LockCrypt and the Attack on Mecklenburg County, NC

Some of you have heard about yesterday’s ransomware attack in Mecklenburg County, North Carolina (a municipality in the Southeastern United States). LockCrypt, a variant that is believed to have evolved out of the Satan ransomware, is responsible. You can read more in the headlines here (International Business Times) and here (USA Today), but the attackers are demanding 2 Bitcoins for the files to be decrypted (which is approximately $26,000 at the time of this article). County administrators have not yet ruled out paying the ransom.

So why is this one worth writing about? LockCrypt is nasty, and quite sophisticated. This one is likely to continue doing damage for quite some time to come.

Let’s cover the standard set of technical details first. LockCrypt creates a unique AES-256 encryption/decryption key for every victim. This key is tracked by assigning a unique ID number. That means that even if you or a colleague pay to decrypt files on one machine, you can’t use those keys to decrypt files on another machine. Early strains of ransomware often did not take this step, which is how the community was able to make so many decryptors early on. The bad news here is that if you find your files encrypted by LockCrypt, you’re unlikely to be able to get help cracking that encryption.

How do you get your files back if you pay? LockCrypt sends the AES-256 key associated with your ID to a server. If you decide to pay the ransom, you provide the ID and the attackers will allegedly give you back the right key and a means of using it (a “decryptor” program). Based on the IP address, the server appears to be located in Tehran, Iran; however, as we always caution our readers, that does not necessarily mean that the attackers are located there. Instead, they may simply have attacked and compromised a machine in that location, making it very difficult to determine who and where they actually are.

LockCrypt appears to spread largely via the Remote Desktop Protocol (RDP), which means that if you have one machine that is vulnerable, you likely have many. The attackers behind LockCrypt appear to be attempting to “brute force” their way into machines, which is just a technical term for “scan the entire Internet and see which unprotected machines let them execute their ransomware”. However, USA Today claims that this particular infection arrived via email, and a single user opening this malicious attachment appears to have been enough for LockCrypt to spread throughout the entire organization (~50 machines appear to have been infected).
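One way a defender can spot the RDP brute forcing described above is to look for bursts of failed remote logons from a single source, followed by a success. This is an added example, not code from the original article or from CryptoDrop. It assumes Windows Security events have already been exported as tuples; event IDs 4625 (failed logon) and 4624 (successful logon) and logon types 3 and 10 are standard Windows values, while the IP addresses, account names, threshold and time window are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types seen for RDP: 10 = RemoteInteractive, 3 = Network (RDP with NLA).
RDP_LOGON_TYPES = {3, 10}

def sample_events():
    """Constructed sample: (timestamp, event_id, logon_type, source_ip, account)."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    # Twelve failures in under a minute from one address, then a success.
    rows = [(t0 + timedelta(seconds=4 * i), 4625, 3, "203.0.113.7", "administrator")
            for i in range(12)]
    rows.append((t0 + timedelta(seconds=50), 4624, 10, "203.0.113.7", "administrator"))
    # A real user mistyping a password now and then: must not be flagged.
    rows += [(t0 + timedelta(minutes=m), 4625, 10, "198.51.100.20", "jsmith")
             for m in (0, 30, 60)]
    rows.append((t0 + timedelta(minutes=61), 4624, 10, "198.51.100.20", "jsmith"))
    return rows

def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`,
    and record the first account that logs on successfully from that IP afterwards."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = {}                 # ip -> finding
    for ts, event_id, logon_type, ip, account in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == 4625:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"ip": ip, "first_alert": ts, "compromised_account": None}
        elif event_id == 4624 and ip in flagged:
            if flagged[ip]["compromised_account"] is None:
                flagged[ip]["compromised_account"] = account
    return list(flagged.values())

if __name__ == "__main__":
    for finding in find_rdp_bruteforce(sample_events()):
        print(finding)
```

A finding with a non-empty `compromised_account` is the case to escalate first: the guessing stopped because it worked.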

LockCrypt is Nasty

All of this is bad enough, but it’s what comes next that makes LockCrypt really nasty. LockCrypt attempts to attack your defenses. Running anti-virus software? LockCrypt tries to kill it. Only after LockCrypt has gutted your defenses does it try to encrypt your files. Here’s a copy of the ransom note victims receive (with the ID changed):

[Image: LockCrypt ransom note]

Ok – so how did CryptoDrop fare against LockCrypt? Not a single file was encrypted. Why? While LockCrypt attempts to kill lots of non-Windows processes, we built extra defenses into CryptoDrop to make it difficult to turn off our software. While we did this in the early phases of our design process, it was done precisely for days like this. Even with administrative access, LockCrypt simply does nothing to your files if CryptoDrop is installed.

[Image: Task Manager]

County operations in Mecklenburg, North Carolina are likely to be severely disrupted over the coming days. Even if the county managed not to lose any data, the cost of rebuilding their infrastructure will be significant in both time and dollars. What city or business has the time and resources to drop all of their regular tasks for an unplanned rebuilding of their IT infrastructure?

It’s not enough to hope that the bad guys won’t hit you – LockCrypt is out there actively scanning for you. And it’s not the only one. The bad guys are writing increasingly sophisticated ransomware, and protecting yourself before they hit is absolutely critical.

CryptoDrop has stopped every sample of ransomware we’ve ever seen, and done so the first time we’ve seen it. Our patent-pending approach is fundamentally different than what traditional anti-virus software provides. Best of all, you can try it for free. Help protect your data, and help our start-up bring game-changing technology to the fight against ransomware.

We’re CryptoDrop. We Stop Ransomware.


