LockCrypt ransomware virus

September 20, 2018

What is LockCrypt

How does LockCrypt work


LockCrypt is a malicious ransomware virus that appends .lock, .1btc, .mich, .badnews and other file extensions to targeted files. It has been updated several times; the latest update came at the end of summer 2018. The ransomware has been actively distributed via Remote Desktop Services (RDS). The initial version is known for targeting enterprise servers, which raises the chances of collecting huge ransoms; the other variants are aimed at individual PC users. Following the encryption, LockCrypt ransomware drops a ReadMe.txt file on the desktop and demands a ransom in Bitcoin. Fortunately, some versions are already decryptable.


In the middle of April 2018, ransomware researchers finally managed to crack the LockCrypt code and developed a free decryptor. Those who have been affected by this ransomware should contact the ransomware researcher Michael Gillespie (@demonslay335) to decrypt their files. Before that, make sure that you have removed LockCrypt successfully. Use an anti-malware tool or Norton Internet Security to perform a full system scan.


The LockCrypt ransomware was cracked after a researcher detected a weakness in its encryption algorithm. According to the latest reports, this piece of malware did not reach mainstream distribution since it narrowed its targets to organizations. The crooks found it easy to brute-force unprotected RDP servers. However, the unprofessional design allowed white hats to find a way to decode the files.

Following data encryption, LockCrypt ransomware drops a ReadMe.txt file on the desktop, and this file explains what has happened. The ransomware informs the victim that all data has been encrypted and that, in order to reverse the encryption, the victim has to pay for decryption. The ransom note doesn’t reveal the exact price the victim has to pay; it only commands the victim to write to:

d_dukens@aol.com, d_dukens@bitmessage.ch, enigmax_x@aol.com, enigmax_x@bitmessage.ch, BM-2cTAPjtTkqiW2twtykGm5mtocFAz7g5FZc@bitmessage.ch.

The full text of the ransom note:

According to the criminals, the price of the ransom depends on how fast the victim manages to reach out to them. The attackers offer to decrypt three small files for free to prove that they have the decryption tool, that the files are not permanently corrupted, and that there is no need to consider LockCrypt ransomware removal. The total size of the files used to test the decryption should be no larger than 10Mb (non-archived) and, according to the fraudsters, “should not contain valuable information.”

If you were infected with this ransomware variant, we suggest you remove LockCrypt using anti-malware software and try to recover your files using alternative methods. However, the chances of restoring data using third-party software are not high because the ransomware is designed to delete Shadow Volume Copies.

How to delete LockCrypt

At the end of February 2018, cybersecurity experts detected a new version of the infamous LockCrypt ransomware, which is also disseminated via accessible Remote Desktop Services. Although its behavior coincides with that of its ancestor, the latest version uses a base64 encryption strategy and appends the .1btc file extension to each locked file.


After successful file encryption, the .1btc file extension virus generates a text file named Restore Files.TxT, which contains the victim’s ID and detailed instructions on how to make the payment. The victim is asked to contact the extortionists within 24 hours via email at Jacob_888jk@aol.com or Jacob_888jk@bitmessage.ch. According to the extortionists, the price of the decryption key depends on how fast the victim contacts them, though, judging by the file extension appended, they may demand 1 Bitcoin.

Unfortunately, the .1btc file extension ransomware is not decryptable for free. One way to get your files back is to pay the ransom and hope that the criminals send you a key. However, the better idea is to remove the .1btc file extension virus with an anti-virus tool and try to decrypt files using alternative methods.

To prevent brute-force attacks via Remote Desktop Services, in which hackers log in to a target computer and execute the ransomware, the service must be locked down correctly. A PC running Remote Desktop Services should be placed behind a VPN so that nobody without a VPN account on your network can reach it.

It seems that cyber criminals cannot forgive malware researchers for breaking the ransomware’s code. They created a brand new variant of LockCrypt with improved functionality. The virus uses a combination of the AES-256 and RSA-2048 encryption algorithms to lock various files on the affected computer. The AES key used for encryption is saved at C:\Windows\DECODE.KEY. This DECODE.KEY and a private RSA key are both needed for file decryption.

However, analysis showed that the malware might fail to save DECODE.KEY, and it does not check whether this step completed correctly. Therefore, if this file is missing, decryption of the files is impossible. This is clear proof that the hackers have no intention of recovering the files, so you should not take the risk of paying the demanded ransom.

During the encryption procedure, the malware appends a unique file extension of the form id-<ID>.BI_D, where the ID is a unique identification number that the ransomware assigns to each victim. Therefore, after the attack, an encrypted .png file might look like this: filename.png id-R4ohq2idY4.BI_D.
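The renaming pattern above, together with the extensions and ransom-note names quoted elsewhere on this page, is enough to write a small triage scanner for a file listing. The following is an added example written for this page, not code from the original article or from any researcher it cites; the directory listing it scans is constructed, and the victim ID in it is the one quoted on the page.

```python
import re
from collections import Counter
from typing import Optional

# File extensions the article attributes to the earlier LockCrypt variants.
LOCKCRYPT_EXTENSIONS = (".lock", ".1btc", ".mich", ".badnews")

# The later variant renames "name.ext" to "name.ext id-<victim id>.BI_D"
# (note the space before "id-"), as in the page's example
# "filename.png id-R4ohq2idY4.BI_D".
BI_D_PATTERN = re.compile(r"^(?P<original>.+) id-(?P<victim_id>[A-Za-z0-9]+)\.BI_D$")

# Ransom-note file names quoted on the page, compared case-insensitively
# because one variant writes "Restore Files.TxT".
RANSOM_NOTE_NAMES = {"readme.txt", "restore files.txt", "how to restore files.txt"}


def classify_name(name: str) -> Optional[dict]:
    """Return an indicator record for one file name, or None if nothing matches."""
    lower = name.lower()
    if lower in RANSOM_NOTE_NAMES:
        return {"type": "ransom_note", "name": name}
    match = BI_D_PATTERN.match(name)
    if match:
        return {
            "type": "encrypted",
            "variant": ".BI_D",
            "original": match.group("original"),
            "victim_id": match.group("victim_id"),
        }
    for ext in LOCKCRYPT_EXTENSIONS:
        if lower.endswith(ext):
            return {
                "type": "encrypted",
                "variant": ext,
                "original": name[: -len(ext)],
                "victim_id": None,
            }
    return None


def summarize_listing(names) -> dict:
    """Classify every name in a listing and aggregate what was found."""
    summary = {
        "encrypted": 0,
        "ransom_notes": 0,
        "variants": Counter(),
        "victim_ids": Counter(),
        "hits": [],
    }
    for name in names:
        record = classify_name(name)
        if record is None:
            continue
        summary["hits"].append(record)
        if record["type"] == "ransom_note":
            summary["ransom_notes"] += 1
        else:
            summary["encrypted"] += 1
            summary["variants"][record["variant"]] += 1
            if record["victim_id"]:
                summary["victim_ids"][record["victim_id"]] += 1
    return summary


# Constructed directory listing (not from a real incident) mixing clean files,
# two LockCrypt naming styles and two ransom-note names.
SAMPLE_LISTING = [
    "budget.xlsx.lock",
    "photo.png id-R4ohq2idY4.BI_D",
    "ReadMe.txt",
    "report.docx.1btc",
    "Restore Files.TxT",
    "notes.txt",
    "scan.pdf id-R4ohq2idY4.BI_D",
]

if __name__ == "__main__":
    result = summarize_listing(SAMPLE_LISTING)
    print(f"encrypted files: {result['encrypted']}, ransom notes: {result['ransom_notes']}")
    print("variants seen:", dict(result["variants"]))
    print("victim ids seen:", dict(result["victim_ids"]))
```

An extension-only hit such as .lock is weak on its own, since lock files with that suffix are common on clean systems; treat it as LockCrypt only when a ransom note or the id-<ID>.BI_D pattern appears in the same tree. The victim ID counter is useful during response because one ID per host is what you expect, and more than one in a single share points at several infected machines writing to it.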

Following the encryption, LockCrypt ransomware drops a ransom note called How To Restore Files.txt, in which victims are asked to contact the criminals via bog_decryptor@aol.com and pay the demanded amount of Bitcoin. Those who are interested in this offer have to send DECODE.KEY and 2-3 encrypted files:

However, security specialists do not recommend following such orders. Instead, remove the LockCrypt ransomware virus to clean and protect your computer.

The Satan RaaS (Ransomware-as-a-Service) portal was launched in January 2017 and lets beginners create their own customized version of the Satan ransomware. Recent analysis has shown that LockCrypt might have been created using this source code.


In November, researchers also reported that an IP address that might be used by the attackers (212.111.192.203) is associated with the Ministry of Education and Science of Ukraine. However, it’s no secret that criminals may manipulate their IP addresses in order to evade prosecution. Other research claims that LockCrypt sends information about the affected device to a remote server in Iran.

Despite the fact that the cyber criminals started their illegal project using Satan’s source code, they managed to develop a strong file-encrypting virus. It has already affected businesses in the US, UK, South Africa, India, and the Philippines.

According to the latest data, LockCrypt uses strong, unbreakable encryption to corrupt files on the affected device. Currently, there’s no way to restore the encrypted files, due to the ransomware’s ability to delete Shadow Volume Copies.

The crypto-virus also modifies the system so that it runs at system startup, and it runs a batch file to kill non-core processes related to the computer’s security and data-recovery capabilities. It is therefore undoubtedly strong file-encrypting malware.

However, victims of the ransomware are advised not to contact the criminals or pay the ransom. They might blackmail you into paying more money and never provide a decryption key. Thus, you should take care of LockCrypt removal rather than buying Bitcoin and transferring it to fraudsters.

RDP brute-force attacks are used for getting into computers

Unlike the majority of file-encrypting viruses, LockCrypt’s distribution does not rely on malicious spam emails. The authors of the ransomware use Remote Desktop Protocol (RDP) brute-force attacks that allow them to infect unsecured enterprise servers. To avoid these attacks, you should follow these tips:

  1. Set hard-to-guess passwords.
  2. Control the number of administrator accounts.
  3. Use a different account name for the Administrator account.
  4. Enable two-factor authentication.
  5. Set a number of failed login attempts after which the account is locked if the wrong credentials are entered.
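The lockout tip above and the RDP lockdown advice earlier on this page are preventive; the other half is noticing a brute-force run while it happens. The following is an added example written for this page, not code from the original article or any tool it mentions. It applies the same "failed attempts within a window" logic as an account lockout policy to a constructed, simplified rendering of Windows Security log records (the line format, addresses and account names are made up for the example; the event IDs 4625/4624 and logon types 3 and 10 are the real Windows values).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified rendering of Windows Security log records (not real
# event-log output): timestamp, event ID, logon type, source address, account.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); with Network Level Authentication enabled, failed
# RDP attempts are commonly recorded as type 3 (Network) instead, so both are
# counted. Source addresses are from the TEST-NET documentation ranges.
SAMPLE_LOG = """\
2018-02-27T03:15:01Z 4625 LogonType=10 Source=203.0.113.45 Account=administrator
2018-02-27T03:15:09Z 4625 LogonType=10 Source=203.0.113.45 Account=administrator
2018-02-27T03:15:20Z 4625 LogonType=3 Source=203.0.113.45 Account=admin
2018-02-27T03:15:31Z 4625 LogonType=3 Source=203.0.113.45 Account=admin
2018-02-27T03:15:44Z 4625 LogonType=10 Source=203.0.113.45 Account=backup
2018-02-27T03:16:02Z 4625 LogonType=10 Source=203.0.113.45 Account=backup
2018-02-27T03:20:00Z 4625 LogonType=10 Source=198.51.100.7 Account=jsmith
2018-02-27T03:20:15Z 4624 LogonType=10 Source=198.51.100.7 Account=jsmith
2018-02-27T09:41:10Z 4625 LogonType=10 Source=198.51.100.7 Account=jsmith
2018-02-27T10:02:33Z 4625 LogonType=2 Source=- Account=console
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Source=(?P<src>\S+) Account=(?P<acct>\S+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m.group("event")),
        "logon_type": int(m.group("ltype")),
        "source": m.group("src"),
        "account": m.group("acct"),
    }


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5),
                          logon_types=(3, 10)):
    """Flag sources with at least `threshold` failed remote logons inside a sliding window.

    Returns {source: {"failures", "accounts", "first", "last"}} for flagged sources.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == 4625 and rec["logon_type"] in logon_types:
            failures[rec["source"]].append(rec)

    alerts = {}
    for source, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()
        for rec in recs:
            recent.append(rec)
            # Drop attempts that have fallen out of the window.
            while rec["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts[source] = {
                    "failures": len(recent),
                    "accounts": sorted({r["account"] for r in recent}),
                    "first": recent[0]["ts"],
                    "last": rec["ts"],
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed RDP logons between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}, "
              f"accounts tried: {', '.join(info['accounts'])}")
```

The threshold and window are the same two numbers a lockout policy takes, so the detector and the policy can be kept in step. The list of distinct accounts in the window matters as well: a real user mistyping a password hits one account, whereas an attacker cycling through administrator, admin and backup from one address is spraying names, which a per-account lockout alone will not catch.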

You should remove the LockCrypt virus by following the instructions given below and delete the virus while in Safe Mode with Networking. Reboot your PC into that mode and start anti-malware or anti-spyware software to remove the virus for you. We recommend using an anti-malware tool or Norton Internet Security for this task.

Please do not try to perform manual LockCrypt ransomware removal – ransomware viruses are too sophisticated and dangerous, and inexperienced computer users can simply overlook some of their malicious components. It goes without saying that leaving them on the system poses a threat to the user’s privacy and the computer’s security.

Stage 1: Delete Browser Extension

First of all, we would recommend that you check your browser extensions and remove any that are linked to LockCrypt. A lot of adware and other unwanted programs use browser extensions in order to hijack internet applications.

Remove LockCrypt Extension from Google Chrome

  1. Launch Google Chrome.
  2. In the address bar, type: chrome://extensions/ and press Enter.
  3. Look for LockCrypt or anything related to it, and once you find it, press ‘Remove’.

Uninstall LockCrypt Extension from Firefox

  1. Launch Mozilla Firefox.
  2. In the address bar, type: about:addons and press Enter.
  3. From the menu on the left, choose Extensions.
  4. Look for LockCrypt or anything related to it, and once you find it, press ‘Remove’.

Delete LockCrypt Extension from Safari

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Select Preferences from the list.
  4. Choose the Extensions tab.
  5. Look for LockCrypt or anything related to it, and once you find it, press ‘Uninstall’.
  6. Additionally, open Safari Settings again and choose Downloads.
  7. If LockCrypt.safariextz appears on the list, select it and press ‘Clear’.

Remove LockCrypt Add-ons from Internet Explorer

  1. Launch Internet Explorer.
  2. From the menu at the top, select Tools and then press Manage add-ons.
  3. Look for LockCrypt or anything related to it, and once you find it, press ‘Remove’.
  4. Reopen Internet Explorer. In the unlikely scenario that LockCrypt is still in your browser, follow the additional instructions below.
  5. Press Windows Key + R, type appwiz.cpl and press Enter
  6. The Program and Features window will open where you should be able to find the LockCrypt program.
  7. Select LockCrypt or any other recently installed unwanted entry and press ‘Uninstall/Change’.

Alternative method to clear the browser from LockCrypt

There may be cases when adware or PUPs cannot be removed by simply deleting extensions or codes. In those situations, it is necessary to reset the browser to its default configuration. If you notice that the infection is still present even after getting rid of suspicious extensions, follow the instructions below.

Use Chrome Clean Up Tool to Delete LockCrypt

  1. Launch Google Chrome.
  2. In the address box, type: chrome://settings/ and press Enter.
  3. Expand Advanced settings, which you can find by scrolling down.
  4. Scroll down until you see Reset and Cleanup.
  5. Press on Clean up computer. Then press Find.

This Google Chrome feature is supposed to clear the computer of any harmful software. If it does not detect LockCrypt, go back to the Clean up computer and reset settings.


Reset Mozilla Firefox to Default

If you still find LockCrypt in your Mozilla Firefox browser, you should be able to get rid of it by restoring your Firefox settings to default. While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.

  1. Launch Mozilla Firefox
  2. Into the address box, type: about:support and press Enter.
  3. You will be redirected to a Troubleshooting Information page.
  4. From the menu on the right side, select Refresh Firefox.
  5. Confirm your choice by clicking Refresh Firefox in the new window.
  6. Your browser will close automatically in order to successfully restore the settings.
  7. Press Finish.

Reset Safari Browser to Normal Settings

  1. Launch Safari.
  2. Press on the Safari Settings icon, which you can find in the upper-right corner.
  3. Press Reset Safari.
  4. A new window will appear. Select the boxes of what you want to reset or use the screenshot below to guide you. Once you have selected everything, press ‘Reset’.
  5. Restart Safari.

Restore Internet Explorer to Default Settings

  1. Launch Internet Explorer.
  2. From the top menu, press on Tools and then Internet Options.
  3. In the new window that opens, choose the Advanced tab.
  4. At the bottom of the window, below Reset Internet settings, there will be a ‘Reset’ button. Press that.

While extensions and plug-ins will be deleted, this will not touch your browser history, bookmarks, saved passwords or Internet cookies.
