LightningCrypt is distributed through email spam and malicious attachments, spoofed downloads, exploits, web injects, fake updates, repackaged and infected installers.
Once LightningCrypt has encrypted the victim's files, it demands payment of a large ransom by displaying a ransom note on the victim's computer. The files affected by the LightningCrypt attack are easy to identify because LightningCrypt adds the file extension '.LIGHTNING' to the end of each affected file's name. LightningCrypt also creates a text file on the victim's desktop. This file, named 'LightningCrypt_Recover_Instructions.txt', includes instructions on how to pay the ransom required to recover from the LightningCrypt attack. Apart from this text file, LightningCrypt also displays its ransom note in the form of a pop-up message.
LightningCrypt demands a payment of 0.17 Bitcoin, which corresponds to several hundred US dollars at the current exchange rate. LightningCrypt's ransom note claims that attempting to restore the files manually will result in their deletion, a typical threat observed in many of these attacks. However, LightningCrypt encrypts the victim's files using a strong encryption method, making it impractical to recover the files once they have been affected.
The following is the full message contained in the LightningCrypt Ransomware's ransom note:
@@LIGHTNINGDECRYPT@@ YOU BECAME A VICTIM OF the LightningCrypt Ransomware! ALL YOUR FILES HAVE BEEN ENCRYPTED FOR EACH TRY TO FO ANYTHING I WILL DELETE FILES PAY 0.17 BITCOINS TO THIS ADDRESS: 1LSgvYFY7SDNje2Mhsm51FxhqPsbvXB YOU CAN BUY BITCOINS ON 'BLOCKCHAIN.INFO' SEND YOUR UNIQUE ID IN THE DESCRIPTION OF THE BITCOIN PAYMENT YOU CAN FIND THEM IN YOUR DESKTOP IN 'LIGHTNINGCRYPT_UNIQUEID.TXT' AFTER THE PAYMENT YOUR FILES WILL BE DECRYPTED! HAVE FUN 😉 PAY 0.17 Bitcoins to: 1LSgvYFY7SDNje2Mhsm51FxhqPsbvXB
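The file names described above (the '.LIGHTNING' extension, 'LightningCrypt_Recover_Instructions.txt' and the 'LIGHTNINGCRYPT_UNIQUEID.TXT' file mentioned in the note) can be swept for when scoping an incident. The following Python code is an added example, not part of the original write-up; the function name `triage` and the returned field names are assumptions made for illustration.

```python
import os
from collections import Counter
from datetime import datetime, timezone

# Indicators taken from the description above; matched case-insensitively
# because the note itself spells the ID file name in upper case.
ENCRYPTED_SUFFIX = ".lightning"
NOTE_NAME = "lightningcrypt_recover_instructions.txt"
ID_NAME = "lightningcrypt_uniqueid.txt"


def triage(root):
    """Walk `root` and summarise LightningCrypt file-system artifacts."""
    encrypted, notes, id_files = [], [], []
    per_dir = Counter()
    first_seen = None  # earliest mtime among '.LIGHTNING' files

    # onerror: skip unreadable directories instead of aborting the sweep
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower == ID_NAME:
                id_files.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                per_dir[dirpath] += 1
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable file: counted, but no timestamp
                if first_seen is None or mtime < first_seen:
                    first_seen = mtime

    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "id_files": sorted(id_files),
        "worst_dirs": per_dir.most_common(5),
        # Assumption: mtimes were not altered after the files were written.
        "first_seen_utc": (
            datetime.fromtimestamp(first_seen, tz=timezone.utc)
            if first_seen is not None else None
        ),
    }
```

Run `triage()` against a read-only mount of the affected volume or a user profile directory; the earliest timestamp gives a starting point for the incident timeline, and the per-directory counts show where restoration from backup is needed.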