LockCrypt Ransomware: Overview, Weak Cryptography and Recovery Options

Overview — LockCrypt

  • Type: Ransomware family (also known as EncryptServer2018), first observed mid‑2017.
  • Distribution: Typically by brute‑forcing exposed Remote Desktop Protocol (RDP) credentials; the operators then install and run the ransomware by hand on the compromised host.
  • Behavior: Encrypts many file types, renames each file to a Base64-like encoding of its original name plus a victim ID (extensions seen: .lock, .1btc, .mich, .2018, .bi_d), drops ransom notes (e.g., ReadMe.txt) and displays a ransom pop-up.
  • Cryptography: Early LockCrypt variants use a custom, home‑made cipher rather than a vetted algorithm, with two notable weaknesses: the "pad" that file bytes are combined with is not cryptographically generated and is reused across files, and the PRNG behind it is poor. Because one pad protects many files, an analyst who holds an unencrypted copy of any one encrypted file can recover the pad and decrypt the rest; researchers used this to build decryptors for some subvariants. Later variants reportedly improved the encryption, and that shortcut does not apply to them.
  • Decryptability / Tools: Bitdefender, Unit 42 (Palo Alto Networks) and Malwarebytes analyzed LockCrypt and published recovery guidance and decryptors for certain subvariants (Bitdefender released a tool covering some extensions; Unit 42 and others published analysis and scripts for recovery when known plaintext is available). Not all subvariants are decryptable.
  • Indicators / filenames: Encrypted filenames have the form <Base64‑like original name>=ID<16‑character identifier>.<new extension>. Ransom notes are commonly named ReadMe.txt, Restore Files.txt or How To Restore Files.txt.
  • Mitigation & response:
    1. Isolate infected machines immediately (disconnect them from the network, which also cuts the operator's RDP session).
    2. Do not pay the ransom; payment does not guarantee recovery.
    3. Use reputable AV/EDR to remove the ransomware binary. Because the usual entry point is brute‑forced RDP, also reset the credentials that were guessed and stop exposing RDP directly to the internet before bringing systems back.
    4. If you have backups, restore from copies taken before the intrusion, after confirming they were not reachable from the infected host.
    5. For some LockCrypt variants, try the vendor decryptors (Bitdefender) or the published recovery scripts. The scripts need known plaintext, i.e. an unencrypted copy of at least one of the encrypted files (from e‑mail, install media or another machine), plus some technical skill. Engage incident‑response specialists if needed.
  • References: Analyses and tools from Malwarebytes, Unit42 (Palo Alto Networks), Bitdefender, and forensic writeups (2017–2025 reporting).
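The known-plaintext recovery that the Cryptography bullet describes, as an added illustration that is not code from the page or from any vendor's decryptor. It models the weakness in simplified form: one pad per infection, every file XORed against it, the pad repeating when a file is longer. The pad size (64 bytes), the XOR-only construction and the sample files are assumptions chosen for the demo; LockCrypt's real cipher has more steps and a different pad length. The partial case shows what happens when the known plaintext is shorter than the pad: only the positions it covers come back, and the function says so instead of returning garbage silently.

```python
"""Known-plaintext recovery against a reused XOR pad.

Simplified model of the weakness described above, not LockCrypt's actual cipher:
one pad is generated per infection and every file is XORed against it, the pad
repeating when the file is longer than the pad.
"""
from __future__ import annotations

PAD_LEN = 64  # assumed toy pad size for the demo


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    """C[i] = P[i] XOR pad[i mod len(pad)]; the same call decrypts."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def recover_pad(known_plain: bytes, its_cipher: bytes, pad_len: int) -> tuple[bytearray, list[bool]]:
    """Recover pad bytes from one (plaintext, ciphertext) pair of the same file.

    Returns (pad, known): known[j] is True where pad[j] was recovered. A known
    plaintext shorter than the pad yields only a partial pad. If a pad position
    is covered twice with different values, the reused-pad assumption is wrong.
    """
    if len(known_plain) != len(its_cipher):
        raise ValueError("known plaintext and its ciphertext must have equal length")
    pad = bytearray(pad_len)
    known = [False] * pad_len
    for i, (p, c) in enumerate(zip(known_plain, its_cipher)):
        j = i % pad_len
        k = p ^ c
        if known[j] and pad[j] != k:
            raise ValueError(f"pad byte {j} differs between repeats; pad is not reused as assumed")
        pad[j], known[j] = k, True
    return pad, known


def decrypt_with_partial_pad(cipher: bytes, pad: bytearray, known: list[bool]) -> tuple[bytes, int]:
    """Decrypt every byte whose pad position is known; unknown positions become '?'.

    Returns (plaintext, recovered_byte_count) so the caller can distinguish a
    full recovery from a partial one.
    """
    out = bytearray(len(cipher))
    recovered = 0
    for i, c in enumerate(cipher):
        j = i % len(pad)
        if known[j]:
            out[i] = c ^ pad[j]
            recovered += 1
        else:
            out[i] = ord("?")
    return bytes(out), recovered


def demo() -> dict:
    """Full and partial recovery on two constructed sample files."""
    # Pad the 'malware' used; unknown to the analyst, built deterministically for the demo.
    secret_pad = bytes((i * 37 + 11) % 256 for i in range(PAD_LEN))
    # Constructed samples: file_a also exists unencrypted elsewhere (mail, install media);
    # file_b is the victim's only copy.
    file_a = b"%PDF-1.4\n" + b"%% constructed known-plaintext sample\n" * 3
    file_b = (b"Quarterly figures, board draft. " * 4)[:100]
    ct_a, ct_b = xor_with_pad(file_a, secret_pad), xor_with_pad(file_b, secret_pad)

    # Case 1: known file is at least one pad long -> whole pad, whole file_b.
    pad, known = recover_pad(file_a, ct_a, PAD_LEN)
    plain_b, n_full = decrypt_with_partial_pad(ct_b, pad, known)

    # Case 2: only the first 40 bytes of file_a are known -> 40 pad bytes, and only
    # the positions of file_b that land on them (0..39 and 64..99) come back.
    pad2, known2 = recover_pad(file_a[:40], ct_a[:40], PAD_LEN)
    partial_b, n_part = decrypt_with_partial_pad(ct_b, pad2, known2)

    return {
        "pad_recovered": bytes(pad) == secret_pad,
        "file_b_recovered": plain_b == file_b,
        "full_count": n_full,
        "partial_count": n_part,
        "partial_prefix_ok": partial_b[:40] == file_b[:40],
        "len_b": len(file_b),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the partial case: a decryptor built this way is only as good as the longest known plaintext you can find, so collecting several clean copies of encrypted files (headers of common formats count too) widens coverage before any vendor tool is even considered.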
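Triage of a directory listing against the filename pattern in the Indicators bullet, as an added example that is not code from the page or from any vendor. It assumes the pattern <Base64-like original name>=ID<16-character id>.<extension> with standard or URL-safe Base64; the real encoding is only "Base64-like", so anything that does not decode cleanly is reported rather than guessed. The sample listing is constructed. One caveat the code enforces: the encoded original name is attacker-controlled, so it is reduced to a bare file name before anyone uses it to rename a restored file.

```python
"""Triage of LockCrypt-style encrypted filenames.

Added example following the naming pattern given above, not tooling from any
vendor: <Base64-like original name>=ID<16-char id>.<ext>. The delimiters and
the Base64 alphabet are assumptions; names that do not fit are reported as such.
"""
from __future__ import annotations

import base64
import binascii
import posixpath
import re
from dataclasses import dataclass

KNOWN_EXTENSIONS = {"lock", "1btc", "mich", "2018", "bi_d"}  # extensions listed above

# Greedy Base64 run with optional padding, literal "=ID", 16-char id, extension.
NAME_RE = re.compile(
    r"^(?P<b64>[A-Za-z0-9+/_-]+={0,2})=ID(?P<id>[A-Za-z0-9]{16})\.(?P<ext>[A-Za-z0-9_]+)$"
)


@dataclass
class EncryptedName:
    original_name: str | None  # None if the Base64 part did not decode to clean text
    victim_id: str
    extension: str
    known_extension: bool
    sanitized: bool  # True if path components were stripped from the decoded name


def _decode_name(b64: str) -> str | None:
    """Try standard, then URL-safe Base64; accept only printable UTF-8 text."""
    for cand in (b64, b64.replace("-", "+").replace("_", "/")):
        try:
            raw = base64.b64decode(cand, validate=True)
        except binascii.Error:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            return None
        return text if text and all(ch.isprintable() for ch in text) else None
    return None


def parse_encrypted_name(filename: str) -> EncryptedName | None:
    """Split one encrypted filename; None if it does not follow the pattern."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    name = _decode_name(m["b64"])
    sanitized = False
    if name is not None:
        # The encoded name is attacker-controlled: keep the final path component only
        # so a crafted name like ../../evil.exe cannot steer where a file is restored.
        base = posixpath.basename(name.replace("\\", "/"))
        sanitized = base != name
        name = base or None
    ext = m["ext"]
    return EncryptedName(name, m["id"], ext, ext in KNOWN_EXTENSIONS, sanitized)


def summarize(filenames: list[str]) -> dict:
    """Group a listing by extension and victim ID: the facts to check against decryptor coverage."""
    by_ext: dict[str, int] = {}
    victim_ids: set[str] = set()
    unparsed: list[str] = []
    original_names: list[str] = []
    for f in filenames:
        e = parse_encrypted_name(f)
        if e is None:
            unparsed.append(f)
            continue
        by_ext[e.extension] = by_ext.get(e.extension, 0) + 1
        victim_ids.add(e.victim_id)
        if e.original_name:
            original_names.append(e.original_name)
    return {
        "by_extension": by_ext,
        "victim_ids": sorted(victim_ids),
        "unparsed": unparsed,
        "original_names": original_names,
    }


# Constructed directory listing for the demo (not real samples).
SAMPLE_LISTING = [
    "aGVsbG8udHh0=IDAbCdEfGh12345678.lock",          # hello.txt
    "cmVwb3J0LmRvY3g==IDAbCdEfGh12345678.lock",      # report.docx (Base64 padding before =ID)
    "Li4vLi4vZXZpbC5leGU==IDAbCdEfGh12345678.lock",  # ../../evil.exe, a crafted name
    "ReadMe.txt",                                    # ransom note, not an encrypted file
    "cmVwb3J0LmRvY3g==IDZz9Qw8Kp2Lm4Rt7V.1btc",      # second victim ID, different subvariant
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LISTING))
```

Run over a real listing, the summary gives you the two things worth looking up before trying any tool: which extension (hence which subvariant) you are dealing with, and whether more than one victim ID is present, which would mean more than one infection and possibly more than one pad.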
