Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

LockCrypt Ransomware (.<Original Extension> ID <Random>.BadNews)

  • Distribution Method : Unknown
  • MD5 : 920b64dadd297c7cced6b9715bcb8999
  • Major Detection Name : Trojan.Ransom.MrDec (ALYac), Gen:Win32.AV-Killer.amW@aC6nWjc (BitDefender)
  • Encrypted File Pattern : .<Original Extension> ID <Random>.BadNews
  • Malicious File Creation Location :
     - C:\Windows\clerlog.bat
     - C:\Windows\searchfiles.exe
     - C:\How To Decode Files.hta
  • Payment Instruction File : How To Decode Files.hta
  • Major Characteristics :
     - Offline Encryption
     - DXXD / MrDec Ransomware series
     - Encryption starts after killing all process except listed in whitelist processes
     - Turns off User Access Control (UAC)
     - Disable system restore (vssadmin delete shadows /all)
     - Deletes event log (wevtutil.exe cl "Analytic", wevtutil.exe cl "Application", wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", wevtutil.exe cl "Security", wevtutil.exe cl "System", wevtutil.exe cl "Windows PowerShell" etc.)
     - Displays ransom note (C:\Windows\SysWow64\mshta.exe "c:\How To Decode Files.hta") when user executes encrypted file (.<Original Extension> ID <Random>.BadNews)