Users can now recover files without paying

Apr 16, 2016 20:00 GMT  ·  By

Fabian Wosar, Emsisoft's top malware analyst, has put together a decrypter for a new ransomware variant named AutoLocky, a copycat of the more famous and dangerous Locky ransomware that appeared at the start of 2016.

AutoLocky, which was spotted for the first time only about a month ago, is written in the AutoIt scripting language, hence its name.

"The malware itself installs itself by creating a link to itself inside the Start Menu StartUp folder named 'Start.lnk,'" Mr. Wosar told Softpedia. If the user clicks the link, the ransomware starts encrypting their files with "AES 128 bit encryption using a key derived using MD5 from an alphanumeric password."

AutoLocky uses strong encryption...

The decryption key is then sent to the C&C (command and control) server while ransom notes in the form of text and HTML files (see attached gallery) are dropped on the user's computer. Below is a list of the 217 file types AutoLocky targets for encryption.

docm,docx,dot,doc,txt,xls,xlsx,xlsm,7z,zip,rar,jpeg,jpg,bmp,pdf,ppsm,ppsx,ppam,potm,potx,pptm,pptx,pps,pot,ppt,xlw,xll,xlam,xla,xlsb,xltm,xltx,xlm,xlt,xml,dotm,dotx,odf,std,sxd,otg,sti,sxi,otp,odg,odp,stc,sxc,ots,ods,sxg,stw,sxw,odm,oth,ott,odt,odb,csv,rtf,accdr,accdt,accde,accdb,sldm,sldx,drf,blend,apj,3ds,dwg,sda,ps,pat,fxg,fhd,fh,dxb,drw,design,ddrw,ddoc,dcs,wb2,psd,p7c,p7b,p12,pfx,pem,crt,cer,der,pl,py,lua,css,js,asp,php,incpas,asm,hpp,h,cpp,c,csl,csh,cpi,cgm,cdx,cdrw,cdr6,cdr5,cdr4,cdr3,cdr,awg,ait,ai,agd1,ycbcra,x3f,stx,st8,st7,st6,st5,st4,srw,srf,sr2,sd1,sd0,rwz,rwl,rw2,raw,raf,ra2,ptx,pef,pcd,orf,nwb,nrw,nop,nef,ndd,mrw,mos,mfw,mef,mdc,kdc,kc2,iiq,gry,grey,gray,fpx,fff,exf,erf,dng,dcr,dc2,crw,craw,cr2,cmt,cib,ce2,ce1,arw,3pr,3fr,mdb,sqlitedb,sqlite3,sqlite,sql,sdf,sav,sas7bdat,s3db,rdb,psafe3,nyf,nx2,nx1,nsh,nsg,nsf,nsd,ns4,ns3,ns2,myd,kpdx,kdbx,idx,ibz,ibd,fdb,erbsql,db3,dbf,db-journal,db,cls,bdb,al,adb,backupdb,bik,backup

The crooks ask for 0.75 Bitcoin (~$325), and based on some of the Bitcoin addresses seen in ransom notes, some users appear to have ended up paying.

In all ransom notes, AutoLocky uses the Locky moniker, but this is only to frighten users who might Google the term and realize that Locky is undecryptable and they might need to pay the ransom to recover their files.

A better way for victims would be to use the ID Ransomware website where they can upload a ransom note and an encrypted file, and the website will tell them the exact name of the ransomware. ID Ransomware can accurately differentiate between Locky and AutoLocky.

... but there's a way around it

Luckily, Mr. Wosar found a flaw in AutoLocky and was able to put together a decrypter to help users out. You can download the decrypter from Emsisoft's website.

After you launch it, the decrypter will do its magic and get you the decryption key needed to unlock your files. Once you get the key, the decrypter's GUI will kick in, and then you can select the location of your encrypted files and start the decrypter to initiate the decryption process.

Just be mindful to test the validity of the decryption key on one file first. Additionally, it may be a good idea to create a copy of your encrypted files and test the decryption process on those. Happy decrypting!

AutoLocky decrypter now available for download