked files. Using the information gathered, BitDefender has released a decryption tool that is able to recover files encrypted by every version of the LockCrypt ransomware except the latest one.
According to a thorough MalwareBytes Lab research report that analyzes the malware inside and out, the first weakness of LockCrypt is that it requires manual installation and administrator privileges to take effect. If these conditions are met, the executable runs, placing a wwvcm.exe file in C:\Windows and adding a corresponding registry key. Once running, it encrypts every file it can access, including .exe files, stopping system processes along the way to ensure that its own process continues uninterrupted. File names are replaced with random base64 alphanumeric strings and their extensions are set to .1btc. A ransom note in a text file is displayed at the end of the process, and additional information is stored under HKEY_LOCAL_MACHINE in the registry: the attacked user's assigned "ID" and a copy of the instructions for file recovery.
Although this ransomware is able to run without an internet connection, researchers have found that when a connection is available it communicates with a command-and-control (C&C) server in Iran, sending base64 alphanumeric data that decodes to the attacked device's allotted ID, its operating system, and the location of the ransomware on the drive. Researchers have discovered that the malware's code uses the GetTickCount function as its source of randomness for the alphanumeric names and for its communications, which makes them weak to decipher. The encryption itself is done in two stages: the first uses an XOR operation, while the second uses XOR combined with ROL (rotate-left) and a bitwise swap. These weak methods make the encrypted data recoverable, which is how BitDefender was able to reverse the scheme and create a decryption tool for locked .1btc files.
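To show why a keystream seeded from a tick counter and applied with XOR, ROL and a byte-level swap is recoverable, the following is an added illustration, not LockCrypt's code and not BitDefender's tool. The generator (a 32-bit LCG), its constants, the exact stage layout and the seed-window sizes are all assumptions; what it demonstrates is that when the whole keystream is a function of one 32-bit value, a few bytes of known plaintext (a file signature) are enough to search that value back out and decrypt the file.

```python
# Added illustration (not LockCrypt's code): a stand-in for a file cipher
# whose keystream is seeded from a 32-bit tick count, using the two stages
# the article describes (XOR, then XOR + rotate + nibble swap), and the
# known-plaintext seed search a recovery tool can run against it.

MASK32 = 0xFFFFFFFF

# Constructed known-plaintext candidates: file signatures a recovery tool can
# test against the first bytes of an encrypted file. Signatures shorter than
# four bytes are deliberately left out, since they produce false matches
# when many seeds are tried.
FILE_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-1.",
    "zip": b"PK\x03\x04",
}


def rol8(b, n):
    """Rotate an 8-bit value left by n positions."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    """Rotate an 8-bit value right by n positions (inverse of rol8)."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def swap_nibbles(b):
    """Swap the high and low nibbles of a byte (self-inverse)."""
    return ((b & 0x0F) << 4) | (b >> 4)


def keystream(seed, length):
    """Assumed generator: a 32-bit LCG driven by the tick-count seed.

    The constants are assumptions for this illustration; the point is only
    that every keystream byte is a function of a single 32-bit value.
    """
    state = seed & MASK32
    out = bytearray()
    for _ in range(length):
        state = (state * 1103515245 + 12345) & MASK32
        out.append((state >> 16) & 0xFF)
    return bytes(out)


def encrypt(plaintext, seed):
    """Two-stage scheme: XOR, then XOR + ROL + nibble swap, keyed by seed."""
    ks = keystream(seed, 2 * len(plaintext))   # two keystream bytes per input byte
    out = bytearray()
    for i, p in enumerate(plaintext):
        b = p ^ ks[2 * i]                                   # stage 1: plain XOR
        b = swap_nibbles(rol8(b ^ ks[2 * i + 1], i))        # stage 2: XOR, ROL, swap
        out.append(b)
    return bytes(out)


def decrypt(ciphertext, seed):
    """Exact inverse of encrypt; valid on any prefix of the ciphertext."""
    ks = keystream(seed, 2 * len(ciphertext))
    out = bytearray()
    for i, c in enumerate(ciphertext):
        b = ror8(swap_nibbles(c), i) ^ ks[2 * i + 1]
        out.append(b ^ ks[2 * i])
    return bytes(out)


def recover_seed(ciphertext, tick_lo, tick_hi, magics=FILE_MAGICS):
    """Known-plaintext search over a tick-count window.

    Returns (seed, file_type) for the first seed whose decryption of the
    leading bytes matches a known file signature, or None. GetTickCount is
    milliseconds since boot, so a rough idea of the machine's uptime gives
    a small window; even the full 2**32 space is feasible in native code.
    """
    head = ciphertext[:max(len(m) for m in magics.values())]
    for seed in range(tick_lo, tick_hi + 1):
        plain = decrypt(head, seed)
        for name, magic in magics.items():
            if plain.startswith(magic):
                return seed & MASK32, name
    return None


def demo():
    """Round trip plus recovery on a constructed sample; returns the result."""
    seed = 1_987_654                      # assumed tick count (~33 min of uptime)
    plaintext = FILE_MAGICS["png"] + b"constructed image body"
    locked = encrypt(plaintext, seed)
    # The recovery side only guesses that the machine had been up 33-34 minutes.
    found = recover_seed(locked, 1_980_000, 1_995_000)
    assert found is not None and decrypt(locked, found[0]) == plaintext
    return found


if __name__ == "__main__":
    print(demo())
```

The search stops at the first seed that yields a plausible header, so the signature list should only contain signatures long enough that a chance match across the whole window is negligible; two-byte signatures such as an executable's `MZ` would produce false positives after a few tens of thousands of candidates.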
BitDefender has examined multiple versions of the LockCrypt ransomware to devise a publicly available BitDefender tool that is able to decrypt .1btc files. Other versions of the malware encrypt files to the .lock, .2018, and .mich extensions; these can also be decrypted by contacting the security researcher Michael Gillespie. The most recent version of the ransomware appears to encrypt files to the .BI_D extension, for which no decryption method has yet been devised, but all previous versions are now readily decryptable.
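The indicators described across this article (the dropped C:\Windows\wwvcm.exe, renamed files with base64-style names, and the per-version extensions with their recovery routes) lend themselves to a simple triage rule. The following is an added example, not code from the article or from any of the vendors named; the telemetry format, the 16-character base64 floor and the burst threshold are assumptions, and the recovery column simply restates what the article says about each extension.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Indicators named in the article: the dropped binary and the extensions the
# different LockCrypt versions apply. The recovery column is the article's
# summary, not a guarantee for any particular sample.
DROPPED_BINARY = r"c:\windows\wwvcm.exe"
EXTENSION_RECOVERY = {
    ".1btc": "BitDefender decryption tool",
    ".lock": "contact Michael Gillespie",
    ".2018": "contact Michael Gillespie",
    ".mich": "contact Michael Gillespie",
    ".BI_D": "no decryptor available yet",
}

# The article says encrypted names are random base64-style strings, so the
# stem must look like one. The 16-character floor is an assumption that keeps
# ordinary files such as build.lock or archive.2018 out of the match.
BASE64_STEM = re.compile(r"^[A-Za-z0-9+]{16,}={0,2}$")
BURST_THRESHOLD = 3   # suspicious renames per host before alerting (assumption)

# Constructed sample telemetry, one event per line: host|action|detail
SAMPLE_EVENTS = """\
ws01|create|C:\\Windows\\wwvcm.exe
ws01|rename|C:\\Users\\amy\\Docs\\budget.xlsx -> C:\\Users\\amy\\Docs\\QWxsIHlvdXIgZmlsZXM=.1btc
ws01|rename|C:\\Users\\amy\\Docs\\notes.txt -> C:\\Users\\amy\\Docs\\dGhpcyBpcyBhIHRlc3Q=.1btc
ws01|rename|C:\\Users\\amy\\Pictures\\cat.png -> C:\\Users\\amy\\Pictures\\YW5vdGhlciBmaWxlIGhlcmU=.1btc
ws02|create|C:\\project\\build.lock
ws02|rename|C:\\project\\report.docx -> C:\\project\\archive.2018
ws03|rename|D:\\share\\plan.pdf -> D:\\share\\c29tZSByYW5kb20gYmFzZTY0.BI_D
"""


def parse_event(line):
    """Split one 'host|action|detail' telemetry line."""
    host, action, detail = line.split("|", 2)
    return host, action, detail


def looks_encrypted(path):
    """Return the LockCrypt extension if the file name fits the pattern, else None."""
    stem, ext = ntpath.splitext(ntpath.basename(path))
    if ext in EXTENSION_RECOVERY and BASE64_STEM.match(stem):
        return ext
    return None


def analyze(events_text):
    """Scan telemetry and report hosts with the dropped binary, per-host counts
    of LockCrypt-style renames, and the recovery route for each extension seen."""
    dropped = []
    renames = Counter()
    seen_ext = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, action, detail = parse_event(line)
        if action == "create" and detail.lower() == DROPPED_BINARY:
            dropped.append(host)
        elif action == "rename" and " -> " in detail:
            new_path = detail.split(" -> ", 1)[1]
            ext = looks_encrypted(new_path)
            if ext:
                renames[host] += 1
                seen_ext[ext].add(host)
    return {
        "dropped_binary_hosts": dropped,
        "burst_hosts": sorted(h for h, n in renames.items() if n >= BURST_THRESHOLD),
        "renames_per_host": dict(renames),
        "recovery": {ext: EXTENSION_RECOVERY[ext] for ext in seen_ext},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The name check matters more than the extension check: .lock and .2018 occur in ordinary file names, so matching the extension alone would page on every build directory, while the random base64 stem the article describes is what actually separates an encrypted file from a legitimate one.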