Copycat Ransomware “Locker” Emerges

7933306_sProbably the hottest new development in malware this year has been the widespread emergence of ransomware.  As the name implies, ransomware is a form of malware that takes your computer hostage and demands you pay a ransom before it sets the computer free.   In late 2013, the ransomware CryptoLocker emerged as a major new threat with an ingenious albeit malicious design.

CryptoLocker worked its way onto computers through a Trojan attachment that hid the fact it was an executable.  It then installed itself as an anonymous file in your Documents and Settings Folder, and proceeded to encrypt important files throughout your local or mapped network drive.  Encrypted files would be locked and held for ransom, and CryptoLocker would notify you of the situation by presenting an ultimatum on screen.

PAY $300 IN THE NEXT 72 HOURS OR YOU WILL NEVER SEE YOUR FILES AGAIN!

According to reports, payment would then supply users with access to CryptoLocker’s software, which supposedly unencrypted the files and returned them safely to the user.  Estimates state that only about 3% of users actually paid, and of this minority even fewer actually got their files back.  Most experts have agreed that CyptoLocker is essentially unbreakable, and part of the reason is that many variants demanded Bitcoin payment, which allowed CryptoLocker’s creators to operate in anonymity.

Copycat Locker

Just last week, a new type of ransomware called Locker emerged across the United States and Europe.  Based off of CryptoLocker, Locker is decidedly less advanced but still surprisingly infectious.  Locker is spreading via drive-by downloads that once again hide the executable extension and then begin encryption.

With Locker, the encryption process has two new components.  Firstly, Locker copies its hostage files, replaces their extension with .perfect, and then deletes their contents. From there, Locker places a file called contact.txt into each hostage directory.  Contact.txt is readable and usually contains the phone number to a pay-as-you-go mobile phone or the address to an anonymous email, as well as an activation key.

In the end, infected users are prompted to contact the person listed in contact.txt.  Reports have stated that at this point, users are usually met with demands of around $150 to obtain a decryption key to unlock the hostage files.  As with CryptoLocker, chances of actually getting your files back are slim.

The Good News

So far, the good news about Locker is that it is relatively less threatening than CryptoLocker, which used 256-bit encryption combined with other advanced methods to lock files.  In addition, one start-up security software company, IntelCrawler, has already announced effective decryption.

Still, Locker is circulating, and anyone spending any amount of time downloading files on the Internet would do well to keep a cautious eye.  One of the most popular vectors currently in use are files that look like .mp3s but are actually .exes.  So, for those of you still pirating music from less than legitimate sources, watch out!

As for the rest of us, Emsisoft and a bit of discretion should have you covered.

Have a Great (Malware Free) Day!