Locky Locker Ransomware

Locky Locker Ransomware Description

The Locky Locker Ransomware Trojan is a data encryption Trojan that was identified on July 30th, 2018. Computer security researchers alerted that the threat payload may be dropped to machines using free software bundles made with InnoSetup, which is a legitimate tool aimed at software publishers. There are reports indicating that the Locky Locker Ransomware is dropped to regular PCs as 'Facture_25.07.2018_991030.exe,' which downloads two other files on the compromised system. The downloader associated with the Locky Locker Ransomware was observed to drop the following objects to the Temp directory on the primary system drive:

  • %TEMP%\is-7RU1O.tmp\lock.exe — it used to encode the user's data
  • %TEMP%\is-2G302.tmp\Facture_25.07.2018_991030.tmp — contains commands that allow the Trojan to delete its files after it has encrypted the user's data

It should be noted that the Locky Locker Ransomware has nothing to do with the infamous Locky RaaS. The Locky Locker Ransomware is an imposter that tries to use the success of another threat to convince users to pay for a decryptor. The Locky Locker Ransomware may run as 'lock.exe' and remove the Shadow Volume snapshots on Windows. This particular Trojan is very similar to the AutoLocky Ransomware and the Locky Diablo6 Ransomware that imitates the real Locky Ransomware. Infected users may find the '.locky' extension attached to their data and find 'LOCKY-README.txt' on their desktops. For example, 'Manu Pilas - Bella Cia.mp3' is renamed to 'Manu Pilas - Bella Cia.mp3.locky.' The ransom note reads:

'Please be adviced:
All your files, pictures document and data has been encrypted with Military Grade Encryption RSA AES-256.
Your information is not lost. But Encrypted.
In order for you to restore your files you have to purchase Decrypter.
Follow this steps to restore your files.

1* Download the Tor Browser. ( Just type in google "Download Tor" ).
2* Browse to URL : [URL to a TOR-based page]
3* Purchase the Decryptor to restore your files.

It is very simple. If you don't believe that we can restore your files, then you can restore 1 file of image format for free.
Be aware the time is ticking. Price will be doubled every 96 hours so use it wisely.

Your unique ID : [random characters]

CAUTION:
Please do not try to modify or delete any encrypted file as it will be hard to restore it.

SUPPORT:
You can contact support to help decrypt your files for you.
Click on support at [TOR URL]

--------BEGIN BIT KEY---------
[random characters]
--------END BIT KEY-----------'

If you choose to follow the instructions laid out in 'LOCKY-README.txt' and run the TOR Browser, you will arrive at hxxp://4wcgqlckaazugwzm[.]onion/index.php. The page features a brief message and a login form that you may use to download a decryptor if you have made a payment to a dedicated Bitcoin wallet. Researchers found that the Locky Locker Ransomware operators offer support in English, French, Italian and Korean, which suggests that there is a wide distribution network for the threat. The TOR page associated with the Locky Locker Ransomware displays the following text:

'Locky
Unlock Your File In Minutes!
Need Help?

Your files are encrypted using Locky Locker
You have a chance to restore your files by
Downloading Locky Decryptor
And restore all your files
Be aware that no other decryptor will work for you.
You can try but remember price double every 96 hour
So act fast.'

The 'Command and Control' server for the Locky Locker Ransomware was found at hxxp://centredentairenantes[.]fr/wp-system.php and the threat authors may demand a payment of $1300 via Bitcoin for a decryptor. You may wish to remove the Locky Locker Ransomware using a reputable anti-malware instrument and boot backups. Unfortunately, there is no reliable way to rebuild your files structure without using some forms of backups (backup images, compressed folders, system recovery disks, Google Drive and similar products). AV companies are known to flag the files related to the Locky Locker Ransomware by using the following detection names:

Artemis!7FEB43DA4AEF
Mal/Generic-S
Python/Filecoder.BL
Ransom_Agent.R011C0OGT18
TR/Ransom.mnafx
Trojan-Ransom.Python.Agent.p
Trojan.Encoder.25732
Trojan.GenericKD.40350015
Trojan.GenericKD.Win32.122674
Trojan/Win32.Agent.C2265541
Win32.Trojan.Agent.MOHHDZ