ALERT: Is Your Network Infected With A Sleeper Ransomware Strain?
There is a new, challenging “sleeper” ransomware twist.
It’s called Locker and has been infecting employee’s workstations but sat there silently until midnight May 25, 2015 when it woke up. Locker then started to wreak havoc in a massive way.
Since this strain literally reared its ugly head, Reddit has a topic on it with over 600 comments. Bleepingcomputer has a support topic that is more than 30 pages long and they received 100s of emails from consultants all over the world. Based on their experience with cryptoware, they stated this strain has a large “installed” base, which does not bode well, Topics related to this new strain are suddenly being posted on all the major support boards, AV forums, etc.
It appears we have a new player in the Ransomware world, but they only charge 0.1 Bitcoin, something between 20 and 30 bucks. At the moment, it looks like the infection vector are compromised sports-websites that have exploit kits on them, and there is a compromised MineCraft installer out there.
Here is what it does:
- A series of Windows services are used to install Locker on the computer and encrypt data files.
- During the install process, Locker will check if the computer is virtual machine and terminate if detected.
- Encrypts data files with RSA encryption, and does not change the file extension.
- After the encryption it deletes your c:\ shadow volume copies and displays its ransom interface.
- If your backups failed and you are forced to pay the ransom, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.
The files that are encrypted are the following types: .doc, .docx, .xlsx, .ppt, .wmdb, .ai, .jpg, .psd, .nef, .odf, .raw, .pem, .rtf, .raf, .dbf, .header, .wmdb, .odb, .dbf, and again. Locker does not change the file extension so users will get error messages from their applications that the file is corrupted.
As you see on the screenshot below, it presents a scary message in red at the bottom of the screen stating: “Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!” This is just to force you into paying, not something to be too worried about. The amount is negligible, but the hassle and time is significant.
The initial discovery is very new and things are still somewhat murky, but we will keep you in the loop about any developments.