Decryption tool released for Locky ransomware impersonator

AutoLocky ransomware has a “laughable” flaw.

A decryption tool has been released for a crypto-malware variant that loves to impersonate the now-infamous Locky ransomware.

At this time, it is not known how AutoLocky, an apparent wannabe of the Locky ransomware, is being distributed.

As it uses an Adobe PDF icon, Lawrence Abrams of Bleeping Computer reasons that AutoLocky could be circulating as a fake email attachment. Abrams goes on to note that AutoLocky shares Locky's habit of changing the file extension to .locky:

"Once installed, AutoLocky will scan all fixed drives for targeted data files and encrypt them using the AES-128 algorithm. When a file is encrypted, the ransomware will append the .locky extension on to the filename."

The list of file types targeted by AutoLocky is extensive, maximising its opportunities to wreak havoc for users who have not backed up their data securely:

.docm, .docx, .dot, .doc, .txt, .xls, .xlsx, .xlsm, .7z, .zip, .rar, .jpeg, .jpg, .bmp, .pdf, .ppsm, .ppsx, .ppam, .potm, .potx, .pptm, .pptx, .pps, .pot, .ppt, .xlw, .xll, .xlam, .xla, .xlsb, .xltm, .xltx, .xlm, .xlt, .xml, .dotm, .dotx, .odf, .std, .sxd, .otg, .sti, .sxi, .otp, .odg, .odp, .stc, .sxc, .ots, .ods, .sxg, .stw, .sxw, .odm, .oth, .ott, .odt, .odb, .csv, .rtf, .accdr, .accdt, .accde, .accdb, .sldm, .sldx, .drf, .blend, .apj, .3ds, .dwg, .sda, .ps, .pat, .fxg, .fhd, .fh, .dxb, .drw, .design, .ddrw, .ddoc, .dcs, .wb2, .psd, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .pl, .py, .lua, .css, .js, .asp, .php, .incpas, .asm, .hpp, .h, .cpp, .c, .csl, .csh, .cpi, .cgm, .cdx, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .cdr, .awg, .ait, .ai, .agd1, .ycbcra, .x3f, .stx, .st8, .st7, .st6, .st5, .st4, .srw, .srf, .sr2, .sd1, .sd0, .rwz, .rwl, .rw2, .raw, .raf, .ra2, .ptx, .pef, .pcd, .orf, .nwb, .nrw, .nop, .nef, .ndd, .mrw, .mos, .mfw, .mef, .mdc, .kdc, .kc2, .iiq, .gry, .grey, .gray, .fpx, .fff, .exf, .erf, .dng, .dcr, .dc2, .crw, .craw, .cr2, .cmt, .cib, .ce2, .ce1, .arw, .3pr, .3fr, .mdb, .sqlitedb, .sqlite3, .sqlite, .sql, .sdf, .sav, .sas7bdat, .s3db, .rdb, .psafe3, .nyf, .nx2, .nx1, .nsh, .nsg, .nsf, .nsd, .ns4, .ns3, .ns2, .myd, .kpdx, .kdbx, .idx, .ibz, .ibd, .fdb, .erbsql, .db3, .dbf, .db-journal, .db, .cls, .bdb, .al, .adb, .backupdb, .bik, .backup
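Because AutoLocky appends `.locky` to the filename rather than replacing the original extension, a responder can recover each file's original name and type directly from the encrypted name, which is useful for scoping an incident and for checking that what is on disk matches the behaviour described above. The following triage helper is an added example written for this page; it is not code from Emsisoft, the researcher, or the article, and the directory listing and the (shortened) extension list it uses are constructed here.

```python
"""Triage helper for AutoLocky-style encrypted files (added example, not the
decryptor's code).  Given file paths, it finds names carrying the appended
``.locky`` suffix, recovers the original path and extension, and compares the
original extension with the list of targeted file types quoted above."""
import ntpath  # handles both '\\' and '/' separators, also when run on POSIX
from collections import Counter

# Constructed subset of the targeted extensions quoted in the article;
# extend it with the full list from the page for real use.
TARGETED_EXTENSIONS = {
    ".docm", ".docx", ".dot", ".doc", ".txt", ".xls", ".xlsx", ".xlsm",
    ".7z", ".zip", ".rar", ".jpeg", ".jpg", ".bmp", ".pdf", ".pptx", ".ppt",
    ".csv", ".rtf", ".accdb", ".psd", ".pfx", ".pem", ".crt", ".py", ".js",
    ".php", ".c", ".cpp", ".h", ".sql", ".sqlite", ".mdb", ".kdbx", ".backup",
}

ENCRYPTED_SUFFIX = ".locky"


def split_encrypted_name(path):
    """Return (original_path, original_ext) if ``path`` ends with the appended
    suffix (case-insensitively), else None.  Because the suffix is appended,
    the original extension is whatever precedes it:
    'report.docx.locky' -> ('report.docx', '.docx').  A file that had no
    extension before encryption yields '' as its original extension."""
    if not path.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    original = path[:-len(ENCRYPTED_SUFFIX)]
    return original, ntpath.splitext(original)[1].lower()


def triage(paths):
    """Classify a listing.  Returns a dict with
    ``encrypted``    : [(encrypted_path, original_path, original_ext), ...]
    ``by_extension`` : Counter of original extensions among encrypted files
    ``untargeted``   : original extensions that are NOT on the target list,
                       a hint that the sample may differ from the one described."""
    encrypted, by_ext, untargeted = [], Counter(), set()
    for path in paths:
        split = split_encrypted_name(path)
        if split is None:
            continue  # untouched file (or unrelated name)
        original, ext = split
        encrypted.append((path, original, ext))
        by_ext[ext] += 1
        if ext not in TARGETED_EXTENSIONS:
            untargeted.add(ext)
    return {"encrypted": encrypted, "by_extension": by_ext,
            "untargeted": untargeted}


# Constructed directory listing standing in for a real scan of fixed drives.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.locky",
    r"C:\Users\alice\Documents\report.docx.locky",
    r"C:\Users\alice\Pictures\IMG_0001.jpg.locky",
    r"C:\Users\alice\Pictures\IMG_0002.jpg.locky",
    r"C:\Users\alice\Documents\notes.txt",            # untouched file
    r"C:\Users\alice\Downloads\archive.tar.gz.locky",  # .gz is not on the list
    r"C:\Users\alice\Desktop\README.locky",            # no original extension
    r"D:\backups\vault.kdbx.LOCKY",                    # suffix case differs
]


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted files")
    for ext, n in result["by_extension"].most_common():
        print(f"  {ext or '(none)'}: {n}")
    if result["untargeted"]:
        print("extensions outside the quoted target list:",
              sorted(result["untargeted"]))
```

The `untargeted` set is the useful part for a responder: if a large share of encrypted files had extensions the sample is not known to target, the machine may be dealing with a different variant, and the decryptor written for this one should not be assumed to apply.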

Once the encryption process is complete, the ransomware creates and displays an extortion message in which it claims to be Locky.

Unlike Locky, however, AutoLocky does not use Tor for its command and control (C&C) servers. It is also written in the AutoIt scripting language rather than Visual C++, a programming choice which has proven to be the ransomware's downfall.

After reviewing its AutoIt decompiled script, Fabian Wosar, the security researcher who also developed a tool to help victims of the Petya ransomware decrypt their files, has created a downloadable decryption tool that victims can use to restore access to their files.

Once victims have terminated AutoLocky's process and startup link, they can use the decryption tool (available on Emsisoft's website) to specify which locations they want to decrypt.

Decrypter

If you have been affected by AutoLocky, I recommend that you use Wosar's tool to decrypt your files as soon as possible. Whenever a crypto-ransomware decryption tool is created, you never know whether the malware authors might be savvy and irate enough to patch the weaknesses in their code, which could prevent the tool from working in the near future. With that in mind, all victims should make use of the tool sooner rather than later.

If the decryption tool doesn't work in the future, there's still hope users can recover their files.

At this time, AutoLocky does not delete the Shadow Volume Copies on an infected computer, which means a user could recover their files using Shadow Copy restore software. Most solutions might not be able to recover all of a user's files, but they could at the very least recover some.

Have you ever been hit by ransomware?

7 Responses

  1. Cihan Erdem

    May 9, 2016 at 10:29 am #

    Good day, does anyone have a solution for .locky files?

  2. Eddy

    May 9, 2016 at 9:09 pm #

    Cihan, delete them.
    As you can read in the article, there is no decrypter for locky (yet?)

    • Cihan in reply to Eddy.

      May 12, 2016 at 9:07 pm #

      OK, but why do I have to delete them?

  3. Sneha Capoor

    August 10, 2016 at 8:15 am #

    I have read about Locky ransomware removal at the systweak blog too. I found very nice information there.

  4. M.Cihan Erdem

    November 24, 2016 at 1:02 pm #

    As is known, recently most users have been infected with a ransomware virus which changes all important documents (pdf, doc, docx, xls, xlsx, dwg, mp3, mp4, mpeg, avi, vb) to ".vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .xxx, .ttt, .micro, .mp3, .xtbl, .cerber, .enc, .encrypted" (and no extension in the last version), so they are encrypted and not usable/readable, unfortunately. I can help infected users to decrypt their files; you can contact me at the email address below if you or one of your friends has been infected with this kind of virus.

    Email: mcerdem82@yahoo.com

  5. George

    March 22, 2017 at 3:39 pm #

    The removal of the actual virus is not that hard; I managed to remove it by using an anti-malware product called MalwareFox. However, the decryption/data restoration can be a huge pain, not to mention that it's impossible to restore your files if you have an SSD, or so I've heard.
