LockCrypt 2.0 BDKR Ransomware: What To Do If You’re Infected

Graphic for Tetra Defense Ransomware 101: LockCrypt 2.0

What is LockCrypt Ransomware?

LockCrypt 2.0 is an updated ransomware strain first discovered in September 2018, based in part on the original LockCrypt, which was identified back in June 2017. The original LockCrypt malware had one major flaw – it was easy to decrypt the data following infection. The newer version of LockCrypt uses AES256 and RSA-2048 to encrypt files with a “.BDKR” file extension, whereas the older version used different file extensions including: .bi_d, .bit and .mich.

The relatively easy decryption and removal of the original strain prompted the malware software engineers to rewrite LockCrypt 2.0 to combat the initial weaknesses. LockCrypt 2.0 is a newer version of the malware that spreads via Remote Desktop Protocol (RDP) brute force attacks. This threat is still very relevant today due to the proliferation of open and poorly secured RDP terminal servers available on the Internet.

LockCrypt 2.0 ransomware has been linked to criminals inside Iran. When the infection starts, the malware checks-in with a command and control (CnC) server based in Tehran. There is also evidence suggesting that the threat actors deliberately target enterprise organizations for rapid financial gain. There is no information within the ransom note indicating the cost of the ransom; instead, the hackers demand you contact them immediately after infection to discuss terms.

LockCrypt 2.0 is considered to be somewhat poorly designed malware. Malwarebytes states that LockCrypt is simple malware, created and used by unsophisticated attackers, describing it as being written in sloppy and unprofessional code. There are reports of the DECODE.KEY file not generating correctly after encryption, meaning that on occasion, it is impossible for anyone to later decrypt the victims’ files – even the hackers themselves!

How Does LockCrypt 2.0 Ransomware Work?

Rather than spreading the LockCrypt 2.0 through malware-infected email attachments using spamming campaigns, LockCrypt 2.0 is installed manually onto a compromised computer, generally, one that the hacker has already successfully exploited using the Remote Desktop Protocol brute force attack.

Attackers accomplish the initial compromise by using a botnet farm – a collection of compromised computers that are all exploited – to constantly attack RDP sessions. The attacks use dictionary files of known username and password combinations. Validated RDP credentials can also be found for sale on the dark web if attackers are willing to pay for verified information.

Cloud service providers, such as Google, AWS, and Azure, can provide RDP connectivity to any hosted public IP address over the public internet. Any Internet user would be able to access any computer configured publicly if that user knew the IP address, the username, and the password. Problems arise when unknowledgeable or lazy system administrators fail to enforce best practice password policies and use passwords that are guessable or easily hacked. If a weak password is used to protect the RDP session, it may only take a few seconds to exploit the connection to gain access.

After remote access is confirmed, the malware is copied over the connection and executed using administrator privileges. Registry alterations are made to cause the malicious application to start every time Windows starts, and the encryption process targets all files it can reach, generally including anything that is not in current use by the operating system.

All encrypted file names are obfuscated after encryption, making it impossible to know what the original file was. After the encryption process completes, the malware opens Notepad with a ransomware note. The note contains the victim ID, which can identify you to the hackers, and instructions on how to pay the ransom. As with most ransomware, payment is demanded in bitcoin to a bitcoin wallet.

How Do I Prevent LockCrypt 2.0 Ransomware?

LockCrypt ransomware, similar to Phobos, Dharma, and CrySis, uses brute force attacks on RDP. We highly recommend reviewing all public facing servers and ensuring that a robust password is configured by default, and no RDP connection is left unprotected in error.

The RDP port (3389) should be blocked by default on a perimeter firewall, and RDP should only be in use when necessary. The server must be patched, updated, and security hardened.

If the server is provisioned on public cloud services, strict access controls should be configured, ensuring that IP access is restricted to predefined IP addresses only. All other port 3389 requests should be dropped at the firewall level.

Any server using RDP must have the Network Level Authentication (NLA) feature enabled under advanced RDP settings. Enabling this option will force the server to authenticate with Active Directory before approving an RDP log on. This way, only approved business users are given access. Allowing connections only from computers running NLA is a secure authentication method that can protect against malicious users and software.

Never forward RDP ports through a perimeter firewall; RDP access to a corporate network should be over a secured VPN tunnel that utilizes multi-factor authentication for added security. This method ensures that the firewall immediately drops any RDP packets, and the internal network is safe.

How Do I Remove LockCrypt 2.0 Ransomware?

The original LockCrypt had a flaw in its encryption method, and malware researchers were able to develop and distribute decryption tools for victims quickly. However, with LockCrypt 2.0, there is no method yet discovered to break the encryption. Some malware researchers note that the distributors were uninterested in providing victims with their data even after payment.

As with all malware, unless you have viable, uninfected backups, restoring the server to its original state is a difficult task. Potentially, you may be able to roll back files using Windows VSS shadow copies, if you have that feature enabled. You may also be able to roll back using a system restore point.

If you are in the difficult position of not having a backup and you urgently need your files back, then you must contact the incident response experts at Tetra Defense. We prioritize data restoration to get businesses back to where they were before the ransomware attack.

We approach ransomware restoration and investigations simultaneously so you can return to normal business operations while you are getting answers. Our teams are standing by to focus on what matters most: your business!

We survey the ransomware outbreak and perform an initial assessment; this will identify the best course of action to fix the ransomware attack. If determined to be necessary, we can conduct ransom negotiation and can facilitate ransom payments when no other options are available.

We remove the threat from your system and conduct malware scans and network threat hunting. Each incident is leveraged to learn from the ransomware attack and discover the root cause. Once the decryption keys are obtained, we decrypt the data and get systems restored to full functionality as quickly as possible.

Example of LockCrypt 2.0 Ransom Note

Screenshot of LockCrypt 2.0 ransom note

Get Help with LockCrypt 2.0 Ransomware

If you’re ready to get help removing LockCrypt 2.0 ransomware from your critical systems, contact our incident response team today. We will reach out for an assessment and build a plan to get your systems up and running once again.

Source information can be found here.

Check out some related content on our blog: