A decryption tool has been released for a piece of crypto-ransomware that impersonates the now-infamous Locky ransomware.
At this time, it is not known how AutoLocky, an apparent wannabe of the Locky ransomware, is being distributed.
Because it uses an Adobe PDF icon, Lawrence Abrams of Bleeping Computer reasons that AutoLocky could be circulating as a fake email attachment. Abrams also notes that AutoLocky shares Locky’s habit of giving encrypted files the .locky extension:
“Once installed, AutoLocky will scan all fixed drives for targeted data files and encrypt them using the AES-128 algorithm. When a file is encrypted, the ransomware will append the .locky extension on to the filename.”
The list of file types targeted by AutoLocky is extensive, maximising its opportunities to wreak havoc for users who have not backed up their data securely:
.docm, .docx, .dot, .doc, .txt, .xls, .xlsx, .xlsm, .7z, .zip, .rar, .jpeg, .jpg, .bmp, .pdf, .ppsm, .ppsx, .ppam, .potm, .potx, .pptm, .pptx, .pps, .pot, .ppt, .xlw, .xll, .xlam, .xla, .xlsb, .xltm, .xltx, .xlm, .xlt, .xml, .dotm, .dotx, .odf, .std, .sxd, .otg, .sti, .sxi, .otp, .odg, .odp, .stc, .sxc, .ots, .ods, .sxg, .stw, .sxw, .odm, .oth, .ott, .odt, .odb, .csv, .rtf, .accdr, .accdt, .accde, .accdb, .sldm, .sldx, .drf, .blend, .apj, .3ds, .dwg, .sda, .ps, .pat, .fxg, .fhd, .fh, .dxb, .drw, .design, .ddrw, .ddoc, .dcs, .wb2, .psd, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .pl, .py, .lua, .css, .js, .asp, .php, .incpas, .asm, .hpp, .h, .cpp, .c, .csl, .csh, .cpi, .cgm, .cdx, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .cdr, .awg, .ait, .ai, .agd1, .ycbcra, .x3f, .stx, .st8, .st7, .st6, .st5, .st4, .srw, .srf, .sr2, .sd1, .sd0, .rwz, .rwl, .rw2, .raw, .raf, .ra2, .ptx, .pef, .pcd, .orf, .nwb, .nrw, .nop, .nef, .ndd, .mrw, .mos, .mfw, .mef, .mdc, .kdc, .kc2, .iiq, .gry, .grey, .gray, .fpx, .fff, .exf, .erf, .dng, .dcr, .dc2, .crw, .craw, .cr2, .cmt, .cib, .ce2, .ce1, .arw, .3pr, .3fr, .mdb, .sqlitedb, .sqlite3, .sqlite, .sql, .sdf, .sav, .sas7bdat, .s3db, .rdb, .psafe3, .nyf, .nx2, .nx1, .nsh, .nsg, .nsf, .nsd, .ns4, .ns3, .ns2, .myd, .kpdx, .kdbx, .idx, .ibz, .ibd, .fdb, .erbsql, .db3, .dbf, .db-journal, .db, .cls, .bdb, .al, .adb, .backupdb, .bik, .backup
Once the encryption process is complete, the ransomware creates and displays an extortion message in which it passes itself off as Locky.
Unlike Locky, however, AutoLocky does not use Tor for its command and control (C&C) servers. It is also written in the AutoIt scripting language rather than Visual C++, a choice which has proven to be the ransomware’s downfall: a compiled AutoIt executable still carries its script in a form that can be decompiled back into readable source, so there is nothing to stop a researcher from reading exactly what the malware does.
After reviewing the decompiled AutoIt script, Fabian Wosar, the Emsisoft security researcher who also developed a tool to help victims of the Petya ransomware decrypt their files, created a downloadable decryption tool that victims can use to restore access to their files.
Looks like Locky has its first copycat. Crudely done in AutoIt with a laughable flaw. Decrypter is available here: https://t.co/c9EoAVSMPm
— Fabian Wosar (@fwosar) April 16, 2016
Once victims have terminated AutoLocky’s running process and removed its startup entry, they can run the decryption tool (available from Emsisoft’s website) and point it at the locations they want decrypted.
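Before pointing the decrypter at anything, it helps to know which directories were hit and when. The following PowerShell is an added example written for this page; it is not code from the article, from Bleeping Computer or from Emsisoft’s tool. It inventories files carrying the appended .locky extension on every fixed drive, recovers the pre-encryption name and extension from each filename (assuming the naming Abrams describes: original name kept, .locky appended), and records the time window of the encryption run. The short $Targeted list is a hypothetical subset of the extensions listed above, and the report path is an assumption.

```powershell
# Added example, not the article's or Emsisoft's code. Inventories *.locky files
# on every fixed drive (Win32_LogicalDisk DriveType 3 = local disk), derives the
# pre-encryption name and extension from each filename, and summarises what was
# hit and when. Assumption: AutoLocky keeps the original name and appends
# ".locky", as quoted in the article (report.docx.locky).

# Hypothetical subset of the extensions the article lists as targeted; extend
# it from the full list above.
$Targeted = @('.docx', '.doc', '.xlsx', '.pdf', '.jpg', '.kdbx', '.sql', '.py')

# Where to write the inventory (assumed path).
$ReportPath = 'C:\IR\autolocky-inventory.csv'

$fixedDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
    ForEach-Object { $_.DeviceID + '\' }

$encrypted = @(foreach ($root in $fixedDrives) {
    Get-ChildItem -Path $root -Filter '*.locky' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $originalName = $_.Name -replace '\.locky$', ''
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                Directory     = $_.DirectoryName
                OriginalName  = $originalName
                OriginalExt   = [System.IO.Path]::GetExtension($originalName).ToLowerInvariant()
                SizeBytes     = $_.Length
                LastWrite     = $_.LastWriteTime
            }
        }
})

if ($encrypted.Count -eq 0) { Write-Host 'No *.locky files found on fixed drives.'; return }

# Directories to hand to the decrypter, busiest first.
$encrypted | Group-Object Directory | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# What kinds of data were hit. An empty OriginalExt means the name does not
# match the quoted pattern, so look at those files by hand.
$encrypted | Group-Object OriginalExt | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'InTargetList'; e = { $_.Name -in $Targeted } } |
    Format-Table -AutoSize

# The earliest and latest write times bracket the encryption run; note them for
# the incident record and for choosing a shadow copy that predates it.
$byTime = $encrypted | Sort-Object LastWrite
"Encryption window: {0} to {1}" -f $byTime[0].LastWrite, $byTime[-1].LastWrite

New-Item -ItemType Directory -Path (Split-Path $ReportPath -Parent) -Force | Out-Null
$encrypted | Export-Csv -Path $ReportPath -NoTypeInformation
"Inventory written to $ReportPath ($($encrypted.Count) files)."
```

Run it as an account that can read all the user data on the machine, and keep the CSV: it doubles as the list of files to verify once the decrypter has run.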
If you have been affected by AutoLocky, use Wosar’s tool to decrypt your files as soon as possible, and keep a copy of the encrypted files until you have confirmed that the recovered ones open. A decrypter like this exists because of a weakness in the malware’s current build, and authors who are savvy and irate enough can ship a new build with that weakness patched; files encrypted by such a build would be beyond the tool’s reach. Files already encrypted by the current build will stay recoverable, but there is no reason to wait: all victims should make use of the tool sooner rather than later.
If the decryption tool does not work for you, there is still hope of recovering your files.
At the time of writing, AutoLocky does not delete the Volume Shadow Copies on an infected computer, so a user can pull pre-encryption versions of files out of a shadow copy, either with Windows’ own Previous Versions feature or with Shadow Copy restore software. A shadow copy only holds the versions that existed when the snapshot was taken, so this may not recover every file, but it will usually recover some.
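As an added example (not code from the article, and not how the decrypter works), the PowerShell below does that recovery by hand: it pairs each Volume Shadow Copy with its drive letter, picks the newest snapshot of the affected drive taken before the encryption started, exposes it through a directory symlink, and copies the pre-encryption version of each encrypted file to a separate volume. The CSV of encrypted paths, the drive, the mount point, the recovery folder and the cut-off time are all assumptions for illustration. Run it from an elevated PowerShell, and do it before anything else writes to the disk: shadow storage is finite and Windows discards the oldest snapshots to make room.

```powershell
# Added example, not the article's code: recover pre-encryption versions of
# files from a Volume Shadow Copy. Requires an elevated PowerShell (listing
# shadow copies and creating the symlink both need it). Values below are
# assumptions for illustration.

$EncryptedList     = 'C:\IR\autolocky-inventory.csv'   # assumed CSV with an EncryptedPath column
$Drive             = 'C:'                               # volume whose snapshot we restore from
$RecoveryRoot      = 'D:\recovered'                     # assumed: a separate, clean volume
$LinkPath          = 'C:\shadow_ro'                     # assumed mount point for the snapshot
$EncryptionStarted = Get-Date '2016-04-16 09:00'        # assumed: earliest .locky write time

# Pair each shadow copy with the drive letter of the volume it snapshots.
# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{...}\ form.
$volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    $sc  = $_
    $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
    [pscustomobject]@{
        ID           = $sc.ID
        Taken        = $sc.InstallDate
        Drive        = $vol.DriveLetter
        DeviceObject = $sc.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    }
}
$shadows | Sort-Object Taken | Format-Table -AutoSize

# Newest snapshot of the drive that predates the encryption run.
$snap = $shadows | Where-Object { $_.Drive -eq $Drive -and $_.Taken -lt $EncryptionStarted } |
    Sort-Object Taken -Descending | Select-Object -First 1
if (-not $snap) { throw "No shadow copy of $Drive predates the encryption; nothing to restore from." }

# Expose the snapshot as a directory symlink. Shadow copies are read-only, and
# mklink needs the trailing backslash on the device path.
cmd /c mklink /d $LinkPath "$($snap.DeviceObject)\" | Out-Null

$restored = 0; $missing = 0
try {
    Import-Csv -Path $EncryptedList | ForEach-Object {
        # C:\Users\a\report.docx.locky -> C:\Users\a\report.docx (name before encryption)
        $originalPath = $_.EncryptedPath -replace '\.locky$', ''
        if ($originalPath -notlike "$Drive\*") { return }       # other volumes: not in this snapshot
        $relative = $originalPath.Substring($Drive.Length + 1)  # strip "C:\"
        $source   = Join-Path $LinkPath $relative
        $dest     = Join-Path $RecoveryRoot $relative
        if (Test-Path -LiteralPath $source -PathType Leaf) {
            New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
            Copy-Item -LiteralPath $source -Destination $dest -Force
            $restored++
        } else {
            $missing++   # created or renamed after the snapshot was taken
        }
    }
} finally {
    cmd /c rmdir $LinkPath | Out-Null   # removes the link only; the snapshot is untouched
}
"Restored $restored file(s) to $RecoveryRoot; $missing not present in the snapshot."
```

Copying to a separate volume rather than back over the originals keeps the encrypted files intact for the decrypter and avoids writing to the volume the snapshot lives on. Files the script reports as missing were created or changed after the snapshot; an older snapshot will not have them either, so those are the ones that depend on the decrypter.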
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.
7 comments on “Decryption tool released for Locky ransomware impersonator”
Good day, does anyone have a solution for .locky files?
Cihan, delete them.
As you can read in the article, there is no decrypter for Locky (yet?).
OK, but why do I have to delete them?
I have read about Locky ransomware removal at systweak blog too. I found there very nice information.
As is known, recently most users have been infected by a ransomware virus which changes all important documents (pdf, doc, docx, xls, xlsx, dwg, mp3, mp4, mpeg, avi, vb) to ".vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc, .xxx, .ttt, .micro, .mp3, .xtbl, .cerber, .enc, .encrypted" (and no extension in the latest version); these are encrypted and not usable/readable, unfortunately. I can help infected users to decrypt their files; you can contact me at the email address below if you or one of your friends has been infected by this kind of virus.
Email: [email protected]
The removal of the actual virus is not that hard, I managed to remove it by using an Anti-Malware called MalwareFox. However the decryption/data restoration can be a huge pain, not to mention that it's impossible to restore your files if you have an SSD, or so I've heard.