Lock75 (Fluffy) File Virus Restore Files | SensorsTechForum.com

This article is designed to help you remove Fluffy-TAR ransomware and, where possible, recover files that have had the lock75 extension appended to them.

A ransomware virus that appends the lock75 extension directly after the names of the files it encrypts has been detected. The virus is named Fluffy-TAR ransomware and uses the AES-256 cipher to encrypt files on the computers it infects. After the encryption, the Fluffy virus drops a well-designed ransom note demanding that victims pay 0.039 BTC to the cyber-criminals behind it in order to get their files back. If your computer has been infected by the Fluffy ransomware, we recommend reading this article carefully.

Threat Summary

Name: Lock75 Virus
Type: Ransomware
Short Description: The malware encrypts users' files with the AES-256 cipher, so direct decryption is possible only with the unique symmetric key held by the cyber-criminals.
Symptoms: The user may see ransom notes and an "instructions" screen asking for approximately 0.039 BTC. File names are changed and the lock75 file extension is appended.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or an obfuscated drive-by download of the malware itself.

Fluffy lock75 Virus – How Does It Infect

Fluffy ransomware may be distributed through spam e-mail messages that infect users' PCs. Such messages are usually sent with spamming software and spam kits that contain a pre-configured list of victims' e-mail addresses. The spam messages typically carry a deceptive text that aims to lure users into clicking a web link or opening the attachment, similar to the example image below:

(Image: example of a fake LinkedIn spam e-mail)

Such convincing messages may even include information about your account, such as your name, address and so on. This information is usually gathered from websites on which many victims have registered and left their personal information. If those websites are compromised, they can reveal many details about their users, making them potential victims of Fluffy ransomware's distributors.

Another way this infection spreads is through fake installers, game activation software, license removers and other fake executables uploaded to torrent websites via compromised accounts and downloaded by the victim. Such files may also be published on suspicious websites or delivered to the user's PC as a result of a PUP (Potentially Unwanted Program) installed on the computer.

Fluffy Ransomware – Infection Activity

Once Fluffy ransomware has infected a given computer, the virus may use exploits to drop its malicious files while remaining undetected on the victim's computer. Once this has been done, the Fluffy ransomware infection may begin to connect to the following hosts:

  • 185.100.85.150:80 – Romanian
  • 192.36.27.5:80 – Swedish

From these hosts, the malicious files of the Fluffy virus may be downloaded onto the computer of the victim. These files may consist of a malicious executable and an image, named as the following:

  • Fluffy.exe
  • Fluffy.png

Along with these malicious files, Fluffy ransomware may also drop other support files that may perform malicious activity on the compromised computer. One of those activities may be to delete the shadow volume copies on the infected computer – activity achieved by using the following commands:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
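As an added defender-side example (not code from the article), the following Python flags the shadow-copy deletion and boot-recovery tampering commands quoted above when they appear in process-creation telemetry. The event records, their field names (pid, image, cmdline) and the rule names are constructed for this example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688
# style, reduced to pid, image and cmdline). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet"'},
    {"pid": 4133, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 4134, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 900, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: listing, not deleting
    {"pid": 2222, "image": r"C:\Program Files\Example\app.exe",
     "cmdline": '"C:\\Program Files\\Example\\app.exe" --update'},
]

# One regex per behaviour described in the article. Matching the command line
# rather than the image path also catches the wmic -> cmd.exe wrapper form.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.IGNORECASE),
    "boot_failures_ignored": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
        re.IGNORECASE),
}


def classify(event):
    """Return the names of all rules the event's command line matches."""
    cmdline = event.get("cmdline", "")
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(events):
    """Return (pid, rule) pairs for every suspicious event in a log batch."""
    return [(e["pid"], rule) for e in events for rule in classify(e)]


def recovery_tampering_detected(events):
    """True when shadow copies were deleted AND boot recovery was tampered with in
    the same batch; the combination is far more specific to ransomware than a lone
    vssadmin call, which administrators also run legitimately."""
    hit_rules = {rule for _, rule in scan(events)}
    return ("shadow_copy_deletion" in hit_rules
            and bool(hit_rules & {"recovery_disabled", "boot_failures_ignored"}))


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    print("recovery tampering:", recovery_tampering_detected(SAMPLE_EVENTS))
```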

In addition to this, Fluffy ransomware may perform several other activities, among them modifying the Windows Registry sub-keys responsible for running programs at system boot and for the desktop wallpaper:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Fluffy Virus – Encryption Process

Fluffy ransomware encrypts files with the AES-256 algorithm, replacing the original contents of each file, block by block, with ciphertext. The files can then no longer be opened. The virus generates a symmetric decryption key, which is sent to the servers of the cyber-criminals, making them the only party able to decrypt the files.

The encrypted files have the lock75 extension added to them and may appear as in the image below:

After the encryption process has been completed, the lock75 ransomware infection may drop its ransom note, which contains the following message and leads to the TOR-based web page 3qsp4lc4ajyk4ccb.onion:

What’s happening?
Oh no! Fluffy-TAR has encrypted some of your files! It means they are not lost, but cannot be used until decrypted.
They are “locked”, you could say. If you see a file which name ends with “lock75”, it means this file is encrypted. The process is easily reversible but requires a key.
What do I do?
To get your files back, you must buy the decryption key. This payment must be done in Bitcoins, a cryptographic currency. Bitcoin is becoming more and more accessible and nowadays, it is really easy to use bitcoins. See the online interface (button below) for a more detailed introduction to bitcoins.
To get your files back, please send exactly (or more if you want) 0.039 Bitcoins to this address, BEFORE the countdown below ends:
1D4yXNh45nur1KVNqnPZ5T7nep5Y1KDbwx
Uppercase/lowercase matter! Make sure you send to the right address! (you can scan the QR code to copy it)
After sending the payment, wait an hour then click the “Retrieve key automatically” button below.
The software will then receive the key and decrypt ALL encrypted files.
Without the key, it is impossible to decrypt your files. Without the proper payment, it is impossible to get the key.
When the countdown reaches zero, you will lose all encrypted documents.
Please note: If you have an antivirus, disable it now if you don’t want to lose your data.

Among the encrypted files are the following file types:

→ .3fr, .7z, .abu, .accdb, .ai, .arp, .arw, .asp, .aspx, .ass, .asset, .ava, .avi, .bas, .bay, .bdcr, .bdcu, .bdd, .bdp, .bds, .bikey, .blend, .bmp, .bpdr, .bpdu, .bsdr, .bsdu, .c, .cc, .cd, .cdr, .cer, .class, .com, .config, .cpp, .cr2, .crt, .crw, .cs, .csv, .cxx, .db, .dbf, .dbx, .dcr, .dd, .dds, .der, .dng, .doc, .docm, .docx, .DTD, .dwg, .dxf, .dxg, .eps, .erf, .fdb, .forge, .gdb, .gif, .groups, .gsd, .gsf, .h, .hpp, .htm, .html, .ims, .indd, .iss, .jar, .java, .jpe, .jpeg, .jpg, .js, .jsp, .kdc, .key, .kwm, .lua, .m, .md, .mdb, .mdf, .mef, .mp3, .mpg, .mrw, .msg, .nef, .nrw, .oab, .obj, .odb, .odm, .odp, .ods, .odt, .orf, .ost, .p12, .p7b, .p7c, .pab, .PAS, .pas, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pl, .png, .ppk, .ppt, .pptm, .pptx, .ps, .psd, .pst, .psw, .ptx, .pwm, .py, .r3d, .raf, .rar, .RAW, .raw, .rgx, .rik, .rm, .rtf, .rw2, .rwl, .safe, .sav, .sln, .sql, .srf, .srw, .swf, .swift, .tex, .txt, .vcf, .vsd, .wb2, .wpd, .wps, .xcf, .xlk, .xls, .xlsb, .xlsm, .xlsx, .xml, .zip

Fluffy lock75 Virus – How to Remove It and Restore Your Files

If the infection has already taken place, the first action should be to back up the files encrypted by the lock75 ransomware.

Then we recommend following the removal instructions below, which will help you isolate this virus and remove its files. If you feel uncertain about manual removal, we recommend removing the ransomware automatically with an advanced anti-malware program. This will ensure that all files and objects associated with Fluffy ransomware are removed from your computer and that your computer is protected in the future.

After removing Fluffy ransomware, we advise using the methods in step "2. Restore files encrypted by Fluffy" from the instructions below. They may not recover all of your files, but they can restore at least some of the data.
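The following Python, an added example that is not part of the original article or of any vendor tool, carries out the first step above: it inventories every file whose name ends with lock75 and copies it to a backup location together with a SHA-256 manifest, so the copies can be verified before any removal or recovery attempt. The sample directory tree, the dotted ".lock75" form of the names and the helper names are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = "lock75"  # marker the article reports Fluffy-TAR appending


def find_encrypted(root):
    """Return every file under root whose name ends with the lock75 marker."""
    root = Path(root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.name.endswith(ENCRYPTED_SUFFIX))


def backup_encrypted(root, dest):
    """Copy the encrypted files to dest, preserving relative paths, and return a
    manifest {relative_path: sha256} for verifying the copies later."""
    root, dest = Path(root), Path(dest)
    manifest = {}
    for src in find_encrypted(root):
        rel = src.relative_to(root)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps timestamps, useful for triage
        manifest[rel.as_posix()] = hashlib.sha256(target.read_bytes()).hexdigest()
    return manifest


def build_demo_tree():
    """Constructed sample tree: two 'encrypted' files and one untouched file."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.lock75").write_bytes(b"\x00ciphertext-1")
    (root / "photo.jpg.lock75").write_bytes(b"\x00ciphertext-2")
    (root / "notes.txt").write_bytes(b"plain")
    return root


def demo():
    """Back up the demo tree into a fresh temp dir; return manifest and copy count."""
    root = build_demo_tree()
    dest = Path(tempfile.mkdtemp())
    manifest = backup_encrypted(root, dest)
    return manifest, len(find_encrypted(dest))


if __name__ == "__main__":
    manifest, copied = demo()
    for rel, digest in manifest.items():
        print(f"{digest}  {rel}")
    print(f"{copied} encrypted file(s) backed up")
```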

Manually delete Lock75 Virus from your computer

Note! Important notice about the Lock75 Virus threat: manual removal of Lock75 Virus requires interference with system files and registries and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Lock75 Virus files and objects
2. Find malicious files created by Lock75 Virus on your PC

Automatically remove Lock75 Virus by downloading an advanced anti-malware program

1. Remove Lock75 Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Lock75 Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
