LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

November 9, 2017  |  Chris Doman

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers.

Initial reports of a new ransomware variant called LockCrypt started in June 2017. In October we saw an increase in infections.

LockCrypt doesn’t have heavy code overlaps with other ransomware. We've seen evidence that the attackers likely started out with easier-to-deploy “ransomware as a service” before re-investing in their own ransomware.

We have seen small businesses infected with LockCrypt in the US, UK, South Africa, India and the Philippines.

Initial Compromise

One target reported they were infected via RDP brute-forcing from a compromised mail server. The attackers then manually killed business critical processes for maximum damage.

We have seen lots of related activity from this IP:

(Screenshot: initial compromise with LockCrypt ransomware, showing related activity from the RDP brute-forcing IP)

The Targets

Targets have reported paying between 0.5 and 1 Bitcoin per server, which at the time of writing translates to over $5,000 per server. One business reported paying approximately $19,000 to recover three machines.

An earlier version included a Bitcoin address in the ransom note. That address received about $20,000 worth of Bitcoin from targets in July.

(Photo of an infected machine taken by a target, showing the ransom charged by LockCrypt)

Overview of Execution

(Screenshot: the pop-up window and ransom message provided by the attackers to targets)

LockCrypt encrypts files and renames them with a .lock extension. It also installs itself for persistence and deletes back-ups (volume shadow copies) to prevent an easy recovery.

It executes a batch file that kills every process not on a short whitelist, which is an aggressive form of anti-virus and sandbox evasion, and also stops the business applications whose files are about to be encrypted.

(Screenshot: the batch file LockCrypt runs at start to kill all non-core processes)

LockCrypt then sends base64-encoded information about the infected machine to a server in Iran.

Ransomware proliferation?

The first versions of LockCrypt used an e-mail address that was previously connected to Satan Ransomware, an easy-to-use “ransomware as a service”.

To get the decrypter you should pay for decrypt:

to send 1 bitcoin today (tomorrow 2 bitcoins) to bitcoin the address 1Nez7W9ashFL4BA7vHuA5aoaad9XtqHKCF

Send screenshot of payment to mail support stn_satan@aol.com or Satan-Stn@bitmessage.ch

All your files have been encrypted due to a security problem with your PC

If you want to restore them, write us to the e-mail support stn_satan@aol.com or Satan-Stn@bitmessage.ch

Left - A ransom note from Satan Ransomware; Right - A ransom note from LockCrypt ransomware with matching contact details - A targeted business lost their accounting records to this malware

Many fear that ransomware creation services such as Satan could lead to attackers re-investing their criminal gain into more sophisticated schemes. It’s possible that has happened in this case.

Coincidentally, AlienVault recently discussed the threat posed by Satan ransomware in an interview with the BBC. Here's what the creation process looks like:

(Screenshot: the Satan Ransomware creation page)

Prevention and Detection

Preventing RDP brute-forcing requires basic security hygiene such as:

  • Consider enforcing complex passwords and two-factor authentication on RDP access
  • Don’t allow incoming RDP connections from anywhere on the internet
  • Consider locking out users that have numerous failed login attempts

We have provided Yara signatures, file hashes, payment e-mail addresses and Bitcoin addresses below.

How to detect these malicious behaviours in general

Indicators of compromise are useful for tracking a known campaign, but poor at catching the next one; behavioural detections age better. Below we show how we detect LockCrypt in USM Anywhere:

(Screenshots: how USM Anywhere detects LockCrypt; mass process killing by LockCrypt; USM Anywhere detecting LockCrypt by a failed logon to a nonexistent account)
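The behaviours this post describes (a burst of failed RDP logons, including logons to accounts that do not exist, a successful logon, then mass process killing and deletion of volume shadow copies) can be expressed as simple windowed rules over Windows Security event logs. The following Python is an added example written for this page; it is not AlienVault's USM Anywhere rule set and contains nothing from the LockCrypt samples. The log format, the field names (src, user, substatus, logontype, cmd), the thresholds and the vssadmin/wmic command lines are assumptions chosen for illustration, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry: Windows Security events reduced
# to "<timestamp> <EventID> key=value ...". 4625 = failed logon, 4624 = logon,
# 4688 = process creation (cmd only exists when command-line auditing is on).
# logontype=10 is RemoteInteractive, i.e. RDP. substatus is the NTSTATUS code
# from the 4625 event: 0xC0000064 = no such account, 0xC000006A = bad password.
SAMPLE_LOG = """\
2017-10-20T02:00:01 4625 src=203.0.113.7 user=administrator substatus=0xC000006A logontype=10
2017-10-20T02:00:02 4625 src=203.0.113.7 user=admin substatus=0xC0000064 logontype=10
2017-10-20T02:00:03 4625 src=203.0.113.7 user=backup substatus=0xC0000064 logontype=10
2017-10-20T02:00:04 4625 src=203.0.113.7 user=sqlsvc substatus=0xC0000064 logontype=10
2017-10-20T02:00:05 4625 src=203.0.113.7 user=scan substatus=0xC0000064 logontype=10
2017-10-20T02:00:06 4625 src=203.0.113.7 user=test substatus=0xC0000064 logontype=10
2017-10-20T02:00:07 4625 src=203.0.113.7 user=administrator substatus=0xC000006A logontype=10
2017-10-20T02:00:08 4625 src=203.0.113.7 user=administrator substatus=0xC000006A logontype=10
2017-10-20T02:00:09 4624 src=203.0.113.7 user=administrator logontype=10
2017-10-20T02:04:00 4688 user=administrator cmd=taskkill /f /im sqlservr.exe
2017-10-20T02:04:00 4688 user=administrator cmd=taskkill /f /im w3wp.exe
2017-10-20T02:04:01 4688 user=administrator cmd=taskkill /f /im outlook.exe
2017-10-20T02:04:01 4688 user=administrator cmd=taskkill /f /im excel.exe
2017-10-20T02:04:02 4688 user=administrator cmd=taskkill /f /im MsMpEng.exe
2017-10-20T02:04:05 4688 user=administrator cmd=vssadmin delete shadows /all /quiet
2017-10-20T09:14:00 4625 src=198.51.100.5 user=jsmith substatus=0xC000006A logontype=10
"""

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value, values may contain spaces
IMAGE_RE = re.compile(r"/im\s+(\S+)", re.IGNORECASE)  # image name in "taskkill /im <name>"

def parse_log(text):
    """Parse the simplified format into event dicts sorted by timestamp."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, eid, rest = line.split(" ", 2)
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"], ev["id"] = datetime.fromisoformat(ts), eid
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def _push(recent, key, ev, window):
    """Append ev to the per-key sliding window, expire old events, return it."""
    q = recent[key]
    q.append(ev)
    while ev["ts"] - q[0]["ts"] > window:
        q.popleft()
    return q

def detect_rdp_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Flag a source IP with >= threshold failed RDP logons inside the window.
    The alert records how many targeted accounts that do not exist (a wordlist,
    not a mistyped password) and whether a successful RDP logon followed."""
    alerts, recent = {}, defaultdict(deque)
    for ev in events:
        if ev.get("logontype") != "10":
            continue
        src = ev["src"]
        if ev["id"] == "4624" and src in alerts:
            alerts[src]["followed_by_success"] = True
        elif ev["id"] == "4625":
            q = _push(recent, src, ev, window)
            if len(q) >= threshold:
                alerts[src] = {
                    "failures": len(q),
                    "nonexistent_accounts": sum(e.get("substatus") == "0xC0000064" for e in q),
                    "users": sorted({e["user"] for e in q}),
                    "followed_by_success": alerts.get(src, {}).get("followed_by_success", False),
                }
    return alerts

def detect_mass_process_kill(events, window=timedelta(seconds=30), threshold=5):
    """Flag a user running >= threshold taskkill commands inside the window,
    which is what LockCrypt's process-killing batch file looks like in 4688."""
    alerts, recent = {}, defaultdict(deque)
    for ev in events:
        if ev["id"] == "4688" and ev.get("cmd", "").lower().startswith("taskkill"):
            q = _push(recent, ev["user"], ev, window)
            if len(q) >= threshold:
                matches = [IMAGE_RE.search(e["cmd"]) for e in q]
                alerts[ev["user"]] = {"kills": len(q),
                                      "targets": [m.group(1) for m in matches if m]}
    return alerts

def detect_shadow_copy_deletion(events):
    """Return (user, cmd) for process creations that delete volume shadow copies.
    The vssadmin/wmic patterns are assumed typical command lines; the post only
    states that LockCrypt deletes shadow copies."""
    return [(ev["user"], ev["cmd"]) for ev in events if ev["id"] == "4688" and
            re.search(r"vssadmin.*delete shadows|wmic.*shadowcopy delete",
                      ev.get("cmd", ""), re.IGNORECASE)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for detector in (detect_rdp_bruteforce, detect_mass_process_kill, detect_shadow_copy_deletion):
        print(detector.__name__, detector(evs))
```

Three practical caveats when porting this to real event data: with Network Level Authentication enabled, failed RDP attempts are often logged as logon type 3 rather than 10, so the filter should accept both; the cmd field only exists if "Include command line in process creation events" is enabled (or Sysmon event 1 is used instead); and the highest-value alert is the brute-force burst followed by a successful 4624 from the same source, which is why the example carries that flag through.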

Yara rules for file detection

rule lockcrypt {
    strings:
        $a = "taskkill /f /im bcn1.exe" nocase wide ascii
        $mz = { 4d 5a }
    condition:
        $mz at 0 and $a
}

rule lockcrypt_text {
    strings:
        $a = "Set WhiteList=Microsoft.ActiveDirectory.WebServices.exe:cmd.exe" nocase wide ascii
        $b = "You have to pay for decryption in Bitcoins. The price dependson" nocase wide ascii
    condition:
        any of them
}

rule lockcrypt_installer_packer {
    strings:
        $a = "c:\\users\\nachalnik\\documents\\visual" nocase wide ascii
        $b = "WshShell.Run chr(34) & \"bcn1.exe\" & Chr(34), 0" nocase wide ascii
    condition:
        any of them
}


Bitcoin Addresses

E-Mail Addresses

File Hashes

IP Addresses Performing RDP Brute-Force Attacks

You can view IP addresses associated with related attacks here.

Ransom Note

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail support: jajanielse@aol.com or jajanielse@bitmessage.ch

Write this ID in the title of your message

In case of no answer in 24 hours write us to theese e-mails support: jajanielse@aol.com or jajanielse@bitmessage.ch

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 10Mb (non-archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.

Also you can find other places to buy Bitcoins and beginners guide here:

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Your ID


LockCrypt ransomware doesn’t appear to be targeted: the attackers opportunistically infect servers that expose RDP. But they do show an interest in manually interacting with systems for maximum impact, and the excessive fees they charge can put businesses that can’t afford to pay out of operation. We’ve provided details above on how to detect LockCrypt, and others like it.
