LockCrypt, a ransomware that arrives through Remote Desktop


As is well known, attackers use a wide variety of techniques. Increasingly they look for weaknesses in the configuration of common services and applications, such as the Remote Desktop service on Windows systems, that let them connect easily and take complete control of the machine. The LockCrypt ransomware variant described here is one such case.

Recently, a group of cyber security researchers reported that attackers have been distributing a new variant of the LockCrypt ransomware by taking advantage of weakly configured Remote Desktop services. To carry out the attack, they scanned for computers with Remote Desktop exposed, connected to them, and used brute-force tools to guess the access password.


Once inside the system, the attackers executed the ransomware, which immediately began encrypting the data on the hard disk and afterwards demanded a ransom payment in exchange for the supposed key to decrypt the data, a cyber security professional explains.
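The attack described above leaves a recognisable trace in the Windows Security log: a burst of failed Remote Desktop logons (Event ID 4625, LogonType 10) from one source address, followed by a successful one (Event ID 4624) from the same address once the password has been guessed. The following detector, added here as an example and not taken from the original report, runs that check over a constructed sample of such events reduced to the fields that matter. The sample records, the threshold of five failures in five minutes, and the field names are all assumptions for the example; on a real system the same logic would be fed from the Security event log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to the fields that
# matter for this check. These are made-up records, not logs from the article.
# Event ID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive (RDP), LogonType 2 = console logon.
SAMPLE_EVENTS = [
    {"time": "2018-01-15T03:10:01", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-01-15T03:10:09", "id": 4625, "logon_type": 10, "user": "admin",         "src": "203.0.113.7"},
    {"time": "2018-01-15T03:10:17", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-01-15T03:10:25", "id": 4625, "logon_type": 10, "user": "user",          "src": "203.0.113.7"},
    {"time": "2018-01-15T03:10:33", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-01-15T03:10:41", "id": 4625, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    {"time": "2018-01-15T03:11:05", "id": 4624, "logon_type": 10, "user": "Administrator", "src": "203.0.113.7"},
    # A user mistyping a password twice, half an hour apart: not a burst.
    {"time": "2018-01-15T03:12:00", "id": 4625, "logon_type": 10, "user": "jdoe",          "src": "198.51.100.5"},
    {"time": "2018-01-15T03:40:00", "id": 4625, "logon_type": 10, "user": "jdoe",          "src": "198.51.100.5"},
    # Console logon failures (LogonType 2) are not RDP and are ignored here.
    {"time": "2018-01-15T03:15:00", "id": 4625, "logon_type": 2,  "user": "bob",           "src": "10.0.0.5"},
    {"time": "2018-01-15T03:15:05", "id": 4625, "logon_type": 2,  "user": "bob",           "src": "10.0.0.5"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Flag source addresses with >= threshold failed RDP logons inside the window.

    For each flagged source, report how many RDP failures it produced, which
    accounts it tried, and the first account that logged on successfully over
    RDP from that source after the burst began (None if none did).
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["logon_type"] == 10:          # keep RDP logons only
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [ev for ev in evs if ev["id"] == 4625]
        burst_start = None
        for i in range(len(failures)):
            # count the failures that fall within `window` of failure i
            j = i
            while j < len(failures) and _ts(failures[j]) - _ts(failures[i]) <= window:
                j += 1
            if j - i >= threshold:
                burst_start = _ts(failures[i])
                break
        if burst_start is None:
            continue
        # a success from the same source after the burst began suggests the
        # password was guessed, which is the point at which the ransomware is run
        success = next(
            (ev for ev in evs if ev["id"] == 4624 and _ts(ev) >= burst_start), None
        )
        findings[src] = {
            "failed_attempts": len(failures),
            "users_tried": sorted({ev["user"] for ev in failures}),
            "success_after_burst": success["user"] if success else None,
        }
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

On the sample, only 203.0.113.7 is flagged: six failures across three account names inside forty seconds, then a successful logon as Administrator. The two failures from 198.51.100.5 are too far apart to count as a burst, and the console failures are filtered out because they are not RDP logons.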

This ransomware has been distributed since December 2017, although it had gone undetected. When encrypting user data it base64-encodes the file names, to make them harder to identify, and appends the extension .1btc.
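During triage it helps to be able to tell which files the ransomware renamed and what they were originally called. The helper below, added here as an example and not part of the original report, applies the naming scheme just described in reverse: it checks for the .1btc extension, decodes the stem as standard base64, and rejects anything that does not decode to a plausible file name. It assumes the whole original name is encoded with the standard base64 alphabet and that .1btc is simply appended; the article does not say whether the malware uses a different alphabet, and standard base64 can produce a "/" that is not valid in a Windows file name, so treat the alphabet as an assumption. The directory listing is constructed for the example.

```python
import base64
import binascii

LOCKCRYPT_EXT = ".1btc"

# Constructed directory listing. The two .1btc names are standard base64 of
# "Q4_budget.xlsx" and "photo.jpg" followed by the LockCrypt extension;
# the rest are untouched files and look-alikes that must not be mis-identified.
SAMPLE_LISTING = [
    "UTRfYnVkZ2V0Lnhsc3g=.1btc",
    "cGhvdG8uanBn.1btc",
    "readme.txt",
    "notes.1btc",     # ends in .1btc but the stem is not valid base64
    "AAAA.1btc",      # valid base64, but decodes to control bytes, not a name
]


def decode_lockcrypt_name(name):
    """Return the original file name if `name` is a LockCrypt-style name
    (base64 stem + .1btc), otherwise None."""
    if not name.endswith(LOCKCRYPT_EXT):
        return None
    stem = name[: -len(LOCKCRYPT_EXT)]
    try:
        raw = base64.b64decode(stem, validate=True)   # strict alphabet and padding
        original = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):      # not base64, or not text
        return None
    # a real file name is non-empty printable text without path separators
    if not original or any(ord(ch) < 32 or ch in '\\/:*?"<>|' for ch in original):
        return None
    return original


def triage_listing(names):
    """Split a listing into {encrypted name: recovered original} and the rest."""
    recovered, untouched = {}, []
    for name in names:
        original = decode_lockcrypt_name(name)
        if original is None:
            untouched.append(name)
        else:
            recovered[name] = original
    return recovered, untouched


if __name__ == "__main__":
    recovered, untouched = triage_listing(SAMPLE_LISTING)
    for enc, orig in recovered.items():
        print(f"{enc}  ->  {orig}")
    print("untouched:", untouched)
```

Recovering the original names does not recover the contents, which remain encrypted; it only tells you what was hit, which is what you need to decide what to restore from backup.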

It also drops a ransom note asking the victim to contact the attackers as soon as possible to negotiate the price of recovering the data (the price is not stated in the note, but judging by the extension it could be 0.1 BTC or 1 BTC), or to take up an "offer" to decrypt several computers at once.

Unfortunately, the data cannot be recovered for free, and there is little guarantee that the private key needed to recover it will actually be delivered after payment.

As in most cases, good cyber security habits can protect us from this threat.

Data security experts recommend the following. Make backup copies, kept where ransomware running on the machine cannot reach them; this is the only way to be sure you can recover from an infection. Do not open files received by e-mail until you are sure they are trustworthy. Scan files you receive or download with VirusTotal. Install all updates for Windows and for other applications, especially Java, Flash and web browsers. Use strong passwords so they cannot be guessed by brute force.

In addition, since this ransomware arrives through Remote Desktop services, if you do not normally connect to your PC remotely the best option is to make sure those services are disabled, so that nobody can connect through them. If you do need Remote Desktop, do not expose it directly to the Internet, and enable account lockout so that brute-force password guessing fails.