“Vaccine” against CTB-Locker, Locky and TeslaCrypt

According to SecurityWeek, the French cybersecurity company Lexsi has released a set of system operations, which it calls ‘vaccines’, that users can perform on their computers to prevent possible Locky infections. Here are the operations:

  1. Changing your system language to Russian. Lexsi noted that Locky avoids infecting computers whose system language is Russian. Certainly, this is not practicable for users who do not understand Russian.
  2. Creating the HKCU\Software\Locky registry key. This is the first thing the Locky ransomware tries to create on the compromised machine. Having the registry key already created causes the creation to fail and the malware to terminate.
  3. Locky checks the key for the id, pubkey, paytext and completed values. A completed value of 1 indicates that the process is completed. If the completed value is set to 1 and the id value contains the correct computer identifier, the malware terminates its execution.
  4. Locky uses the pubkey during the encryption process. An invalid pubkey value will cause the process to fail. A pre-existing pubkey value will force the ransomware to use it without prior verification. This gives users the power to force the malware to use a public RSA key for which they hold the corresponding private key.

These operations are meant to keep computers safe from Locky, but they may not work against some newer variants and they require more than basic knowledge to perform. Meanwhile, SecurityWeek also reports that Bitdefender has released a free automated tool that is capable of efficiently preventing the CTB-Locker, Locky and TeslaCrypt ransomware families from infecting a system.
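As an added example (not Lexsi's or SecurityWeek's tooling), the registry part of the vaccine (operations 2 and 3 above) as a small PowerShell script that pre-creates the HKCU\Software\Locky key, sets completed to 1, and lets you check or undo it. The key path and value names come from the article; the value type for completed (DWORD) is an assumption, and the id value is deliberately left unset because the article does not say how Locky derives the computer identifier.

```powershell
# Added example, not code from the original article or from Lexsi.
# Assumption: 'completed' is a DWORD; the article does not state its type.
$VaccineKey = 'HKCU:\Software\Locky'

function Test-LockyVaccine {
    # Returns $true only if the key exists and 'completed' is 1 (operation 3).
    if (-not (Test-Path -Path $VaccineKey)) { return $false }
    $item = Get-ItemProperty -Path $VaccineKey -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    if (-not ($item.PSObject.Properties.Name -contains 'completed')) { return $false }
    return ($item.completed -eq 1)
}

function Install-LockyVaccine {
    # Operation 2: pre-create the key so the malware's own creation attempt fails.
    if (-not (Test-Path -Path $VaccineKey)) {
        New-Item -Path $VaccineKey -Force | Out-Null
    }
    # Operation 3: mark the run as already completed.
    # The 'id' value is NOT set: the article does not give the derivation of
    # the computer identifier, so nothing is invented here. The same applies
    # to 'pubkey', whose expected format the article does not describe.
    New-ItemProperty -Path $VaccineKey -Name 'completed' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    return (Test-LockyVaccine)
}

function Remove-LockyVaccine {
    # Undo: delete the whole vaccine key (only what this script created).
    if (Test-Path -Path $VaccineKey) {
        Remove-Item -Path $VaccineKey -Recurse -Force
    }
    return (-not (Test-Path -Path $VaccineKey))
}

# Usage: Install-LockyVaccine ; Test-LockyVaccine ; Remove-LockyVaccine
if (Test-LockyVaccine) {
    Write-Output "Locky registry vaccine present under $VaccineKey"
} else {
    Write-Output "Locky registry vaccine NOT present; run Install-LockyVaccine"
}
```

The script runs in the current user's hive, so it needs no elevation; as the article notes, newer Locky variants may not honour this check, so treat it as one layer alongside backups and an up-to-date antimalware product.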
