Malwarebytes researchers discovered a weakness in the LockCrypt ransomware which enabled them to recover victims' files.
The malware has remained more or less under the radar since June 2017 and is spread via RDP brute-force attacks, after which it must be installed manually, according to an April 4, 2018 blog post.
Researchers discovered a sample of the malware that was neither obfuscated nor encrypted, which allowed them to see where the ransomware's authors had attempted to write their own cryptography; that home-grown scheme is what allows victims to recover their data in some cases.
The malware contained a buffer of bytes meant to pad the encryption scheme, similar to a one-time pad, but the buffer instead made the algorithm vulnerable to a plaintext attack.
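To make the weakness concrete, the following is an added illustration (not the article's or Malwarebytes' code, and not LockCrypt's actual algorithm) of why a fixed pad buffer that is reused across files falls to a known-plaintext attack: XORing ciphertext with any known plaintext reveals the pad bytes, which then decrypt every other file. The pad length, the file contents and the function names are constructed assumptions.

```python
import os

PAD_LEN = 16  # hypothetical pad size; the article does not state LockCrypt's buffer length


def pad_encrypt(data: bytes, pad: bytes) -> bytes:
    """Flawed scheme: XOR with a fixed pad that repeats every len(pad) bytes
    and is reused for every file. XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def recover_pad(samples, pad_len: int) -> dict:
    """Known-plaintext recovery: for each (ciphertext, known_plaintext_prefix)
    pair, C[i] XOR P[i] reveals pad[i % pad_len]. Known plaintext can come from
    a standard file header or from an unencrypted backup copy of one file."""
    pad = {}
    for ciphertext, known in samples:
        for i, (c, p) in enumerate(zip(ciphertext, known)):
            pad.setdefault(i % pad_len, c ^ p)
    return pad


def decrypt_with_pad(ciphertext: bytes, pad: dict, pad_len: int) -> bytes:
    """Decrypt the positions whose pad byte is known; unknown positions are
    left as b'?' so it is visible how much known plaintext is still missing."""
    out = bytearray()
    for i, c in enumerate(ciphertext):
        k = pad.get(i % pad_len)
        out.append(c ^ k if k is not None else ord("?"))
    return bytes(out)


def demo():
    secret_pad = os.urandom(PAD_LEN)  # the ransomware's pad, unknown to the victim
    # Constructed victim files with well-known headers (PDF and PNG magic bytes).
    doc = b"%PDF-1.7\n" + b"budget figures " * 4
    photo = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(40))
    enc_doc, enc_photo = pad_encrypt(doc, secret_pad), pad_encrypt(photo, secret_pad)
    # Headers alone reveal only the first few pad bytes (9 for the PDF, 8 for the PNG).
    partial = recover_pad([(enc_doc, doc[:9]), (enc_photo, photo[:8])], PAD_LEN)
    # One fully known file (a backup copy of doc) yields the entire pad,
    # which then decrypts the photo that had no backup.
    full = recover_pad([(enc_doc, doc)], PAD_LEN)
    return len(partial), decrypt_with_pad(enc_photo, full, PAD_LEN) == photo
```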
Researchers described LockCrypt as another simple ransomware created and used by unsophisticated attackers.
“Authors don’t take much time preparing the attack or the payload,” researchers said in the report. “Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run.”
The researchers went on to say that such sloppy, unprofessional code is commonplace when ransomware is created for manual distribution.