New types of ransomware are discovered on a very regular basis. Some of these creations are copy-and-paste jobs, which do not bring anything new to the table. Every now and then, however, a type of ransomware emerges which offers something we have not seen before. Lockout is one of those types of malicious software that offers something interesting, although it is not necessarily a major development.
Lockout Introduces a Legal Notice To its Victims
The bread and butter of ransomware is always the same. Users who get infected with this malicious software see their computer files encrypted, and they are asked to pay a ransom in Bitcoin. Some types of ransomware can be decrypted free of charge, although newer types emerge on a regular basis. Lockout does not appear to be a big threat for now, but it does introduce a legal notice to Windows users infected with this malware.
To be more specific, the Lockout ransomware puts up a legal notice before users log in to the Windows environment. In this legal notice, one can find the necessary payment instructions to get rid of this malicious software. This is a rather remarkable development, as it is not something we have seen ever before. Then again, not paying the ransom demand is always the best course of action.
As the name of the ransomware strain suggests, files will be encrypted and renamed to the “.lockout” extension. Any file with this new extension cannot be opened or executed until the victim decrypts them in the future. Moreover, it also appears Lockout makes modifications to the Windows registry. It is unclear if users can restore files from a backup, though, but it seems unlikely. Most modern types of ransomware delete shadow volume copies as soon as they infect a computer.
Lockout seems to spread itself through a spam email campaign. Once again, this is rather common behavior among malicious software developers. Spam campaigns have proven to be a successful way of distributing malicious payloads to consumers all over the world. These emails often contain an attachment laden with the payload in question. Additionally, it appears some messages redirect users to malicious websites hosting the ransomware payload.
Luckily, it appears people can get rid of the Lockout ransomware with relative ease. According to this post, there are several methods to do so. It is expected a free decryption tool will be made available in the future as well. All of this goes to show ransomware developers are still coming up with new tricks. The legal notice in the startup screen is a novelty, although it will not necessarily result in more victims paying the Bitcoin ransom.
Speaking of the Bitcoin ransom, it is unclear how much money the criminals are demanding in exchange for the decryption key. All of this information can be found in the official payment instructions file, although it is possible the amount will vary depending on the victim and how many files are encrypted at the end. Be wary when opening an email from an unknown sender, as it may contain this – or any other – type of ransomware.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.
A massive number of organisations across the globe have been targeted by the malware since May 12.
Hackers used the Trojan encrypter WannaCry to lock computers and demand a payment for the decryption. So far, it has hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses, Xinhua news agency reported.
WannaCry takes advantage of the Windows exploit series known as Eternal Blue which exploits a vulnerability that Microsoft patched in security update MS17-010 on March 14, to gain remote access to users’ computers and install malicious driver programmes before locking files and demanding a ransom, Kaspersky told Xinhua.
According to a statement provided by Kaspersky, its computer system monitoring tool has detected 11 kinds of such malicious programmes that WannaCry uses to encrypt computer files.
The cyber security provider warned against using the means of decryption offered on the Internet or received in emails, as WannaCry’s encryption algorithm can not be decoded with existing methods, which, worse still, may cause even greater harm to the infected computer and others connected to it, thus accelerating the propagation.
Currently, the only right approach in case of a WannaCry infection that has been found effective is system reinstallment at the expense of encrypted file, Kaspersky said.
“If you find that your computer has been infected, you should turn it off and contact the information security service for further instruction,” Kaspersky said.
Noting that precautions play a crucial part in defending against the WannaCry virus, Kaspersky suggests users install an official patch from Microsoft that closes the vulnerability used in the attack as well as upgrade the security software scanning critical areas at all time to detect potential infection as early as possible.
It is also suggested to create file backup copies on a regular basis and store copies on storage devices that are not constantly connected to the computer.
For computers within corporate networks, once an attack is spotted, disconnection of the invaded computer from the Internet and internal networks needs to be done immediately.
In addition, while unpatched Windows computers can be remotely attacked with the Eternal Blue exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability does not really prevent the ransomware component from working, Kaspersky said.
“Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak,” it said.
At present, network security companies, including Kaspersky, are developing more effective means of fighting the WannaCry virus and decoding maliciously encrypted files, and relevant information will be released in a timely manner, Kaspersky said.