AutoLocky Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 11,155 |
|---|---|
| Threat Level: | 100 % (High) |
| Infected Computers: | 13,620 |
| First Seen: | April 19, 2016 |
| Last Seen: | January 13, 2026 |
| OS(es) Affected: | Windows |
The AutoLocky Ransomware is a ransomware Trojan that tries to impersonate the infamous Locky ransomware Trojan but fails. The AutoLocky Ransomware is poorly implemented and not particularly effective. It seems that the AutoLocky Ransomware tries to trick computer users into believing that their computer was infected by Locky, a known ransomware Trojan that can be devastating when it attacks a computer. The AutoLocky Ransomware refers to itself as 'Locky' and adds the extension '.Locky' to the encrypted files, in the same way as Locky. However, after a more thorough analysis of the AutoLocky Ransomware, PC security researchers have found that the AutoLocky Ransomware's ransom note is entirely different from Locky's. The AutoLocky Ransomware also does not use TOR or other anonymizing methods to communicate with its Command and Control server. The AutoLocky Ransomware is written in AutoIt, a fairly primitive scripting language, rather than in Visual C++, which is associated with more sophisticated threats. It is highly likely that the AutoLocky Ransomware is the work of amateurs attempting to profit in the short term by creating scripts with readily available, unsophisticated tools.
Thankfully there is a Solution for the Files Encrypted by the AutoLocky Ransomware
PC security analysts quickly found vulnerabilities in the AutoLocky Ransomware's script, making it quite simple to decrypt the files that the AutoLocky Ransomware has encrypted. PC security analysts have also managed to pinpoint the most common distribution method for the AutoLocky Ransomware. If your computer has been infected by the AutoLocky Ransomware, follow the instructions below to deal with this threat:
- The first thing you will want to do when infected with the AutoLocky Ransomware is to look through your start-up folder to find the executable file that is launching the AutoLocky Ransomware when you start up your computer.
- Use the Task Manager and end that executable file's process. Once you have done this, it should be possible to delete the executable file from your computer.
- Once you have removed the AutoLocky Ransomware's file and start-up link, it is possible to decrypt your files. A quick search through your preferred PC security source should help you find a decryption utility for the AutoLocky Ransomware, created by PC security researchers.
- Download the decryption utility and follow the instructions to proceed. It should generate the decryption key without any need for you to pay the ransom.
How the AutoLocky Ransomware Infection Works
The AutoLocky Ransomware may be the first encryption ransomware Trojan created with AutoIt or a similar scripting tool. AutoIt was originally intended to help automate certain tasks on computers; it has since grown into a powerful scripting language that can be used to carry out many different tasks. The main weakness of scripts built with AutoIt is that the compiled executable can be decompiled back into a readable script. This lets security researchers analyze the code of the original script as it existed before it was compiled into an executable file, and having this kind of access to a threat's code makes dealing with it a trivial matter.
Overall, the AutoLocky Ransomware's infection method is pretty standard. The AutoLocky Ransomware executable file uses an icon identical to Adobe Reader's. The AutoLocky Ransomware targets the file extensions most commonly targeted by other ransomware Trojans. After encrypting the victim's files, the AutoLocky Ransomware creates a text file and an HTML file on the victim's Desktop containing payment instructions. The AutoLocky Ransomware uploads the victim's encryption key to its Command and Control server, located at the domain crazyloading.cc. One additional weakness of the AutoLocky Ransomware is that it does not delete the Shadow Volume Copies of the files it has encrypted. In theory this allows computer users to recover their files with a Shadow Volume reader or similar tool, although that is unnecessary at this point because a decryption utility is readily available. When dealing with an unknown threat, regardless of its claims, the affected PC user should take steps to check whether PC security researchers have found a solution; as with the AutoLocky Ransomware, things may not be as bad as they seem!
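The following read-only triage script is an added example, not part of the EnigmaSoft page, that checks the indicators named in the removal steps above and in the infection description: startup entries, files carrying the '.Locky' extension, ransom notes on the Desktop, surviving shadow copies, and cached DNS lookups of the crazyloading.cc domain. It assumes a Windows host with PowerShell 3 or later and an interactive session as the affected user; it lists findings and changes nothing.

```powershell
# Added triage example (not from the EnigmaSoft page). Read-only: nothing is
# stopped, deleted or modified. Assumes Windows, PowerShell 3+, run as the
# affected user; the shadow-copy query needs an elevated prompt.

Write-Host "== Startup folder entries (where AutoLocky's launcher is expected) =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

Write-Host "== Run key values (other common autostart locations) =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { '{0}: {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}

Write-Host "== Files renamed with the .Locky extension under the user profile =="
$locky = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.locky' `
    -ErrorAction SilentlyContinue)
'Count: {0}' -f $locky.Count
$locky | Select-Object -First 5 FullName

Write-Host "== Text/HTML ransom notes dropped on the Desktop =="
Get-ChildItem -Path ([Environment]::GetFolderPath('Desktop')) -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.txt', '.html' } |
    Select-Object Name, LastWriteTime

Write-Host "== Shadow copies (AutoLocky does not delete them; recovery path if needed) =="
Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Select-Object ID, InstallDate, VolumeName

Write-Host "== Cached DNS lookups of the reported C2 domain =="
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*crazyloading.cc*' } |
    Select-Object Entry, Data
```

Review the startup-folder and Run-key listing first, then end the matching process in Task Manager and remove the file, as the steps above describe, before running the public decryption utility.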
Analysis Report
General information
| Family Name: | Dehd/IFLA Ransomware |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.
| MD5: | c528917827ade1b923fa8881e16caccd |
|---|---|
| SHA1: | a850ad71d355551d121101bdfb85a484c7a5065f |
| SHA256: | 414EBCE88D9C8B5561189D3AD8B558D33C2ED8D09521127A33D870B67CE40878 |
| File Size: | 242.69 KB, 242688 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have security information
- File has exports table
- File is 32-bit executable
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.
| Name | Value |
|---|---|
| Company Name | AVerMedia TECHNOLOGIES, Inc. |
| File Description | AVerGraphAPI for For AVerMedia Game In |
| File Version | 2, 0, 10, 0 |
| Internal Name | AVerGraphAPI |
| Legal Copyright | Copyright (C) AVerMedia TECHNOLOGIES, Inc. |
| Original Filename | AVerGraphAPI .dll |
| Product Name | AVerGraphAPI for For AVerMedia Game In |
| Product Version | 2, 0, 10, 0 |
File Traits
- dll
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 866 |
|---|---|
| Potentially Malicious Blocks: | 22 |
| Whitelisted Blocks: | 733 |
| Unknown Blocks: | 111 |
Visual Map (block map image; legend: ? marks an unknown block, x marks a potentially malicious block)
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Stop.S
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
API categories observed:
- Syscall Use
- Process Manipulation Evasion
- Process Shell Execute
- Anti Debug
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\a850ad71d355551d121101bdfb85a484c7a5065f_0000242688.,LiQMAxHB