Registry Keys keeps re-appearing after removal

@ Exfso,

I realize this topic is outdated but, since this is an ongoing issue with others who are infected with Locky....

Out of curiosity, did you get this resolved? If so, what was the final resolution\cause for those keys regeneration?

Donna :)

Hello BillH651,

After extensive research, I came to the conclusion that these registry keys are associated with BitDefender Anti-Ransomeware (BDAR). To prevent from having to type out what I posted at another forum, I will just copy and paste my findings below:

You confirmed my thoughts when you pointed out that you uninstalled BDAR, deleted the reg keys, rebooted and they never came back. That alone proves that the technician you spoke with at BD was in the dark about the newest updates to BDAR. I am not only surprised but very disappointed that the technician had no knowledge of BDAR creating these registry keys.

Please read the articles in SecurityWeek and SpiceWorks. Both articles discuss the following:

As disclosed in SecurityWeek;

However, what users could do is to create the HKCU\Software\Locky registry key, which is the first thing that the ransomware tries to create on the compromised machine. The malware terminates if the creation process fails, and having the registry key already present on the computer ensures that the malicious application is not executed.

As disclosed in SpiceWorks;

At present, however, it works by taking advantage of a slew of built-in tests shared by Locky, TeslaCrypt, and CTB-Locker, which scan their host computer to see if it is already infected. "The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker," Computerworld writes.

You said that you read the BiteDefender article I shared with my associates. If you read it thoroughly then I am sure you came across the following comment by David:

62. David says:
April 4, 2016 at 12:35 pm

I’ve read article
Free Bitdefender tool protects against ransomware infections | PCWorld
but still want to know how does it actually do?
“The new Bitdefender tool takes advantage of these ransomware checks by making it appear as if computers are already infected with current variants of Locky, TeslaCrypt or CTB-Locker. This prevents those programs from infecting them again.”

What does it “vaccines”? What part of Windows tells ransomware it is already infected by it?

I am almost certain that he also started the topic found at Simoch on the same day just hours later. Davidenko just shortened his name to David. If you have a look at his second post, he went out on a limb and installed BDAR to find out for himself since he wasn't getting the answers he needed to confirm his suspicions, just as you did by uninstalling BDAR.

The security guru's that be won't necessarily put this information out there in the internet for just anyone to find. As pointed out in the first paragraph of the SpiceWorks article:

The new Bitdefender Anti-Ransomware vaccine is built on the same principle as a previous tool that the company designed to prevent CryptoWall infections." That tool was later made obsolete and ineffective after CryptoWall's creators updated their ransomware. Something similar is expected to happen to Bitdefender's tool.

The sooner that the bad guys find out that the good guys created a vaccine they will alter the code and the good guys will have to start all over again trying to find out how the bad guys altered the code so the good guys can update their tools and release an update. Honestly, it is a never ending battle between the good and the bad.

Think about the BDAR vaccine from a medical point of view.. Researchers create vaccines using the virus itself then inoculate the human population with that vaccine. Since a potential victim already has the antibodies of any particular virus, such as the flu, diphtheria, measles, mumps, etc., the virus can detect this and the potential victim will not get the full blown virus, if at all.

Truly, I would not be worried that you are infected, BDAR creates those registry keys to prevent you from becoming infected. As pointed out in the SecurityWeek article, if the registry keys already exist on the computer the malware will terminate itself and the creation process fails.

If you really are that worried about becoming infected, protect yourself by creating back ups pf personal data that you just couldn't bear to live without. You could eve go as far as cloning your drive. Never a bad idea to have more than one back up.