LockCrypt targets unsecured Windows enterprise servers via Remote Desktop Protocol (RDP) brute-force attacks. This ransomware was first documented in June 2017 and has infected machines throughout the United States, United Kingdom, South Africa, India, and the Philippines. LockCrypt is linked to the Satan RaaS (Ransomware-as-a-Service) through a common email address used in both attacks. Once a server is compromised, hackers connect to as many machines as possible and manually launch the LockCrypt ransomware on each one. LockCrypt leverages strong encryption, gains boot persistence, deletes shadow volume copies, and executes a batch file that kills all non-Windows core processes. Once encrypted, the ransomware appends .lock to the names of files and drops a ransom note named ReadMe.TxT onto the infected system. LockCrypt also provides a visual warning to users which directs them to the newly created ransom note. LockCrypt demands payment from victims ranging from 0.5 to 1 Bitcoin per server.
Extensions appended to encrypted file names:
.lock, .1btc, .1BTC, .mich
Email addresses associated with LockCrypt ransomware:
firstname.lastname@example.org, email@example.com, Satan-Stn@bitmessage.ch, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, Jacob_888jk@aol.com, Jacob_888jk@bitmessage.ch
- Bleeping Computer provides more information about LockCrypt here.
- The NJCCIC is aware of a free decryption tool available for LockCrypt. Victims who have been impacted by LockCrypt ransomware should contact the Malwarebytes support team, Malwarebytes researcher @hasherezade, independent security researcher Michael Gillespie @demonslay335, or request assistance via the Bleeping Computer LockCrypt support forum.