LOCKER Malware – Yet another new variant of Cryptolocker Ransomware
Ransomware is a threat to internet users that continues to grow in popularity with cyber criminals because of its success and monetary potential. This is nothing new and is to be expected. I have noticed many discussions on underground hacking forums about “How to create Ransomware like Cryptolocker malware” or “Malware – hacking tool-kit with ransomware features”.
Security intelligence provider IntelCrawler has discovered a new ransomware variant called Locker that demands $150 (£92) to restore the files it has encrypted.
Like Cryptolocker, this new ransomware is also nasty because infected users are in danger of losing their personal files forever.
Locker mainly spreads through drive-by downloads from compromised websites, disguises itself as MP3 files and uses system software vulnerabilities to infect the end user.
Once it has infected a system, the malware first checks whether the infected machine has an internet connection. It then encrypts the files on the infected device using AES-CTR, appends a “.perfect” extension to them and deletes the original files from the victim’s computer.
Locker’s encryption is based on the open source ‘TurboPower LockBox’ library. After encrypting all files, the malware places a “CONTACT.TXT” file in each directory, which provides the author’s contact details for buying the decryption key; once the ransom is paid, each victim gets a key to unscramble the files.
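The two file-system indicators named above (the “.perfect” extension on encrypted files and the CONTACT.TXT note dropped in each directory) are enough for a first-pass sweep of a suspect host or a mounted backup. The Python script below is an added example, not code from the article or from IntelCrawler: it assumes the suffix is exactly `.perfect` with no space, builds a constructed sample tree in a temporary directory to stand in for an infected volume, and reports affected paths by name only, without opening or modifying any file.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files are renamed with a
# ".perfect" suffix and a "CONTACT.TXT" ransom note is left in each directory.
ENCRYPTED_SUFFIX = ".perfect"
RANSOM_NOTE = "CONTACT.TXT"


def sweep_for_locker(root):
    """Walk `root` and collect Locker-style indicators.

    Returns a dict with:
      encrypted_files - paths whose name ends with the .perfect suffix
      ransom_notes    - paths of CONTACT.TXT files
      suspect_dirs    - sorted directories holding a note, an encrypted file, or both
    Only file names are inspected; nothing is read or written.
    """
    report = {"encrypted_files": [], "ransom_notes": [], "suspect_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            path = str(Path(dirpath) / name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"].append(path)
                report["suspect_dirs"].add(dirpath)
            elif name.upper() == RANSOM_NOTE:
                report["ransom_notes"].append(path)
                report["suspect_dirs"].add(dirpath)
    report["suspect_dirs"] = sorted(report["suspect_dirs"])
    return report


def build_sample_tree():
    """Constructed sample directory for offline demonstration (not real malware output).

    Layout:
      docs/report.docx.perfect - renamed the way the article describes
      docs/CONTACT.TXT         - ransom note
      pics/holiday.jpg         - untouched file
      pics/notes.txt.perfect   - renamed, but no note dropped yet
    """
    base = Path(tempfile.mkdtemp(prefix="locker-demo-"))
    (base / "docs").mkdir()
    (base / "pics").mkdir()
    (base / "docs" / "report.docx.perfect").write_bytes(b"\x00" * 16)
    (base / "docs" / "CONTACT.TXT").write_text("contact the author to buy the key\n")
    (base / "pics" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "pics" / "notes.txt.perfect").write_bytes(b"\x00" * 16)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    result = sweep_for_locker(sample)
    print(f"Encrypted files: {len(result['encrypted_files'])}")
    print(f"Ransom notes:    {len(result['ransom_notes'])}")
    for d in result["suspect_dirs"]:
        print("  suspect directory:", d)
```

Point `sweep_for_locker` at a mounted backup volume before restoring from it: a backup location that was reachable as a drive letter or mapped share during the infection will show up in `suspect_dirs`, which is the practical reason the article insists on remote, unmapped backups.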
The good news is that the researchers are working on universal decryption software to help the victims. “It appears that the hackers are simply comparing the list of infected IP addresses of users, along with their host names,” according to IntelCrawler.
IntelCrawler has discovered 50 different builds of the malware, which are being sold in underground markets through pay-per-install programs. One build had just under 6,000 infected machines, ZDNet reported.
The malware will encrypt all drives visible on an infected system, so make sure your backups are stored remotely or in a location that is not simply another drive partition or a mapping to another location.
The malware infects users in the United States, Turkey, Russia, Germany and the Netherlands. Users should remain vigilant about their security: double check the legitimacy of links received in emails and keep your antivirus up to date to help protect against such threats.
An update on Cryptolocker: One of the servers that distributed Cryptolocker encryption keys that allowed the program to encrypt files has been found, and the keys that were on this server have been used by FireEye and Fox-IT Security to create