Remove Strictor (BankAccountSummary) Ransomware and Restore .locked Files

The “hidden tear” project has spawned yet another ransomware. It is named Strictor and is also known as BankAccountSummary ransomware; it demands $500 from infected users to get the files it encrypted back. The ransomware locks the data with the strong AES-256 cipher, which would take years to crack unless a flaw in its implementation is found. Experts advise infected users not to pay the $500 ransom in most circumstances, because their files may not be decrypted and the payment helps the cyber-criminals develop and spread the virus. Instead, it is recommended to remove the ransomware and try to restore the data using alternative methods such as the ones below while waiting for a decryption method to be released.

Threat Summary

Name: Strictor
Type: Remote Access Trojan with file encryption capability.
Short Description: The ransomware encrypts files with a strong AES-256 cipher, asking $500 for decryption.
Symptoms: Files are encrypted with the .locked file extension and become inaccessible. A ransom note with instructions for paying the ransom may be shown as the wallpaper.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.

Strictor Ransomware – Distribution

To deploy Strictor across computers, its creators may have used spam messages featuring either malicious e-mail attachments or malicious URLs, such as the example below:

[Image: example of a spam e-mail]

They have also thought this bottleneck through very well, realizing that it is the most important part of the infection process. This is why they may have used file obfuscators to hide the file carrying the malicious payload from anti-virus and anti-malware programs.

Researchers have also reported that a malicious executable pretending to be a .PDF document is widespread in the spam messages carrying Strictor. The file has the following name:

  • Bank_Account_Summary.pdf.exe

Strictor Ransomware In Detail

After being activated on your computer, Strictor may create malicious files in commonly used Windows folders:

[Image: commonly used file names and folders]

After the files are created, researchers at http://id-ransomware.blogspot.bg report that the ransomware creates the following registry entries:

In the key:
→ HKLM\SOFTWARE\Microsoft\Tracing\Bank_Account_Summary_RASAPI32\
the following subkeys:
  • ConsoleTracingMask
  • EnableConsoleTracing
  • EnableFileTracing
  • FileDirectory
  • FileTracingMask
  • MaxFileSize

In the key:
→ HKLM\SOFTWARE\Microsoft\Tracing\Bank_Account_Summary_RASMANCS\
the following subkeys:
  • ConsoleTracingMask
  • EnableConsoleTracing
  • EnableFileTracing
  • FileDirectory
  • FileTracingMask
  • MaxFileSize

After making these changes on the infected machine, the ransomware may also connect to its command and control server:

→ 202.181.194.227

After connecting to the server, the ransomware may send different information from the infected computer:

  • Decryption Key.
  • System Information.
  • Anti-Virus Information.

The ransomware also uses an AES-256 cipher to encrypt most user files without damaging Windows. The targeted file types are:

→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV; CAD Files: .DWG .DXF; GIS Files: .GPX .KML .KMZ; .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF; Encoded Files: .HQX .MIM .UUE; .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML; Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA; Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV; 3D: .3DM .3DS .MAX .OBJ; .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” (Source: fileinfo.com)

Files encrypted by Strictor receive the .locked file extension, for example:

→ Picture.jpg.locked

After encryption, the ransomware virus is reported to create the following file:

→ C:\Users\Name\Documents\WindowsUpdate.locked

The ransomware virus may also delete the shadow volume copies on the infected machine by running a shadow copy deletion command:

[Image: shadow copy deletion command]

In addition to that, Strictor has a countermeasure for the case where the user disconnects the computer from the internet. The ransomware displays the following message if there is no active connection:

→ “Are you trying to fool me? Connect me to the Internet ;)”

It also leaves a ransom note by changing the wallpaper of the infected computer to the following picture:

[Image: ransom note wallpaper]

The ransomware may also add a text file, containing the following ransom message:

→ “All your precious Files on your computer
I have successfully encrypted!
Your files are encrypted To get the key to decrypt flies you have to pay 500 USD.
If payment is not made before {Deadline date here} the cost of decrypting files will increase 2 times and will be 1000 USD
Click below to pay us the bitcoins!!!”

Strictor – Conclusion, Removal, and File Restoration

The conclusion for Strictor ransomware is that it has been created to induce fear in users and drive them into paying the ransom of 500 USD in time. The creators of this virus do not fool around, and they may have a lot of experience with ransomware infections, because the malicious website connected to the ransomware contains the name “CryptoWall” in it. CryptoWall is one of the most notorious ransomware infections ever created, generating damages of over 180 million dollars globally in 2015.

To remove Strictor, we advise you to follow our instructions. They are organized in a methodical order to help you remove the ransomware. We also advise you to use an anti-malware tool to help you remove the malicious files, because they may be different files in different locations under different names.

As for decrypting your files, unfortunately there is no method released at present. However, we have prepared alternative file restoration methods which will help you restore at least some of your files. In the meantime, we will keep this article updated if a decryptor is released.

Manually delete Strictor from your computer

Note! Important notice about the Strictor threat: manual removal of Strictor requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry; you can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Strictor files and objects
2. Find malicious files created by Strictor on your PC
3. Fix registry entries created by Strictor on your PC

Automatically remove Strictor by downloading an advanced anti-malware program

1. Remove Strictor with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Strictor in the future
3. Restore files encrypted by Strictor
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
