HackerCombat Special: Security Experts on the LockCrypt Ransomware

We at HackerCombat keep an eye on all discussions that happen, as regards hacking and cyber security. We follow the experts and their blogs/websites. We keep an eye on what’s happening in the realm of cyber security and we do check for what leading security firms say or do…

It seems that in the last four to five days everyone has started discussing LockCrypt Ransomware– how it emerged, how it spread et al. Well, it’s quite natural, we see new variants of the LockCrypt ransomware creating headaches for many leading entrepreneurs and corporates, and of course for smaller business firms too. LockCrypt definitely needs to be discussed, and that is what everyone seems to be doing…

On Thursday last, Chris Doman, Threat Engineer at Alien Vault authored a blog post titled ‘LockCrypt Ransomware Spreading via RDP Brute-Force Attacks‘, which discusses how small businesses in the US, UK, India, South Africa and the Philippines have been affected by the LockCrypt outbreak and also discusses how the ransomware spreads.

The very next day, Catalin Cimpanu, Security News Editor at Bleeping Computer, wrote a post titled ‘LockCrypt Ransomware Crew Started via Satan RaaS, Now Deploying Their Own Strain‘, which refers to the Alien Vault blog and discusses LockCrypt in detail.

Following suit, SecurityIntelligence came up with a piece authored by freelancer Douglas Bonderud, while SCMagazineUK.com too took to discussing LockCrypt.

Well, these experts seem to have discussed all aspects relating to the LockCrypt ransomware. So for us, there is not much left to say. We’d rather present, for our readers, a cross-section of what all has already been discussed, so as to help them get a clearer and very comprehensive picture. We present a compilation of extracts from the discussions done by these experts, for our readers-

Alien Vault

“LockCrypt doesn’t have heavy code overlaps with other ransomware. We’ve seen evidence that the attackers likely started out with easier-to-deploy “ransomware as a service” before re-investing in their own ransomware…We have seen small businesses infected with LockCrypt in the US, UK, South Africa, India and the Philippines….LockCrypt encrypts files and renames them with a .lock extension. It also installs itself for persistence and deletes back-ups (volume shadow copies) to prevent an easy recovery….It executes a batch file to kill all non-core processes – a very aggressive way of anti-virus and sandbox evasion….The first versions of LockCrypt used an e-mail address that was previously connected to Satan Ransomware – an easy to use “ransomware as a service”.

Bleeping Computer

“The LockCrypt gang usually breaks into one server, moves laterally to as many machines as possible, and manually runs the LockCrypt ransomware on each system…Each computer hit by LockCrypt shows a visual and ransom note…and files are encrypted and feature a new .lock extension…To decrypt locked data, victims must pay ransoms that usually vary between 0.5 and 1 Bitcoin per server, or between $3,500 and $7,000 per machine…Some companies may face ransom demands of hundreds of thousands of dollars, if attackers manage to compromise a larger number of systems.”

SecurityIntelligence

“LockCrypt got its start under the umbrella of the Satan ransomware-as-a-service (RaaS), which lets would-be attackers piggyback on existing malware code to infect corporate systems. As noted by ZDNet, the Satan HTML file uses RSA-2048 and AES-256 cryptography, making it difficult — if not impossible — for victims to recover files unless they’re willing to pay…The catch? Satan’s creators take a 30 percent share of all profits generated, making it a great entry-level option but not ideal for long-term gains…Early versions of LockCrypt used email addresses associated with the Satan RaaS, but more recent attacks have ditched Satan infection vectors in favor of brute-force remote desktop protocol (RDP) attacks that compromise unsecured enterprise servers and then move laterally to as many devices as possible.”