New Ransomware “Locker” Trying to Compete with Cryptolocker

Ransomware Security company, IntelCrawler recently discovered a new ransomware known as “Locker.” Similar to Cryptolocker, Locker demands a ransom fee of $150 to restore the files encrypted by the infection. Fortunately Locker’s encryption is potentially breakable.

Once Locker infects a PC, the victim’s documents are copied and encrypted, creating a “perfect” extension and deleting the victim’s original document. The ransomware also places a contact.txt file in each directory containing the ransomware author’s contact details, so victims can easily contact them to pay the ransom.

IMPORTANT!  If your computer is infected it’s important not to harass or threaten the ransomware author. Security experts suggest using the decryption key to unlock your files.  The ransomware author may delete your files if you harass or threaten them.

When IntelCrawler contacted the ransomware author, the company was told to pay the ransom fee to a Perfect Money or QIWI VISA Virtual Card number to receive the decryption key and restore the files.

When paying the ransom fee to decrypt files, victims must provide an identifying code written in the “contact.txt” file as well as the hostname of the infected computer. Locker authors run the ransomware using a network of command-and-control servers, and a combination of 256-bit AES and 2048-bit RSA crypto to encrypt the data.

IMPORTANT! Beware of drive-by downloads from compromised websites. Locker is spread through these downloads and is disguised as MP3 files.

Locker is less sophisticated than Cryptolocker, however it has attacked Windows-powered computers throughout the U.S.,—including in Washington D.C., Missouri, and Texas. Locker uses the TurboPower LockBox library, a cryptographic toolkit for Delphi that uses AES-CTR to encrypt the files on infected machines. However, vulnerabilities in the programming make it possible for security researchers to develop keys to decrypt files. However, Locker is smart enough to avoid machines running tools commonly used by security researchers.

IntelCrawler’s researchers are currently working on a universal remedy:

“We have found a decryption method and universal strings [keys] for decryption on any infected client,” said Andrey Komarov, IntelCrawler’s chief executive.

Mr. Komarov also explained that antivirus packages rarely detect the ransomware; as of this writing, Avira is the only antivirus program that can detect Locker.

For more information about how to protect your business against Locker, Cryptolocker and other ransomware, contact us and we will ensure your business is protected.