"Stupid" Locky Ransomware (Malware & Forensics)


This topic contains 25 replies, has 26 voices, and was last updated by  wisdom-david 2 years, 6 months ago.

Viewing 20 posts - 1 through 20 (of 26 total)


    Hey Cybrarians!

    Check this article out: http://www.infosecurity-magazine.com/news/hackers-replace-ransomware-with/

    TL;DR: A white-hat hacker broke into a Locky ransomware command and control server and replaced the payload with a dummy file.


    M G

    Thanks mate



    Yeah, I saw that “STUPID LOCKY” file already a few months ago, investigating a ransomware infection. My initial thought was that the webmaster of that site had replaced the malware with the text file, but since it’s happening on a variety of webservers, it looks like somebody is hacking those hacked websites this group uses for spreading their malware…

    • This reply was modified 4 years, 3 months ago by  BusyR.


    Thanks for sharing…



    I think that in order to keep your data safe from the various locker ransomwares you must make backups of your hard drives and keep them on a disk you normally keep disconnected from the computer, as a partial form of insurance.

    • This reply was modified 4 years, 2 months ago by  silicon.




    We had a good laugh about this one in the SOC where I work as an investigator. Something we all want to do sometimes is get them back for what they do. There was also a story where someone had hacked a malicious download site and replaced the malware with an antivirus program.
    Always fun in our business, eh?



    Am I missing something? Is this a control server for one of the many FBI/Police/CP/Piracy “pay a fine to unlock” screens?



    lol… that’s something hahaha



    A new version of the infamous Locky ransomware has been unleashed upon users worldwide, affecting computers all across the globe from the USA to Mexico, Japan, Germany, and beyond. The unwelcome arrival of the new virus was first reported yesterday here and was later confirmed by another source.
    It works like most ransomware does, seizing the files on a victim’s PC and encrypting them. Much like its predecessor, Locky, the new virus changes the name of the files to its own extension: .zepto, which is why it has now become known as the Zepto Virus.
    Once the encryption process is complete, the virus then changes the desktop image to a ransom note, informing the affected user of the actions that had taken place and providing instructions as to how the victim can receive the decryption key. It also creates files with the same information in each of the encrypted folders titled “_HELP_instructions.html”.
    The amount demanded by the hackers in exchange for the key is 0.5 Bitcoins, roughly the equivalent of $300; however, it is likely that this number will be substantially increased in the event large businesses or organizations are affected.
    At this point, there is no known way of breaking the encryption, but cyber-security experts are already working on cracking the .Zepto code. As was the case with .locky, this new ransomware uses the strong RSA-2048 and AES-128 ciphers.
    Users are advised to take extra precautions when browsing the web and especially when dealing with newly received emails. This is the way ransomware is most commonly distributed, so be especially critical towards spam emails, more so if they come with attached files.

    Removal of Zepto Virus:

    .zepto File Virus Removal



    Thanks for the info.



    A dose of their own medicine.
    It’s time to strike back; a good defense is a strong offense.



    Hello. Everybody writes that .zepto (name extension) ransomware is still not encrypted. Please, can you write here a Master Key for Zepto Ransomware if it gets unlocked?! Because many people are waiting for it. Malwarebytes Anti-Malware, SpyHunter, Bitdefender… cannot unlock encrypted files. If someone asks me, I say: wait a little bit. The Master Key will be found soon.

    For example, for those who have their files encrypted with the .crypz or .cryp1 extensions there is a solution. You can get your files back. The private key is free now:

    .Crypz Extension (UltraDecryptor)

    Ransom Note Name: ![victim_id].html
    Ransom Note Name: ![victim_id].txt

    Example TOR URL: http://xqraoaoaph4d545r.onion.to
    Example TOR URL: http://xqraoaoaph4d545r.onion.cab
    Example TOR URL: http://xqraoaoaph4d545r.onion.city

    .Cryp1 Extension (UltraDecryptor)

    Ransom Note Name: ![victim_id].html

    Example TOR URL: http://eqyo4fbr5okzaysm.onion.to
    Example TOR URL: http://eqyo4fbr5okzaysm.onion.cab
    Example TOR URL: http://eqyo4fbr5okzaysm.onion.city

    But .crypt and .zepto are still locked.



    Now, ransomware has become epidemic. I’ve created many backups for my files, because hackers are really excellent in spreading their malicious codes.



    Unfortunately, at this time, there is no known way to decrypt files encrypted by Locky.

    As with most ransomware infections, the best solution for dealing with encrypted data is to restore from backups. If that is not a viable option and there is no fix tool, the only other alternative is to save your data as is and wait for a possible breakthrough. What seems like an impossibility at the moment (decryption of your data) may someday have a solution, so save the encrypted data and wait until that time.



    There is now a new one with the .thor extension. I’ve tried any and all ways to decrypt this, but it was just released on 10-25-16, the date I am adding this. I wish we could find the decryption method for this and a way to shut these guys down.



    Hey, cyberguys!

    My computer has been hacked by this Locky ransomware. I have my files locked with the extension .thor, which as I understand it is the newest extension used by the Locky virus. Obviously, there isn’t a free solution yet, and I’m getting a little hopeless that I will succeed in restoring my data. I do not have any backups 🙁 What do you think, guys… is there any chance to get some files back by using Recuva, or any paid data recovery software like Stellar Phoenix? I don’t want to pay the ransom to the motherfu**ers that caused this to me and other users like me. I have important information on my laptop, and some of the files are paramount for my university graduation. 🙁 Please help me if you know of a solution. Furthermore, I have found websites that recommend the removal of .thor Locky ransomware. So I have another question… Is there any danger to my data if I delete the virus from the computer?

    Thank you!



    Hi m0th! You can also try to use ShadowExplorer and this guide: http://manual-removal.com/thor/.



    Way to Uninstall the Ransom.Locky!lnk Virus

    Ransom.Locky!lnk is a very notorious and devastating PC threat which may sneak into your system without any prior notice. Although it belongs to the Trojan horse category, it also carries the capabilities of a ransomware threat. It is such a devastating malware infection that it poses serious damage to the targeted computer system and can make your system completely useless if not removed soon. Once installed, this vicious Trojan virus will quickly encrypt every single piece of data on your hard drive and encrypt all your files. It may even delete all your data. It is such a vicious PC threat that it keeps executing several malicious tasks in your system background. Users should remove the Ransom.Locky!lnk Trojan virus at the earliest. If you want to remove this malicious malware completely from your PC, then read this guide: http://www.howtoremovepcvirus.com/way-uninstall-ransom-lockylnk-virus



    I am trying to help a friend who is in trouble. He came to me with a memory pen that holds backup pictures of him and his family, all of the old family photos of his dead mother. So… is there anyone among you who can help? This is a challenge. Below is what the files look like!

    I hope you can help!

    Bilde 001.jpg.ecuhum
    Bilde 003.jpg.edybam
    Bilde 002.jpg.ufwfim
    Bilde 004.jpg.ofurkp
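The Zepto post above describes the on-disk traces this family leaves (files renamed to a new extension, a ransom note dropped in every encrypted folder), and the file list in the last post shows the other common pattern, a random suffix appended after the real extension. The following is an added example, not code from the thread or from any poster: an offline triage script that walks a directory tree and reports both kinds of trace. The extension list (.locky, .zepto, .thor), the note name _HELP_instructions.html and the sample file names are taken from this thread; the list of "original" document extensions and the sample directory layout are assumptions constructed for the example.

```python
"""Offline triage of a directory tree for the ransomware traces named in this thread.

Added example (not from the thread). Flags: known Locky-family extensions,
the _HELP_instructions.html ransom note, and "photo.jpg.ecuhum"-style renames.
"""
import os
import re
import shutil
import tempfile
from collections import Counter

# Extensions named in the thread; assumption: not an exhaustive Locky list.
LOCKY_EXTENSIONS = {".locky", ".zepto", ".thor"}
# Ransom-note file name from the Zepto post (compared case-insensitively).
RANSOM_NOTE_NAMES = {"_help_instructions.html"}
# Extensions treated as genuine user files for the appended-suffix check.
# Assumption: short illustrative list, extend it for real triage.
ORIGINAL_EXTENSIONS = {".jpg", ".jpeg", ".png", ".doc", ".docx",
                       ".xls", ".xlsx", ".pdf", ".txt"}
# An appended suffix of 4-8 letters/digits, which covers the random
# six-letter suffixes in the last post ("ecuhum", "ufwfim", ...).
APPENDED_RE = re.compile(r"^\.[a-z0-9]{4,8}$")


def classify(filename):
    """Return one of: ransom_note, locky_extension, appended_extension, clean."""
    lower = filename.lower()
    if lower in RANSOM_NOTE_NAMES:
        return "ransom_note"
    stem, ext = os.path.splitext(lower)
    if ext in LOCKY_EXTENSIONS:
        return "locky_extension"
    # "bilde 001.jpg.ecuhum": outer suffix is unknown and the inner one is a
    # real document/media extension, so the file was most likely renamed.
    if ext not in ORIGINAL_EXTENSIONS and APPENDED_RE.match(ext):
        if os.path.splitext(stem)[1] in ORIGINAL_EXTENSIONS:
            return "appended_extension"
    return "clean"


def scan_tree(root):
    """Walk root; return (Counter of verdicts, sorted list of (relpath, verdict))."""
    counts = Counter()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            verdict = classify(name)
            counts[verdict] += 1
            if verdict != "clean":
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append((rel.replace(os.sep, "/"), verdict))
    return counts, sorted(hits)


# Constructed sample tree: the layout is illustrative, not from a real infection.
SAMPLE_FILES = [
    "Documents/thesis.docx.thor",
    "Documents/_HELP_instructions.html",
    "Downloads/invoice.pdf.zepto",
    "Pictures/Bilde 001.jpg.ecuhum",
    "Pictures/Bilde 002.jpg.ufwfim",
    "Pictures/holiday.jpg",
    "Pictures/_HELP_instructions.html",
    "Music/song.mp3",
]


def build_sample_tree():
    """Create SAMPLE_FILES under a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="locky_triage_")
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder content\n")
    return root


def triage_sample():
    """Build the sample tree, scan it, remove it, and return (counts, hits)."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    counts, hits = triage_sample()
    for rel, verdict in hits:
        print(f"{verdict:20s} {rel}")
    print(dict(counts))
```

Point scan_tree at a mounted image or the memory pen itself (read-only) rather than at the sample tree; the appended-extension heuristic will also catch renames by families this thread does not name, so treat it as a lead for identification, not as attribution to Locky.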
