At the start of the year, it seemed that 2018 was going to be all about cryptominers. They so overwhelmingly dominated the landscape that it looked like no other threat had a chance. However, ransomware is not giving up the field so fast. There have been new variants popping up every couple of months, peering rather shyly around the corner. At the moment, the most popular ransomware is GandCrab. However, a lesser-known family called LockCrypt has been creeping around under the radar since June 2017.

Since it is spread via RDP brute-force attacks and must be manually installed, it has never been a massive threat, and therefore had never been described in detail. But recently we were contacted by some victims of LockCrypt, so we decided to take a closer look. Our investigation led to some interesting findings, especially when we discovered that the ransomware authors decided to ignore the popular advice not to roll your own crypto. As we could easily guess, this introduced weaknesses into the code, along with the possibility of recovering the data in some cases.

In order to execute properly, the malware must be run as an Administrator. Because it is deployed manually by the attackers, it doesn't use any tricks or exploits to automatically elevate its privileges. Once it is run, it deletes the original sample and drops itself in C:\Windows under the name wwvcm.exe:

It also adds persistence using a registry key:

This ransomware encrypts all the files it can possibly reach. During the process, it enumerates and tries to terminate all running applications so that they will not be blocking access to the attacked files. The names of the encrypted files are obfuscated: first encrypted and then converted to base64. The random ID is also a part of the name. The ransom note is dropped as a TXT file:

It pops up at the end of the execution.

Looking inside the encrypted files, we saw that they have pretty high entropy. The example below shows a BMP file before and after encryption:

Our initial assessment of the image was that the authors didn't use a trivial XOR here. It looks like a file encrypted by a stream cipher (or any cipher in CBC mode). After looking inside the code, we will know more about it.

Looking at the changes made in the registry, we found more data left there by the ransomware, such as the unique ID of the victim:

The malware is capable of encrypting without an Internet connection. However, if we run it on a connected machine, it beacons to its CnC.
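The entropy observation above is the kind of check an analyst runs before touching the code: a real cipher pushes a file towards 8 bits per byte, while a trivial XOR cannot. The following Python helper is an added example, not from the original analysis or from the LockCrypt sample; the bitmap it measures is a constructed stand-in, and the 7.0 bits/byte threshold is a triage heuristic, not a value from the page.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Trivial repeating-key XOR. A 1-byte key only permutes byte values, so the
    entropy is unchanged; a k-byte key can raise it by at most log2(k) bits."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_sample_bmp() -> bytes:
    """Constructed stand-in for a BMP (not a real sample): 14-byte file header, a
    zeroed 40-byte DIB header, then 64x64 24-bit pixels in two flat colours."""
    size = 14 + 40 + 64 * 64 * 3
    header = b"BM" + size.to_bytes(4, "little") + bytes(4) + (54).to_bytes(4, "little")
    rows = (b"\xff\x00\x00" * 64 if y % 2 else b"\x00\xff\x00" * 64 for y in range(64))
    return header + bytes(40) + b"".join(rows)


def classify(data: bytes, threshold: float = 7.0) -> str:
    """Coarse triage label: ciphertext and compressed data sit near 8 bits/byte,
    while bitmaps, documents and XOR-'encrypted' copies of them stay well below."""
    if shannon_entropy(data) >= threshold:
        return "high-entropy (encrypted or compressed)"
    return "low-entropy (plaintext-like)"


if __name__ == "__main__":
    bmp = make_sample_bmp()
    samples = {
        "original bitmap": bmp,
        "xor, 1-byte key": xor_repeating_key(bmp, b"\x5a"),
        "xor, 4-byte key": xor_repeating_key(bmp, b"\xde\xad\xbe\xef"),
        "random bytes (stand-in for real ciphertext)": os.urandom(len(bmp)),
    }
    for name, blob in samples.items():
        print(f"{name:45s} {shannon_entropy(blob):5.3f} bits/byte  {classify(blob)}")
```

Running it shows the single-byte XOR copy with exactly the bitmap's entropy and the 4-byte key adding under 2 bits, while the random stand-in lands near 8; a file that scores like the last row is what rules out the trivial-XOR hypothesis.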