LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

November 9, 2017  |  Chris Doman

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers.

Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections.

LockCrypt doesn’t have heavy code overlaps with other ransomware. We've seen evidence that the attackers likely started out with easier-to-deploy “ransomware as a service” before re-investing in their own ransomware.

We have seen small businesses infected with LockCrypt in the US, UK, South Africa, India and the Philippines.

Initial Compromise

One target reported they were infected via RDP brute-forcing from a compromised mail server. The attackers then manually killed business critical processes for maximum damage.

We have seen lots of related activity from this IP:

initial compromise with LockCrypt ransomware

The Targets

Targets have reported paying between 0.5 and 1 Bitcoin per server - which translates at current prices to over $5000 per server. One business reported paying approximately $19,000 to recover three machines.

An earlier version included a BitCoin address in the ransomware note. That address received about $20,000 worth of Bitcoins from targets in July.

Ransom charged with LockCrypt malwareA photo of an infected machine taken by a target

Overview of Execution

LockCrypt overview of executionThe pop-up window and ransom message provided by the attackers to targets

LockCrypt encrypts files and renames them with a .lock extension. It also installs itself for persistence and deletes back-ups (volume shadow copies) to prevent an easy recovery.

It executes a batch file to kill all non-core processes - a very aggressive way of anti-virus and sandbox evasion.

LockCrypt kills all non-core processes to startLockCrypt then sends base64 encoded information about the infected machine to a server in Iran 

Ransomware proliferation?

The first versions of LockCrypt used an e-mail address that was previously connected to Satan Ransomware - an easy to use “ransomware as a service”.

To get the decryptеr you should pay for decrypt:

to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1Nez7W9ashFL4BA7vHuA5aoaad9XtqHKCF

 

Send screenshot of payment to mail support stn_satan@aol.com or Satan-Stn@bitmessage.ch

 

All your files have been encrypted due to a security problem with your PC

 

If you want to restore them, write us to the e-mail support stn_satan@aol.com or Satan-Stn@bitmessage.ch

Left - A ransom note from Satan Ransomware; Right - A ransom note from LockCrypt ransomware with matching contact details - A targeted business lost their accounting records to this malware

Many fear that ransomware creation services such as Satan could lead to attackers re-investing their criminal gain into more sophisticated schemes. It’s possible that has happened in this case.

Coincidentally, AlienVault recently discussed the threat posed by Satan ransomware in an interview with the BBC. Here's what the creation process looks like:

creating satan ransomwareThe Satan Ransomware Creation page

Prevention and Detection

Preventing RDP brute-forcing requires basic security hygiene such as:

  • Consider enforcing complex passwords and two-factor authentication on RDP access
  • Don’t allow incoming RDP connections from anywhere on the internet
  • Consider locking out users that have numerous failed login attempts

We have provided detection rules, Yara signatures, File-Hashes, payment e-mails and bitcoin addresses below.

How to detect these malicious behaviours in general

Indicators of compromise are useful for tracking malicious activity - but poor at detecting future malicious activity in general. Below we show how we detect LockCrypt in USM Anywhere:

How USM Anywhere detects LockCryptMass process killing with LockCryptUSM Anywhere detecting LockCrypt by failed logon to nonexistent account

Yara rules for file detection

rule lockcrypt {

       $a = "taskkill /f /im bcn1.exe" nocase wide ascii

$mz = { 4d 5a }

  condition:

$mz at 0 and $a

}


rule lockcrypt_text {

        $a = "Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe" nocase wide ascii

        $b = "You have to pay for decryption in Bitcoins. The price dependson" nocase wide ascii

    condition:

        any of them

}


rule lockcrypt_installer_packer {

    strings:

        $a = "c:\users\nachalnik\documents\visual" nocase wide ascii

        $b = "WshShell.Run chr(34) & "bcn1.exe" & Chr(34), 0" nocase wide ascii

    condition:

        any of them

}

 

BitCoin Addresses

17K5weJTPyc8Ktei8c58D2jSGbXZdWXQ2f

1Nez7W9ashFL4BA7vHuA5aoaad9XtqHKCF

 

E-Mail Addresses

jekr@aol[.]com

stnsatan@aol[.]com

Satan-Stn@bitmessage[.]ch

enigmax_x@aol[.]com

djekr@aol[.]com

jajanielse@aol[.]com

jajanielse@bitmessage[.]ch

 

File Hashes

1df3d4da1ef11373966f54a6d67c38a223229f272438e1c6ec7cb4c1ea3ff3e2

bf80ef6cfea9478bf69f247b59d17dab9ede4b74193234168ee6e3d55dc526e1

0948390b18338b460edf60beaf1a792d1d85dab64ec59b158fa2d47e78ad4373

dc892346618f8fe561a7219a59e7c6fd2e15ff463469a29708886a23f54157b9

0ab44a962ababbf4500b335171e25d930ae3b8356a50bc547979126007aa42c0

151cf4f4c5e2a90b57af8d22e085ebc5f8927cf8b14eeaade3adb271c11eb54f

64d6cc34ad16e2ecbaf7e71573ed222cfa16b710cc6ff79ab3cc3c1c6c4b1138

D69c972d578a3d4b15158ac14600f0e996113e510a4bc9815193c9e74740e612

Cdd61a00a8175f1753b55094be506bd9fc1a6511a3f0abeeed0216b1db17e95e

Bce16a425c37d2ad3280c19d4c64bc7ed037d29dabe3e34ab4941a245cb5ec34

722df6f33a9d11d841ce399a9081bac2788ce007474b0be9ee76efbf1f5a132b

3756c1fcf3f6404582a19c5e1fd23aa043cb71e85700bdf6b0e6df80593ad565

714546c621a797743f0bce6a8843611860d3392a7f3fcff5cf661d0a6bffa78b

 

IP Addresses Performing RDP Brute-Force Attacks

You can view IP addresses associated with related attacks here.

Ransom Note

All your files have beenencrypted!

All your files have been encrypted due to a security problemwith your PC. If you want to restore them, write us to the e-mail support: jajanielse@aol.com or jajanielse@bitmessage.ch

Write this ID in the title of your message

In case of no answer in 24 hours write us to theese e-mails support: jajanielse@aol.com or jajanielse@bitmessage.ch

You have to pay for decryption in Bitcoins. The price dependson how fast you write to us. After payment we will send you thedecryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 3 files for freedecryption. The total size of files must be less than 10Mb (nonarchived), and files should not contain valuable information.

(databases,backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. Youhave to register, click 'Buy bitcoins', and select the seller bypayment method and price.

https://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginnersguide here:

http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software,it may cause permanent data loss.

Decryption of your files with the help of third parties maycause increased price (they add their fee to our) or you can becomea victim of a scam.

 

{{IDENTIFIER}}

Your ID

Conclusion

LockCrypt ransomware doesn’t appear to be targeted - the attackers just opportunistically infect servers with RDP. But they do show an interest in manually interacting with systems for maximum impact, and the excessive fees they charge can put businesses that can’t afford to pay out of operation. We’ve provided some details on how to detect LockCrypt, and others like it, below. 

Share this with others

Get price Free trial