Businesses Beware: New Ransomware May Lock Out Your Computers
By Julie King | May 29, 2015
Locker v1.7 is a new "sleeper" strain of ransomware, which lay dormant on infected computers until May 25, 2015. Once activated, it locked the affected computers and encrypted their files, so the files could only be recovered if a bitcoin payment was made.
The ransom demand was 0.1 bitcoins if paid in the first 72 hours, and 1 bitcoin after that.
Stu Sjouwerman, CEO of IT security company KnowBe4, issued a warning to IT managers, noting that reports on the Bleepingcomputer forum indicate that Locker has a large global install base and may have infected computers through a compromised MineCraft installer.
Sjouwerman outlines what Locker does to an infected computer as follows:
- A series of Windows services are used to install Locker on the computer and encrypt data files.
- During the install process, Locker will check if the computer is a virtual machine and terminate if detected.
- It encrypts data files with RSA encryption and does not change the file extension.
- After the encryption it deletes your C: shadow volume copies and displays its ransom interface.
- If your backups failed and you are forced to pay the ransom, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.
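The shadow-copy deletion in the list above is the step a defender can most readily catch in process-creation telemetry, because it happens after encryption but before the ransom screen is shown. The following is an added detection example, not code from the article or from KnowBe4: it runs a small set of command-line patterns over constructed log lines in a simplified "timestamp|host|parent|image|commandline" format (a real deployment would read Windows Security event 4688 or Sysmon event 1 instead). The command-line forms matched are real Windows utilities for removing shadow copies; that Locker uses exactly these forms is an assumption, since the article only says the copies are deleted.

```python
"""Added detection example (not from the article): flag process-creation
events whose command line deletes Volume Shadow Copies.

The log format and the sample lines are constructed for this example;
the host names, timestamps and parents are not from any real incident."""
import re

# Real command-line forms used to remove or squeeze out shadow copies.
# Assumption: Locker uses one of these; the article does not say which.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),      # WMI / PowerShell route
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize", re.I),
]

# Constructed sample: two deletion events on one host, one benign
# "vssadmin list" call (listing is not deletion) and one unrelated process.
SAMPLE_LOG = """\
2015-05-25 00:00:41|WS-014|explorer.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2015-05-25 00:01:03|WS-014|svchost.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2015-05-25 08:12:10|WS-022|cmd.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2015-05-25 09:00:00|WS-030|winword.exe|C:\\Program Files\\Microsoft Office\\WINWORD.EXE|WINWORD.EXE /n report.docx
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True if the command line matches any known deletion form."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def detect(log_text: str) -> list:
    """Return the parsed events that should raise an alert."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if is_shadow_copy_deletion(event["cmdline"]):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG):
        print(f"ALERT {ev['ts']} {ev['host']} parent={ev['parent']}: {ev['cmdline']}")
```

Only the two deletion commands on WS-014 are flagged; the `vssadmin list shadows` call is deliberately left alone so that routine administration does not page anyone. A parent process such as explorer.exe spawning vssadmin is a useful secondary signal, but the example keys on the command line alone to stay readable.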
Some of the most popular file formats will be encrypted, including:
- Microsoft Office: .doc, .docx, .xlsx, .ppt, .rtf
- Graphics files: .ai, .jpg, .psd
- Other files: .wmdb, .nef, .odf, .raw, .pem, .raf, .dbf, .header, .odb
Sjouwerman notes that Locker does not change the file extension, so your users will get error messages from their applications saying the file is corrupted.
Instead, Sjouwerman explains, the ransomware screen will include a message stating: "Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!"
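Because the extension is left unchanged, the practical question during recovery is which files are actually damaged and need to come back from backup. A file whose header no longer matches its extension, and whose contents are near-random, is the tell. The script below is an added triage example, not code from the article or from KnowBe4: it checks the magic bytes of the Office, graphics and .pem extensions the article lists (the signatures are the real ones for those formats), falls back to a Shannon-entropy check to separate encrypted content from a merely mis-named file, and builds its own constructed sample directory so it runs offline. The 7.0-bit entropy threshold is an assumption chosen for this example.

```python
"""Added triage example (not from the article): find files whose contents
no longer match their extension, which is what in-place encryption with an
unchanged file name looks like on disk."""
import math
import os
import tempfile
from collections import Counter

# Real format signatures for the extensions the article lists that have a
# fixed header. Extensions without one (.raw, .dbf, .header, ...) are skipped.
MAGIC = {
    ".doc":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound file
    ".ppt":  [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],
    ".docx": [b"PK\x03\x04"],                        # OOXML is a zip container
    ".xlsx": [b"PK\x03\x04"],
    ".rtf":  [b"{\\rtf"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".psd":  [b"8BPS"],
    ".pem":  [b"-----BEGIN "],
    ".ai":   [b"%PDF", b"%!PS"],                     # PDF-based or legacy PostScript
}

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption for this example


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_size: int = 4096) -> str:
    """Compare the file header with the signature expected for its extension."""
    ext = os.path.splitext(path)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:
        return "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if any(head.startswith(sig) for sig in signatures):
        return "ok"
    # Wrong header plus near-random bytes points to encryption rather than
    # a truncated or mis-named file.
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "suspect-encrypted"
    return "header-mismatch"


def scan(root: str) -> dict:
    """Map each file under root (relative path) to its verdict."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify(full)
    return results


def build_demo_dir() -> str:
    """Constructed sample: an intact JPEG header, an intact docx header,
    an .xlsx overwritten with random bytes (simulated in-place encryption)
    and a .txt file the checker has no signature for."""
    d = tempfile.mkdtemp(prefix="locker_triage_")
    with open(os.path.join(d, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 500)
    with open(os.path.join(d, "report.docx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"word/document.xml" * 20)
    with open(os.path.join(d, "budget.xlsx"), "wb") as f:
        f.write(os.urandom(4096))
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"plain text with no signature to check\n")
    return d


if __name__ == "__main__":
    for rel, verdict in sorted(scan(build_demo_dir()).items()):
        print(f"{verdict:18} {rel}")
```

Point `scan()` at a user's document tree and the "suspect-encrypted" entries are the restore list; "header-mismatch" entries deserve a manual look, since a wrong header with low entropy is more often a renamed or half-written file than ransomware.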
If you find yourself affected, your first avenue of recourse is to restore your backups.
Sjouwerman also recommends the following:
- Patch early and patch often.
- Don't click on ads. Many new strains of malware are being carried through malvertising, where ads are placed on valid sites but redirect the clicker to a bad site that delivers the payload.
- And as always, stepping employees through effective security awareness training is a must these days.