LockOn Decryptor

If you watched Envoyé Spécial on 14-DEC-2017, you might have noticed the following piece of ransomware being used: 5691844cacd14051ddd92ae5e50b13cf.

This malware is non-functional (merely a test); it will only encrypt files under C:\testrw.

Nevertheless, here is a decryption tool that might come in handy:

  1. Check out Program.cs
  2. Compile with C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Program.cs (requires .NET Framework 4.0).
  3. Locate windowsdefender.bin master key file (usually located in %TEMP%).
  4. Decrypt individual files, e.g. Program.exe encrypted.lockon.
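
The steps above can be wrapped in a recovery script that confirms the master key is present and keeps untouched copies of the key and of every encrypted file before the decryptor runs. This is an added example, not part of the original tool; it assumes encrypted files carry the .lockon extension seen in step 4, that Program.exe is in the current directory, and that it takes the encrypted file as its only argument.

```powershell
# Added example: batch wrapper around the compiled decryptor from steps 1-4.
# Assumptions (not stated on the page): encrypted files end in .lockon as in the
# step-4 example, Program.exe sits in the current directory, and it is invoked
# with one argument (the encrypted file). How Program.exe finds the key is not
# stated on the page; this script only confirms the key exists in %TEMP%.
$ErrorActionPreference = 'Stop'

$target    = 'C:\testrw'                                 # only folder the sample encrypts
$keyFile   = Join-Path $env:TEMP 'windowsdefender.bin'   # usual master key location
$decryptor = Join-Path (Get-Location) 'Program.exe'
$backupDir = Join-Path $env:USERPROFILE ('lockon-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

if (-not (Test-Path -LiteralPath $keyFile -PathType Leaf)) {
    throw "Master key not found at $keyFile; locate windowsdefender.bin before continuing."
}
if (-not (Test-Path -LiteralPath $decryptor -PathType Leaf)) {
    throw "Program.exe not found in $(Get-Location); compile Program.cs first."
}

# Preserve the key and every encrypted file before touching anything.
New-Item -ItemType Directory -Path $backupDir | Out-Null
Copy-Item -LiteralPath $keyFile -Destination $backupDir

$files = @(Get-ChildItem -LiteralPath $target -Recurse -File -Filter '*.lockon')
foreach ($f in $files) {
    # Mirror the relative path so same-named files in different folders do not collide.
    $rel  = $f.FullName.Substring($target.Length).TrimStart('\')
    $dest = Join-Path $backupDir $rel
    New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $f.FullName -Destination $dest

    # Run the decryptor exactly as step 4 shows and record its exit code.
    & $decryptor $f.FullName
    [pscustomobject]@{ File = $f.FullName; ExitCode = $LASTEXITCODE; Backup = $dest }
}
Write-Host "Processed $($files.Count) file(s); untouched copies are in $backupDir"
```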

PS. There is another weakness in the software, but this one was the most straightforward to exploit.