A decryption tool has been released for a crypto-malware variant that loves to impersonate the now-infamous Locky ransomware.
At this time, it is not known how AutoLocky, an apparent wannabe of the Locky ransomware, is being distributed.
As it uses an Adobe PDF icon, Lawrence Abrams of Bleeping Computer reasons that AutoLocky could be circulating as a fake email attachment. Abrams goes on to note that AutoLocky shares Locky’s habit of changing the file extension to .locky:
“Once installed, AutoLocky will scan all fixed drives for targeted data files and encrypt them using the AES-128 algorithm. When a file is encrypted, the ransomware will append the .locky extension on to the filename.”
The list of file types targeted by AutoLocky is extensive, maximising its opportunities to wreak havoc for users who have not backed up their data securely:
.docm, .docx, .dot, .doc, .txt, .xls, .xlsx, .xlsm, .7z, .zip, .rar, .jpeg, .jpg, .bmp, .pdf, .ppsm, .ppsx, .ppam, .potm, .potx, .pptm, .pptx, .pps, .pot, .ppt, .xlw, .xll, .xlam, .xla, .xlsb, .xltm, .xltx, .xlm, .xlt, .xml, .dotm, .dotx, .odf, .std, .sxd, .otg, .sti, .sxi, .otp, .odg, .odp, .stc, .sxc, .ots, .ods, .sxg, .stw, .sxw, .odm, .oth, .ott, .odt, .odb, .csv, .rtf, .accdr, .accdt, .accde, .accdb, .sldm, .sldx, .drf, .blend, .apj, .3ds, .dwg, .sda, .ps, .pat, .fxg, .fhd, .fh, .dxb, .drw, .design, .ddrw, .ddoc, .dcs, .wb2, .psd, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .pl, .py, .lua, .css, .js, .asp, .php, .incpas, .asm, .hpp, .h, .cpp, .c, .csl, .csh, .cpi, .cgm, .cdx, .cdrw, .cdr6, .cdr5, .cdr4, .cdr3, .cdr, .awg, .ait, .ai, .agd1, .ycbcra, .x3f, .stx, .st8, .st7, .st6, .st5, .st4, .srw, .srf, .sr2, .sd1, .sd0, .rwz, .rwl, .rw2, .raw, .raf, .ra2, .ptx, .pef, .pcd, .orf, .nwb, .nrw, .nop, .nef, .ndd, .mrw, .mos, .mfw, .mef, .mdc, .kdc, .kc2, .iiq, .gry, .grey, .gray, .fpx, .fff, .exf, .erf, .dng, .dcr, .dc2, .crw, .craw, .cr2, .cmt, .cib, .ce2, .ce1, .arw, .3pr, .3fr, .mdb, .sqlitedb, .sqlite3, .sqlite, .sql, .sdf, .sav, .sas7bdat, .s3db, .rdb, .psafe3, .nyf, .nx2, .nx1, .nsh, .nsg, .nsf, .nsd, .ns4, .ns3, .ns2, .myd, .kpdx, .kdbx, .idx, .ibz, .ibd, .fdb, .erbsql, .db3, .dbf, .db-journal, .db, .cls, .bdb, .al, .adb, .backupdb, .bik, .backup
Once the encryption process is complete, the ransomware creates and loads up an extortion message in which it purports itself to be Locky.
Unlike Locky, however, AutoLocky does not use Tor for its command and control (C&C) servers. It is also written in the AutoIt scripting language rather than Visual C++, a programming choice which has proven to be the ransomware’s downfall.
After reviewing its AutoIt decompiled script, Fabian Wosar, the security researcher who also developed a tool to help victims of the Petya ransomware decrypt their files, has created a downloadable decryption tool that victims can use to restore access to their files.
Looks like Locky has its first copycat. Crudely done in AutoIt with a laughable flaw. Decrypter is available here: https://t.co/c9EoAVSMPm
— Fabian Wosar (@fwosar) April 16, 2016
Once victims have terminated AutoLocky’s process and startup link, they can use the decryption tool (available on Emsisoft’s website) to specify which locations they want to decrypt.
If you have been affected by AutoLocky, I recommend that you use Wosar’s tool to decrypt your files as soon as possible. Whenever a crypto-ransomware decryption tool is created, you never know if the malware authors might be savvy and irate enough to patch their code for weaknesses, which could prevent the tool from working in the near-future. With that in mind, all victims should make use of the tool sooner rather than later.
If the decryption tool doesn’t work in the future, there’s still hope users can recover their files.
At this time, AutoLocky does not delete the Shadow Volume Copies on an infected computer, which means a user could recover their files via the use of Shadow Copy restore software. Most solutions might not be able to recover all of a user’s files, but they could in the very least recover some.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.