Free Dr.Web utility restores files encrypted by Android.Locker.2.origin ransomware

Status
Not open for further replies.

Petrovic

Level 64
Thread author
Verified
Honorary Member
Top Poster
Well-known
Apr 25, 2013
5,354
Russian anti-virus company Doctor Web has released a free Dr.Web utility that decrypts files corrupted byAndroid.Locker.2.originransomware. Once an Android handheld is infected, the malicious program encrypts photos, documents, videos and other information stored on the SD card, locks the device's screen and demands a ransom to restore it to normal operation. To counter this threat, users of Dr.Web comprehensive protection software for Android can now request the utility from Doctor Web's technical support.

Discovered in May, the extortionist Android.Locker.2.origin poses extreme danger to user data. On an infected mobile device, the extortionist searches the available memory cards for files with the following extensions: .jpeg, .jpg, .png, .bmp, .gif, .pdf, .doc, .docx, .txt, .avi, .mkv, and .3gp. It encrypts the files and adds the extension .enc to the filenames. Then the mobile device's screen is locked, and a message is displayed that accuses the user of distributing adult content and demands a ransom to unlock the device. To enhance the effect, the extortionist can also add a photo of the user, made with the handheld's front camera, to the ransom demand message.


After thoroughly examining the ransomware, Doctor Web designed a special utility that will most likely decrypt files corrupted by the malicious application, making it unnecessary for users to pay a ransom.

The utility scans the available SD card for encrypted files and attempts to restore one of them as a test. If successful, the program starts restoring all the corrupted files it has found. Backups of all the corrupted files are placed in the directory DrWebTemp before the utility attempts to decrypt them. All the recovered files are restored to their original location and the extension .enc is removed from their filenames. To avoid permanent data loss after the utility finishes its work, the directory DrWebTemp, which contains copies of the encrypted files, is not removed.


If your handheld has been compromised by Android.Locker.2.origin, follow these steps:

  • Do not try to restore the encrypted data on your own;
  • Contact Doctor Web's technical support. When filing a request, select ‘Cure request’ (this service is available free of charge);
  • Attach a file encrypted by the ransomware to your request;
  • Wait for a response from a virus analyst.
Please note that the decryption service is only available to users who have purchased commercial licenses for Doctor Web anti-viruses. To get the utility, you have to be an owner of a commercial Dr.Web for Android, Dr.Web Security Space or Dr.Web Anti-virus license which includes technical support.

To ensure that your mobile device is continually protected from Android.Locker.2.origin and other Android threats, purchase Dr.Web for Android with advanced security features.
Source
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top