LazagneCrypt Ransomware

The LazagneCrypt Ransomware is a file encoder threat with the added functionality of a password stealer. The LazagneCrypt Ransomware supports generic data encryption features and uses legitimate tools to collect and upload the collected user credentials to a cloud service. The Trojan is named after the 'LaZagne' open-source project at github.com/AlessandroZ/LaZagne created by AlessandroZ, which is implemented by the threat authors. There is no evidence to suggest a link between AlessandroZ and the people responsible for the LazagneCrypt Ransomware. The LazagneCrypt Trojan is not the first threatening program to include an open-source code. The threat is introduced to computers via spam emails and macro-enabled Microsoft Word documents.

The attack is carried out with administrative privileges and file objects like photos, music, movies, databases, presentations, text, spreadsheets, PDFs, and eBooks are enciphered using a custom AES-256 cipher. The encrypted data containers are marked with the '.encr' extension the same way the '.kukaracha File Extension' Ransomware and the '.ecc File Extension' Ransomware work. For example, 'Andrew W.K. - Music Is Worth Living For.mp3' is renamed by LazagneCrypt to 'Andrew W.K. - Music Is Worth Living For.mp3.encr.' The LazagneCrypt Ransomware may feature generic encryption algorithms, but it aims to collect the user's logins too. Malware researcher found that the LazagneCrypt Ransomware is designed to execute a slightly modified copy of AlessandroZ's LaZagne password recovery tool and export the extracted logins to a text file. Unfortunately, the LaZagne tool is used to collect credentials from:

• Sysadmin tools like:
  CoreFTP; FileZilla; OpenSSH; WinSCP; FTPNavigator.
• Browsers like:
  Google Chrome; Mozilla Firefox; Opera; Internet Explorer.
• IM clients like:
  Skype; Pidgin; Jitsi.
• Database managers like:
  DBvisualizer; Robomongo; Squirrel; SQLdeveloper.
• Email clients like:
  Outlook; Thunderbird.
• Your WiFi network and your Windows hashes.

The LazagneCrypt Ransomware utilizes the SwissDisk sDrive software (swissdisk.com) to upload the user credentials to an encrypted account on the sDrive platform. The LazagneCrypt Ransomware is reported to run as 'brc.exe' on compromised devices. The team behind the LazagneCrypt Trojan is known to use the 'wfmmp8@sigaint.org' email account for negotiations with affected users. It is recommended to avoid contact with 'wfmmp8@sigaint.org' and you should use backup images to recover from the attack. The best way to mitigate permanent damages to your file system is by creating backup images as often as possible and using a reliable anti-malware solution. AV engines tag the files created by the LazagneCrypt Ransomware as:

• Trojan.Ransom.LazagneCrypt
• Virus.Ransom.Hiddentear!c
• MSIL/Agent.BIL!tr.spy
• Artemis!9FE1DEEE2CBD
• a variant of MSIL/Spy.Agent.BIL
• Spyware ( 005237891 )
• Ransom_LAZAGNECRYPT.THAOKAH
• Win32/Trojan.Ransom.863

The ransom note is presented as a link named — Security.lnk — to a page on the Open Web, which offers the following message:

'Personal files on your computer have been encryptedwith strong AES encryptionusing a unique key generated for your computer.
Any attempt to decrypt your files or remove this program will render your files unaccessible forever!
-
If you wish to regain access to your files, please transfer as soon as possible
If you fail to comply within 36h, the ransom will be raised. You have been warned.
After we have received your payment, all encrypted files on your computer will be unencrypted automatically.
If you're not familiar with bitcoins, you can buy them via PayPal or bank transfer at: xxxx://anycoindirect.eu/
-
You can also send emails cursing us or wishing us death, so that emails from people who paid and really need help won't be read.
-
We have received your payment and will now proceed to decrypt your files.
Please do not close this window or shut down your computer until the process is finished.
-
I already paid, but my filesare not being decrypted.
We will look into the problem and, if we need your assistance in solving it, send you instructions on how to decrypt your files.'

SpyHunter Detects & Remove LazagneCrypt Ransomware