How LockCrypt Works: Analyzing the Code Behind the Encryption
LockCrypt is a sophisticated strain of ransomware known for targeting corporate networks through compromised Remote Desktop Protocol (RDP) credentials. Once inside a system, it systematically encrypts user data and demands a cryptocurrency ransom. Understanding how LockCrypt operates requires a deep dive into its execution flow, architectural design, and the specific cryptographic mechanics found within its code.

1. Initial Access and Environment Reconnaissance
LockCrypt does not typically rely on automated phishing campaigns. Instead, threat actors deploy it manually after gaining access to a target network.

Security Tool Evasion
Upon execution, the malware attempts to elevate its privileges and disable security software. The code checks for the presence of specific antivirus processes and terminates them. It also executes shell commands to delete Volume Shadow Copies (vssadmin.exe delete shadows /all /quiet), ensuring the victim cannot easily restore files without the decryption key.

Process Termination
To maximize the number of files available for encryption, LockCrypt iterates through running processes. It forces the closure of database servers, mail clients, and office applications (such as Microsoft SQL Server, MySQL, and Exchange). This unlocks active data files, making them vulnerable to the encryption routine.

2. The File Discovery Mechanism
LockCrypt uses a multithreaded directory traversal routine to scan local drives and connected network shares quickly.
[Start Scan] ──> [Enumerate Logical Drives] ──> [Recursive Directory Search]
                                                            │
                                              ┌─────────────┴─────────────┐
                                              ▼                           ▼
                                     [Match Blacklist?]          [Match Whitelist?]
                                              │                           │
                                           (Skip)                     (Encrypt)
The Whitelist: The code avoids encrypting critical system files to prevent operating system crashes before the ransom note is displayed. It skips directories such as C:\Windows, files such as NTUSER.DAT, and anything with an .exe or .dll extension.
The Target List: It prioritizes user documents, databases, archives, and financial records.

3. Code Analysis: The Encryption Routine
The core of LockCrypt’s payload relies on a hybrid encryption scheme. It combines a symmetric cipher for speed with an asymmetric cipher for secure key protection.

Symmetric File Encryption (AES or Custom Feistel)
Depending on the specific variant of LockCrypt (such as the older LockCrypt 1.0 vs. newer variants), the malware uses either standard AES-256 or a customized block cipher built on a Feistel structure.
The code maps files into memory or processes them in specific chunk sizes (often 0x10000 bytes) to maintain high performance. A unique symmetric key is generated dynamically in memory for every single file using a cryptographically secure pseudo-random number generator (CSPRNG).

Asymmetric Key Wrapping (RSA)
The symmetric key cannot be left on the system, nor can it be sent over the network in plaintext. To secure it, LockCrypt embeds a hardcoded RSA Public Key belonging to the attackers inside its binary. For each file, the routine proceeds as follows:
1. The malware generates a unique local AES key for the file.
2. It encrypts the file contents with this AES key.
3. It encrypts (wraps) the AES key using the embedded RSA Public Key.
4. It appends the encrypted key block to the end of the locked file.
Because the RSA wrapping cannot be reversed without the corresponding RSA Private Key, only the attackers (who hold that private key) can recover the per-file AES key and therefore the file contents.
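As an added example, not code from the original article and not LockCrypt's own code, the following Python detection logic runs over constructed Sysmon-style process events and flags the two pre-encryption behaviours described in section 1: the vssadmin shadow-copy deletion and the burst of database/mail server terminations that precedes file encryption. The flat event field names and the server image names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style telemetry, not real logs. Sysmon event 1 = process
# create, event 5 = process terminate; the flat field names are a simplification.
SAMPLE_EVENTS = [
    {"event": 1, "time": "2024-01-05T02:14:03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": '"vssadmin.exe" Delete Shadows /All /Quiet'},
    {"event": 5, "time": "2024-01-05T02:14:05",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"event": 5, "time": "2024-01-05T02:14:06", "image": r"C:\Program Files\MySQL\bin\mysqld.exe"},
    {"event": 5, "time": "2024-01-05T02:14:07",
     "image": r"C:\Program Files\Microsoft\Exchange Server\Bin\Microsoft.Exchange.Store.Worker.exe"},
    # Benign administrator activity that must not fire: listing shadows is not deleting them.
    {"event": 1, "time": "2024-01-05T02:20:00", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Matches the recovery-inhibition command quoted in the article, tolerating quotes and case.
SHADOW_DELETE = re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.IGNORECASE)
# Assumed image names for the server classes the article says are killed (SQL Server, MySQL, Exchange).
SERVER_IMAGES = {"sqlservr.exe", "mysqld.exe", "microsoft.exchange.store.worker.exe"}

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_shadow_deletion(events):
    """Return the command lines that delete Volume Shadow Copies."""
    return [e["cmdline"] for e in events
            if e["event"] == 1 and SHADOW_DELETE.search(e.get("cmdline", ""))]

def detect_service_kill_burst(events, window_s=60, min_distinct=2):
    """Return the distinct data-server images terminated inside one window, or [] if none.
    Several different servers dying within seconds is the 'unlock data files' step."""
    kills = sorted((datetime.fromisoformat(e["time"]), _basename(e["image"]))
                   for e in events if e["event"] == 5 and _basename(e["image"]) in SERVER_IMAGES)
    for i, (t0, _) in enumerate(kills):
        names = {name for t, name in kills[i:] if t - t0 <= timedelta(seconds=window_s)}
        if len(names) >= min_distinct:
            return sorted(names)
    return []

def triage(events):
    """Combine both signals; shadow deletion plus a kill burst is the pre-encryption pattern."""
    shadow = detect_shadow_deletion(events)
    burst = detect_service_kill_burst(events)
    severity = "high" if shadow and burst else "medium" if shadow or burst else "none"
    return {"severity": severity, "shadow_delete": shadow, "killed_services": burst}
```

Both signals occur before any file is encrypted, so an alert on the combined pattern gives responders a window to isolate the host.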