Decryption Tools for Ransomware


The Windows Club has published a pretty extensive list of tools to help you if you get zapped. First of all, it’ll probably be Petya or Locky as they’re the most common ones encountered currently. First you have to identify the malware. You upload the ransom note or a file which has been encrypted by the malware (and hope it identifies the malware) here: https://id-ransomware.malwarehunterteam.com/index.php

There’s a great list of the tools here: http://www.thewindowsclub.com/list-ransomware-decryptor-tools and each tool is specific to the malware identified, so…step one is very important.

There are also several intrusion detection tools, but according to the Windows Club, WinPatrol is free and probably the best. You can read about it at the linked url.

There are also free anti-Ransomware tools. I've written about one, but there are several, and you can read about (and get links to them) here: http://www.thewindowsclub.com/free-anti-ransomware-tools 

Probably another article to read to help you get organized about what you should do if you get attacked is located here: http://www.thewindowsclub.com/what-to-do-after-ransomware-attack

The most important thing is to have recent backups, so don't be lazy: Make one now. The only backup you'll ever regret making is the one you didn't make.

Hope this helps in case you get hit. I’ve bookmarked the links above…and you might consider doing the same.

Have a great weekend!

Sources:

http://www.thewindowsclub.com/list-ransomware-decryptor-tools 

https://www.winpatrol.com/ 

http://www.thewindowsclub.com/free-anti-ransomware-tools

Reply #1

Doc -

I bought the 5-PC license for WinAntiRansomPlus and I'm running it alongside BitDefender AntiRansomware and MWB AntiRansomware.  So far, they seem to be playing nice together.

BitDefender goes about its business quietly without notifications but it may have blocked Locky on two of my rigs.  I happened to spot an obsolete software key on each when running the CCleaner Registry cleaner yesterday: HKCU\Software\Locky.  Which means I'm 'lucky' to have paid attention to your posts here.

So you know you may have saved at least one poor soul some misery.  For that, I say "Thanks!"


Addendum:  That 'obsolete' software key keeps getting rewritten to the registry after being deleted.  Not immediately, but it shows up again if I run CCleaner an hour or two after deleting it.

Got some work to do.

Reply #2

If I helped, I'm truly happy Daiwa. Are you sure that registry key isn't being written by one of your AR program updates (I assume they update daily...and maybe stuff is hanging around in memory and getting rewritten?). 

If I were you, I would definitely be asking the AR makers about this and making a post about it in MWB's Forum...and maybe WARPs as well...

Reply #3

McAfee's site says the presence of that specific reg key is indicative of infection, but so far no harm.  I'll keep this thread updated.

Reply #4

After reading Daiwa's reply #1 I decided to run CCleaner's registry cleaner and found the same obsolete reg key, HKCU\Locky. When I clicked on fix issues a window opened and said the key is left behind after uninstalling software. The only ones I uninstalled were CCleaner and BitDefender Anti-Ransomware to update to the latest versions.

Reply #5

Interesting, Uvah.  I'm talking to my tech guy this morning on this issue.  My first suspicion was that BitDefender had blocked a Locky attempt and that a harmless reg key was left behind.  Now not so sure.  I'll post back.

Reply #6

After a lengthy session with my tech guy, it appears probable that the reg key in question is actually being written by one of the antiransomware apps, most likely BitDefender Antiransomware, for reasons unclear.  We actually found a set of two related keys in 6 different locations in the reg - CCleaner only found 1 set flagged as 'obsolete'.  It may be part of a strategy to 'immunize' against Locky.

One more little experiment to conduct before I can be sure.  More to follow.

Reply #7

Locations please.

Reply #8

Daiwa...I guessed correctly (response #2). ;) . Glad about that!

Reply #9

DrJBHL wrote (reply 8): "Daiwa...I guessed correctly (response #2). ;) . Glad about that!"

You were close, Doc.  4* Not just on program update, but within an hour of the keys being deleted.

Reply #10

I'd love to give you the locations, Uvah, but I wasn't watching real-time as he did the reg search.  All you need to do is search in regedit for Locky & delete all found keys.

Reply #11

Thank you!

Reply #12

@Daiwa...thanks, I will.

Reply #13

There was a second key in the same section as each Locky key, gibberish alphanumeric name starting with 7ou, that CCleaner had also flagged as obsolete.  It, too, kept getting rewritten to the reg, so we nuked all those, too.

Reply #14

I can report that 18 hours after deleting all found Locky keys and all the 7ou... keys, they remain gone on both rigs.  Interesting that CCleaner only picked up one set of the keys as obsolete when there were multiple sets.  The only protectionware difference between the two rigs is one runs BitDefender AV, the other Avast Pro AV.  Both run MWB, MWB Anti-exploit and BD Antiransomware.  And they are now both running WinPatrol WinAntiRansomwarePlus.  Still not sure where those Locky keys came from.

Reply #15

Additional info today.

Avast Pro blocked the Locky trojan in several emails this morning - first time I'd seen a popup indicating so, but I assume there were others that I missed in the past.  This happened with active scanning of the inbound emails before they reached my inbox.

Found 4 instances of the Locky & 7ouHlW14R0XZ0x keys in the reg, all empty, suggesting that the trojan is able to get that far before Avast blocks it.

BitDefender on the other machine doesn't show popups, just does its biz in the background so it appears to be effectively blocking Locky as well.

Reply #16

Just ran CCleaner registry again and Locky was back along with another obsolete reg key, 4T54zly5. I don't know if it has anything to do with Locky though. Did a quick search in the registry but didn't find any more. Would help if I knew where else to look. HKEY_CURRENT_USER\Software and...

Reply #17

Did you see that alphanumeric key in the same section as the Locky key?  If so, it's likely a companion key, especially if it's empty.  I ran my searches on the entire registry.  It's looking like if all we have is the reg keys, we're OK.  Risk of ransomware attack would seem to be low if good AV is running.
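An added example, not written by anyone in this thread: a PowerShell audit script that walks the hives mentioned in the replies above for keys named Locky, reports whether each is empty, lists any empty sibling keys in the same parent (the "7ou..." companion key the replies describe), and appends a timestamped line to a log so a scheduled run shows when the keys reappear instead of guessing. The log path and the "empty sibling" heuristic are assumptions; nothing is deleted.

```powershell
# Added example (not from the thread). Audits, does not delete: lists keys named
# "Locky" and logs a timestamped line per hit so reappearance can be timed.
function Find-LockyKeys {
    param(
        # Log path is an assumption; change to suit.
        [string]$LogPath = (Join-Path $env:USERPROFILE 'locky-key-audit.log')
    )
    # HKU: is not a default PowerShell drive; map it so other users' hives are covered.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $roots = @('HKCU:\Software', 'HKLM:\Software', 'HKLM:\Software\WOW6432Node', 'HKU:\')
    $stamp = Get-Date -Format 's'
    $hits = @()
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Recurse the whole subtree; access-denied keys are skipped rather than fatal.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -ieq 'Locky' } |
            ForEach-Object {
                $key = $_
                $isEmpty = ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0)
                # Heuristic (assumption): the companion key seen in the thread was an
                # empty key in the same parent, so report all empty siblings for review.
                $parent = Split-Path -Path $key.PSPath -Parent
                $siblings = Get-ChildItem -Path $parent -ErrorAction SilentlyContinue |
                    Where-Object { $_.PSChildName -ne 'Locky' -and
                                   $_.ValueCount -eq 0 -and $_.SubKeyCount -eq 0 } |
                    ForEach-Object { $_.PSChildName }
                $line = '{0} {1} empty={2} emptySiblings={3}' -f `
                    $stamp, $key.Name, $isEmpty, ($siblings -join ',')
                Add-Content -Path $LogPath -Value $line
                $hits += [pscustomobject]@{
                    Key = $key.Name; Empty = $isEmpty; EmptySiblings = $siblings
                }
            }
    }
    return $hits
}

# Run once; schedule the same call hourly via Task Scheduler to time reappearance.
Find-LockyKeys | Format-Table -AutoSize
```

Comparing consecutive log lines shows whether a key came back after deletion and roughly when, which is the question the replies above were trying to answer by rerunning CCleaner by hand.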

Reply #18

Has either of you looked up the topic in the anti-ransomware forums of each program?


Reply #19

Yes.

Nothing in the way of this detail on the Avast forums, though ransomware in general discussed.

This BD-related thread mentions the Locky reg key and suggests it prevents Locky infection.

Still not clear what's going on, but based on the email hits Avast is blocking, Locky is getting around.

Edit:  Indeed, just launched Outlook again & Avast blocked another email with Locky.

Reply #20

It's a gmail-hosted address that is bearing the Locky traffic.  May have to get them involved.

Reply #21

According to post #13 Minimalist suggested not removing the reg keys. I ran CCleaner again but found nothing.

Reply #22

My tech guy suspected that, too, at first but he would have expected the antiransomware to lock down permissions for those keys as a way to block access to them & it didn't.  I'm inclined to leave the keys alone if/when they show up again, but the guys making this stuff keep massaging it to avoid AV detection so who knows?

Reply #23

What's ransomware?

Reply #25

Some ransomware locks up the internet; if it does, just clear your history and exit out of the internet. This seems to work.