Several ransomware families append an ‘.encrypted’ extension to the victim’s filenames, which is why they are often referred to collectively as ‘.encrypted viruses’. One such threat is ZeroLocker, known to security researchers since 2014. Another ransomware using the .encrypted extension is TorrentLocker, which was later renamed Crypt0L0cker; both have been known to researchers for a while now.
In the last couple of days, several users have contacted us saying that their files have been changed and now have an ‘.encrypted’ extension. This could mean two things – either one of the ransomware cases mentioned above has just been revived, or there is a new crypto malware using the same file extension (possibly created by affiliates).
The good news is that there is a decryption utility available for ZeroLocker. Read on to learn more.
What Is ZeroLocker?
Clearly, it is a piece of devastating crypto malware that sneaks into a victim’s machine and encrypts their files, demanding a ransom in exchange for the files’ decryption.
What we know about ZeroLocker (via Bleeping Computer’s analysis):
- ZeroLocker encrypts files using AES, skipping files that are located in certain folders or are larger than 20 megabytes;
- Folders spared from encryption are any whose names contain any of the following words – Windows, WINDOWS, Program Files, ZeroLocker, Desktop;
- Files encrypted by ZeroLocker have an .encrypted extension appended to their file names;
- Once the encryption process has finished, the ransomware runs the C:\Windows\System32\cipher.exe /w:C:\ command, which overwrites the free space on the victim’s C:\ drive so that deleted data cannot be brought back with a file recovery tool;
- ZeroLocker also creates the C:\ZeroLocker folder where it stores various files and the decryptor executable named ZeroRescue.exe; the latter runs automatically upon system reboot via a new registry entry.
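As an added illustration (not code from the original post, from Bleeping Computer or from Vinsula): a Python triage script that checks an inventory of files against the ZeroLocker rules listed above, so a responder can tell whether a set of ‘.encrypted’ files even fits ZeroLocker’s profile before spending CPU time on a brute-force decryptor. The inventory format (path mapped to size in bytes), the sample listings, the 1 KiB padding margin and the two indicator checks for the cipher.exe wipe and the ZeroRescue.exe autorun entry are constructed assumptions for this example.

```python
"""Triage a file inventory against ZeroLocker's documented behaviour.

Encodes the rules listed above: AES-encrypted files get '.encrypted' appended,
files over 20 MB and folders whose names contain certain words are skipped,
and the decryptor ZeroRescue.exe is dropped under the ZeroLocker folder on C:.
The inventory format (path -> size in bytes), the sample data and the
padding margin are constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".encrypted"
SIZE_LIMIT = 20 * 1024 * 1024      # files above 20 MB are left alone by ZeroLocker
PADDING_MARGIN = 1024              # assumption: slack for AES padding on the ciphertext
SKIPPED_WORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
ZEROLOCKER_DIR = PureWindowsPath(r"C:\ZeroLocker")
DROPPED_DECRYPTOR = ZEROLOCKER_DIR / "ZeroRescue.exe"


@dataclass
class Triage:
    encrypted: list = field(default_factory=list)       # paths ending in .encrypted
    contradictions: list = field(default_factory=list)  # what ZeroLocker would not have done
    artifacts: list = field(default_factory=list)       # files under C:\ZeroLocker

    @property
    def consistent_with_zerolocker(self) -> bool:
        return bool(self.encrypted) and not self.contradictions


def in_skipped_folder(path: str) -> bool:
    """True if any directory component contains a word ZeroLocker skips.

    Case-sensitive substring match, which is why the list names both
    'Windows' and 'WINDOWS'.
    """
    folders = PureWindowsPath(path).parts[:-1]   # drop the file name itself
    return any(word in folder for folder in folders for word in SKIPPED_WORDS)


def triage(inventory: dict) -> Triage:
    """Compare a path -> size inventory with ZeroLocker's encryption rules."""
    result = Triage()
    for path, size in inventory.items():
        p = PureWindowsPath(path)
        if ZEROLOCKER_DIR in p.parents:          # PureWindowsPath compares case-insensitively
            result.artifacts.append(path)
            continue
        if p.suffix.lower() != ENCRYPTED_EXT:
            continue                             # untouched file, nothing to check
        result.encrypted.append(path)
        if in_skipped_folder(path):
            result.contradictions.append(f"{path}: inside a folder ZeroLocker skips")
        if size > SIZE_LIMIT + PADDING_MARGIN:
            result.contradictions.append(f"{path}: {size} bytes, above the 20 MB limit")
    return result


def is_wipe_command(command_line: str) -> bool:
    """Flag the free-space wipe ZeroLocker runs once encryption is done."""
    cl = command_line.lower()
    return "cipher.exe" in cl and "/w:" in cl


def is_zerolocker_autorun(value_data: str) -> bool:
    """Flag a run-key value that points at the dropped decryptor."""
    return PureWindowsPath(value_data.strip('"')) == DROPPED_DECRYPTOR


# Constructed sample inventories (not taken from a real infection).
ZEROLOCKER_LIKE = {
    r"C:\Users\alice\Documents\report.docx.encrypted": 48_213,
    r"C:\Users\alice\Pictures\holiday.jpg.encrypted": 3_400_111,
    r"C:\Users\alice\Desktop\notes.txt": 1_200,          # Desktop: skipped
    r"C:\Windows\System32\drivers\etc\hosts": 824,        # Windows: skipped
    r"C:\Users\alice\Videos\talk.mp4": 731_000_000,       # above 20 MB: skipped
    r"C:\ZeroLocker\ZeroRescue.exe": 212_992,             # dropped decryptor
}
OTHER_FAMILY = {
    r"C:\Users\bob\Desktop\budget.xlsx.encrypted": 90_000,       # Desktop was encrypted
    r"C:\Users\bob\Videos\lecture.mp4.encrypted": 900_000_000,   # far above 20 MB
}

if __name__ == "__main__":
    for name, inv in (("ZeroLocker-like", ZEROLOCKER_LIKE), ("other family", OTHER_FAMILY)):
        t = triage(inv)
        print(f"{name}: consistent={t.consistent_with_zerolocker} "
              f"encrypted={len(t.encrypted)} artifacts={t.artifacts}")
        for c in t.contradictions:
            print("  -", c)
```

A listing that is consistent with the rules is not proof of ZeroLocker, but a contradiction (an encrypted file on the Desktop, or a 900 MB ciphertext) is a strong hint that a different family is using the same extension, which is exactly the case the N.B. below warns about.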
What about Shadow Volume Copies?
When we researched the threat back in 2014, we discovered that it didn’t affect Shadow Volume Copies.
Currently, we cannot provide any information as to whether ZeroLocker’s source code has recently been modified to affect Shadow Volume Copies. Nonetheless, a decryptor for ZeroLocker is available; it was created by Vinsula.
Here’s what Vinsula say about their utility:
- The recovery utility we have developed is a Windows console application that scans a single encrypted executable to uncover the encryption key. The operation uses a brute-force method and is CPU-bound (compute-bound). In our tests, the utility typically takes less than a day to find an encryption key, but in a worst-case scenario it could take up to 5 weeks. The utility can brute force an encrypted binary executable on either an infected machine or on a different, dedicated machine. The faster the machine (more CPU cores), the less time the brute-force process takes to resolve the encryption key.
- No Internet connection is required for the process to run and scan for the encryption key. The utility doesn’t have any external dependencies. For the brute forcing option the tool needs only to have access to a single encrypted binary executable.
N.B. The Vinsula recovery utility applies only to files encrypted by ZeroLocker. If your files have an ‘.encrypted’ extension but this utility doesn’t decrypt them, you have been hit by another ransomware family.
Here is an example of an ‘.encrypted’ file:
- es.gamma01.xla.encrypted (via a user post on GitHub).
What Is Crypt0L0cker?
Crypt0L0cker attacks were registered in the spring of 2015. That is when security analysts revealed that Crypt0L0cker is in fact a new version of the well-known TorrentLocker. However, Crypt0 appeared to be geo-locked and, as such, would not attack US-based machines. As with many other ransomware cases, Crypt0 was mainly distributed in spam email campaigns pretending to be government notices.
The communication methods used by Crypt0 were quite similar to TorrentLocker’s. When installed on a victim’s system, Crypt0L0cker would connect to a Command & Control server and transmit the victim’s unique identifier and a campaign ID.
Crypt0L0cker would then scan all hard drive letters and encrypt certain files while excluding others. Encrypted files would have an ‘.encrypted’ extension appended to their names.
What about Shadow Volume Copies?
Once activated, Crypt0L0cker would delete Shadow Volume Copies and thus make the files’ restoration quite difficult, if not impossible.
Unfortunately, there is still no decryption solution for either Crypt0L0cker or TorrentLocker.
You can still refer to the instructions below to clean your system from ransomware and back up your data.
We will keep you posted if a decryption tool for Crypt0L0cker/TorrentLocker is developed. You can also leave a comment in our security forums.