Decrypter Available for AutoLocky, Locky Ransomware Copycat

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Fabian Wosar, Emsisoft's top malware analyst, has put together a decrypter for a new ransomware variant named AutoLocky, a copycat of the more famous and dangerous Locky ransomware that appeared at the start of 2016.

AutoLocky, which was spotted for the first time only about a month ago, is written in the AutoIt scripting language, hence its name.

"The malware itself installs itself by creating a link to itself inside the Start Menu StartUp folder named 'Start.lnk'," Mr. Wosar told Softpedia. If the user clicks the link, the ransomware starts encrypting his files with "AES 128 bit encryption using a key derived using MD5 from an alpha numeric password."

AutoLocky uses strong encryption...
The decryption is then sent to the C&C (command and control) server while ransom notes in the form of text and HTML files (see attached gallery) are dropped on the user's computer. Below is a list of the 217 file types AutoLocky targets for encryption.

docm,docx,dot,doc,txt,xls,xlsx,xlsm,7z,zip,rar,jpeg,jpg,bmp,pdf,ppsm,ppsx,ppam,potm,potx,pptm,pptx,pps,pot,ppt,xlw,xll,xlam,xla,xlsb,xltm,xltx,xlm,xlt,xml,dotm,dotx,odf,std,sxd,otg,sti,sxi,otp,odg,odp,stc,sxc,ots,ods,sxg,stw,sxw,odm,oth,ott,odt,odb,csv,rtf,accdr,accdt,accde,accdb,sldm,sldx,drf,blend,apj,3ds,dwg,sda,ps,pat,fxg,fhd,fh,dxb,drw,design,ddrw,ddoc,dcs,wb2,psd,p7c,p7b,p12,pfx,pem,crt,cer,der,pl,py,lua,css,js,asp,php,incpas,asm,hpp,h,cpp,c,csl,csh,cpi,cgm,cdx,cdrw,cdr6,cdr5,cdr4,cdr3,cdr,awg,ait,ai,agd1,ycbcra,x3f,stx,st8,st7,st6,st5,st4,srw,srf,sr2,sd1,sd0,rwz,rwl,rw2,raw,raf,ra2,ptx,pef,pcd,orf,nwb,nrw,nop,nef,ndd,mrw,mos,mfw,mef,mdc,kdc,kc2,iiq,gry,grey,gray,fpx,fff,exf,erf,dng,dcr,dc2,crw,craw,cr2,cmt,cib,ce2,ce1,arw,3pr,3fr,mdb,sqlitedb,sqlite3,sqlite,sql,sdf,sav,sas7bdat,s3db,rdb,psafe3,nyf,nx2,nx1,nsh,nsg,nsf,nsd,ns4,ns3,ns2,myd,kpdx,kdbx,idx,ibz,ibd,fdb,erbsql,db3,dbf,db-journal,db,cls,bdb,al,adb,backupdb,bik,backup

The crooks ask for 0.75 Bitcoin (~$325), and based on some of the Bitcoin addresses seen in ransom notes, some users appear to have ended up paying.

In all ransom notes, AutoLocky uses the Locky moniker, but this is only to frighten users who might Google the term and realize that Locky is undecryptable and they might need to pay the ransom to recover their files.

A better way for victims would be to use the ID Ransomware website where they can upload a ransom note and an encrypted file, and the website will tell them the exact name of the ransomware. ID Ransomware can accurately differentiate between Locky and AutoLocky.

... but there's a way around it
Luckily, Mr. Wosar found a flaw in AutoLocky and was able to put together a decrypter to help users out. You can download the decrypter from Emsisoft's website.

After you launch it, the decrypter will do its magic and get you the decryption key needed to unlock your files. Once you get the key, the decrypter's GUI will kick in, and then you can select the location of your encrypted files, and start the decrypter to start the decryption process.

Just be mindful to test the validity of the decryption key on one file first. Additionally, it may be a good idea to create a copy of your encrypted files and test the decryption process on those. Happy decrypting!
decrypter-available-for-autolocky-locky-ransomware-copycat-503053-8.jpg
 

soccer97

Level 11
Verified
May 22, 2014
517
I was reading that these Encrypting Trojan/Ransomware authors hate Emsisoft, because they are able to crack the software and decrypt people's computers.

Thank You Emsisoft and Fabian Wosar. You are providing a much needed ad valuable public service. I hope that many people purchase your software.

I like Emsisoft and this proves that they provide pretty good protection. :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top