• Tag Archives Locky Decrypter
  • Using DNS to weaken Locky ransomware threat

    Ransomware and other cyberthreats often go unseen by traditional detection methods like antivirus, deep packet inspection (DPI) or sandboxing. In fact, a report by Lastline Labs indicates that 51% of zero-day malware—threats that strike before developers have time to release a patch—is undetected by anti-virus solutions. So what can security professionals do to stop attacks? The answer lies, in part, in DNS.

    One of the most powerful ransomware threats currently targeting individuals and organizations is Locky, which infects up to 100,000 devices per day, of which 3% submit payments. Cybersecurity experts estimate that Locky possesses 17% of the entire global market share for all ransomware infections.

    First, let’s look at a few statistics that demonstrate the power and expense of Locky:

    Locky is typically delivered through aggressive spam campaigns, often claiming to be an invoice. Despite the known dangers of clicking on links in unknown emails, Locky is so sly it entices even trained IT staff to click on obscure messages and activate downloads.

    Once a download has completed, Locky connects with its Command & Control (C&C) server to get a cryptographic key to use for encryption. There are three known mechanisms for Locky to reach its C&C hosts:

    1. Direct IP communication
    2. A number of fixed domains
    3. A time-based Domain Generation Algorithm (DGA) that creates a set of random-looking domains that are only valid for a few days

    Here is where DNS can play a role. DNS data can be analyzed to identify C&C connection mechanisms. When these communications are blocked, Locky’s ability to obtain encryption keys is limited, giving infected users a better chance of being protected.

    Unfortunately, the DGA used by Locky to generate domains and get encryption keys is marked with the current time period combined with a secret seed, making it harder to block new domains quickly. Locky changes seeds frequently, and reverse engineering current versions of the malware to discover each new seed takes time. Every new seed indicates another wave in the life of the exploit, so until there is an accurate way to identify traffic associated with Locky, it can’t be permanently blocked.

    But examination of a worldwide feed of anonymized DNS queries, along with anomaly detection and correlation technology, makes it possible to identify suspected domains used by Locky to download encryption keys in real time. ForcePoint is one company that has done some work to reverse engineer the DGA used by Locky. By using the existing DGA and conducting some additional processing of suspect domains, it is possible to determine new seeds used by Locky, thereby enumerating all future new domains Locky will use.

    Below is a sampling of more recent domains created by Locky as detected by our DNS algorithms:

    • mrjuvawlwa[.]xyz
    • uydvrqwgg[.]su
    • uwiyklntlxpxj[.]work
    • owvtbqledaraqq[.]su
    • udfaexci[.]ru
    • eabfhwl[.]ru
    • olyedawaki[.]pl
    • uxwfukfqxhydqawmf[.]su
    • ikdcjjcyjtpsc[.]work
    • wrbwtvcv[.]su
    • osxbymbjwuotd[.]click
    • qtuanjdpx[.]info

    As Locky and other types of ransomware become more adept at avoiding detection and remediation, new strategies need to be used to combat them. Many of the new cyberthreat strategies make traditional malware block lists less effective. Facing DGAs with fast-changing seeds, security researchers must constantly identify the new seeds used by each wave of phishing to pre-generate domains. Once new seeds are released the old ones immediately become obsolete.

    By utilizing a broad set of DNS query data, it is possible to detect and track the evolution of generated domains through a variety of algorithmic methods such as clustering, reputation scoring, reverse engineering and additional methods that continuously evolve. Recent innovations include anomaly detection algorithms, new domain clustering and a Domain Reputation System that resulted in almost 100,000 domains and C&Cs provisioned daily for blocking.

    By employing these advanced methods, suspicious domains can be detected with a high level of accuracy very quickly, and false positives can also be weeded out so good traffic can still reach legitimate sites. Currently, this is the best defense against Locky. Service providers and companies can use this technique to protect their online users from having their files encrypted, and identify machines that have been infected.

    Locky provides ample evidence that attackers are continuously innovating. Staying one step ahead requires cybersecurity expertise and real-time processing of massive, worldwide data sets to uncover malicious activity. Blocking traffic to these domains is a good way to avoid the threat of Locky, and expert security teams that take the right steps to understand its behavior and put appropriate measures in place to protect would-be victims will render cyberthreats much less effective.


  • Ransomeware Decrypters Available Decryption Service – Decryptor Download Decrypt Files

    New version of ODCODCDecoder Released Download Decrypter

    BloodDolly has released a new version of his ODCODC Ransomwaredecryptor. The decryptor can be downloaded from.

    Emsisoft Decrypter for Marlboro Download Decrypter

    The Marlboro ransomware was first seen on January 11th, 2017. It is written in C++ and uses a simple XOR-based encryption algorithm. Encrypted files are renamed to “.oops”. The ransom note is stored inside a file named “_HELP_Recover_Files_.html” and includes no further point of contact.

    Due to a bug in the malware’s code, the malware will truncate up to the last 7 bytes from files it encrypts. It is, unfortunately, impossible for the decrypter to reconstruct these bytes.

    To use the decrypter, you will require an encrypted file of at least 640 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable.

    Decryptor released for the Merry Christmas or Merry X-Mas Ransomware Download Decrypter

    Fabian Wosar has done it again and released a decryptor for the files encrypted by the Merry Christmas or Merry X-Mas Ransomware. These files will have the extensions .PEGS1, .MRCR1, .RARE1, .RMCM1 appended to them.

    Crypt38Decrypter Download Download Decrypter

    BitStakDecrypter Download Download Decrypter

    lphaDecrypter Download Download Decrypte

    Unlock92Decrypter Download Download Decrypter

    Hidden Tear Decrypter Download Download Decrypter

    Hidden Tear BruteForcer Download Download Decrypter

    PowerLockyDecrypter Download Download Decrypter

    GhostCryptDecrypter Download Download Decrypter

    MicroCop Decryptor Download Download Decrypter

    Jigsaw Decrypter Download Download Decrypter

    Rannoh Decryptor (updated 20-12-2016 with CryptXXX v3) Download Decrypter

    RannohDecryptor tool is designed to decrypt files encrypted by:

    • CryptXXX versions 1, 2 and 3.
    • Marsjoke aka Polyglot;
    • Rannoh;
    • AutoIt;
    • Fury;
    • Crybola;
    • Cryakl;

    Globe3 Decryptor Download Decrypter
    The tool is designed to decrypt files encrypted by Globe3 Ransomware.

    Derialock Decryptor Download Decrypter
    Derialock decryptor tool is designed to decrypt files encrypted by Derialock

    PHP Ransomware Decryptor Download Decrypter
    PHP ransomware decryptor tool is designed to decrypt files encrypted by PHP ransomware

    WildFire Decryptor Download Decrypter
    WildfireDecryptor tool is designed to decrypt files encrypted by Wildfire

    Chimera Decryptor Download Decrypter
    ChimeraDecryptor tool is designed to decrypt files encrypted by Chimera

    Teslacrypt Decryptor Download Decrypter
    TeslaDecryptor can decrypt files encrypted by TeslaCrypt v3 and v4

    Shade Decryptor Download Decrypter
    ShadeDecryptor can decrypt files with the following extensions: .xtbl, .ytbl, .breaking_bad, .heisenberg.

    CoinVault Decryptor Download Decrypter

    The CoinVault decryption tool decrypts files encrypted by Coinvault and Bitcryptor.

    Rakhni Decryptor (updated 14-11-2016) Download Decrypter

    RakhniDecryptor tool is designed to decrypt files encrypted by:

    • Crysis;
    • Chimera;
    • Rakhni;
    • Agent.iih;
    • Aura;
    • Autoit;
    • Pletor;
    • Rotor;
    • Lamer;
    • Lortok;
    • Cryptokluchen;
    • Democry;
    • Bitman (TeslaCrypt) version 3 and 4.

    Trend Micro Ransomware File Decryptor Download Decrypter

    Supported Ransomware Families

    The following list describes the known ransomware-encrypted files types can be handled by the latest version of

    the tool.

    Ransomware

    File name and extension

    CryptXXX V1, V2, V3*

    {original file name}.crypt, cryp1, crypz, or 5 hexadecimal characters

    CryptXXX V4, V5

    {MD5 Hash}.5 hexadecimal characters

    Crysis

    .{id}.{email address}.xtbl, crypt

    TeslaCrypt V1**

    {original file name}.ECC

    TeslaCrypt V2**

    {original file name}.VVV, CCC, ZZZ, AAA, ABC, XYZ

    TeslaCrypt V3

    {original file name}.XXX or TTT or MP3 or MICRO

    TeslaCrypt V4

    File name and extension are unchanged

    Rating:

    485 found this helpful

    Category:

    Troubleshoot

    Solution Id:

    1114221

    13/12/2016, 22)42

    Using the Trend Micro Ransomware File Decryptor Tool

    Page 2 of 6

    https://success.trendmicro.com/solution/1114221#

    #

    TeslaCrypt V4

    File name and extension are unchanged

    SNSLocker

    {Original file name}.RSNSLocked

    AutoLocky

    {Original file name}.locky

    BadBlock

    {Original file name}

    777

    {Original file name}.777

    XORIST

    {Original file name}.xorist or random extension

    XORBAT

    {Original file name}.crypted

    CERBER V1

    {10 random characters}.cerber

    Stampado

    {Original file name}.locked

    Nemucod

    {Original file name}.crypted

    Chimera

    {Original file name}.crypt

    LECHIFFRE

    {Original file name}.LeChiffre

    MirCop

    Lock.{Original file name}

    Jigsaw

    {Original file name}.random extension

    Globe/Purge

    V1: {Original file name}.purge

    V2: {Original file name}.{email address + random characters}

    V3: Extension not fixed or file name encrypted

    DXXD

    V1: {Original file name}.{Original extension}dxxd

    Teamxrat/Xpan

    V2: {Original filename}.__xratteamLucked

    Crysis

    .{id}.{email address}.xtbl, crypt

    NMoreira Decryptor download
    The tool is designed to decrypt files encrypted by NMoreira Ransomware.

    Ozozalocker Decryptor download
    The tool is designed to decrypt files encrypted by Ozozalocker Ransomware.

    Globe Decryptor download
    The tool is designed to decrypt files encrypted by Globe Ransomware.

    Globe2 Decryptor download
    The tool is designed to decrypt files encrypted by Globe2 Ransomware.

    FenixLocker Decryptor download
    The tool is designed to decrypt files encrypted by FenixLocker Ransomware.

    Philadelphia Decryptor download
    The tool is designed to decrypt files encrypted by Philadelphia Ransomware.

    Stampado Decryptor download
    The tool is designed to decrypt files encrypted by Stampado Ransomware.

    Xorist Decryptor download
    The tool is designed to decrypt files encrypted by Xorist Ransomware.

    Nemucod Decryptor download
    The tool is designed to decrypt files encrypted by Nemucod Ransomware.

    Gomasom Decryptor download
    The tool is designed to decrypt files encrypted by Gomasom Ransomware.

    Linux.Encoder Decryptor download

    Decryption tools have been designed for infections of the Linux.Encoder.1 and Linux.Encoder.3 ransomware