We reported almost two years ago about the nasty little program called Cryptolocker, which holds your files hostage, and demands expensive bitcoins in exchange for the decryption key. The malware has been evolving, with a new variant caught in the wild a couple of months ago.
According to a report by KnowBe4, a similar ransomware program has recently been activated, and is now making the rounds on the internet. Named "Locker," the program was originally quiescent, but was activated on May 25th, wreaking its havoc on hundreds of computers.
How the ransomware is installed is not exactly known. However, it was reported that Windows services will apparently be used to install Locker to a victim's computer. During installation, the program will check if the system is running on a virtual machine, and then terminate if this is confirmed. Once it installs, it will start to encrypt files using 2048-bit RSA encryption, though it will not modify file extensions. It will delete shadow volume copies of the C:\ drive, to prevent restoring files from a backup, and then display its interface, asking for ransom. Locker encrypts the following file types: .doc, .docx, .xlsx, .ppt, .wmdb, .ai, .jpg, .psd, .nef, .odf, .raw, .pem, .rtf, .raf, .dbf, .header, .wmdb, .odb, and .dbf, among others.
Like Cryptolocker, it displays a message saying, "Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!" Locker will demand 0.1 bitcoin (roughly $23), which is unusually lower than other ransoms that are sometimes as high as $500.
As of this moment, hundreds are reportedly infected, but it is not known if anyone has paid the ransom. Bleeping Computer's forums are currently flooded with posts regarding the issue, and the website has stated that the strain has a large install base, only worsening the news for those who are infected. This should be another reminder on why everyone should make sure they have backups of their data available in multiple places.
Source: KnowBe4, Bleeping Computer | Image via Bleeping Computer
18 Comments - Add comment