Security Firm Alerts to New Strain of Sleeper Ransomware

A new and dangerous strain of sleeper ransomware was activated last week, catching hundreds of infected users by surprise, according to an alert from IT security firm KnowBe4.

Dubbed “Locker,” the ransomware lay dormant on victims’ personal computers until midnight on May 25, 2015, when it officially “woke up.” The “sleeper” malware, which encrypts users’ files and holds them for a fee or ransom, appears to have infected computers several months ago but remained inactive until now.

According to KnowBe4’s CEO Stu Sjouwerman, the ransomware is very similar to Cryptolocker, a particularly nasty piece of ransomware which puts infected users in danger of losing their personal files forever. Antivirus companies identified Cryptolocker in 2013, when it was spread through email attachments and targeted companies through phishing attacks.

A 2014 KnowBe4 White Paper explained, “One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, and its numerous variants, which encrypts the files on a user’s computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files.”

“But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis,” the report added.

Locker ransomware shows just how dangerous this evolution is. Since the ransomware was activated, it has been wreaking havoc. Bleepingcomputer, a technical support community, has a 14-page support thread on it and has received hundreds of emails from consultants all over the world. Reddit has a topic on Locker with over 600 comments.

Like Cryptolocker, Locker displays a message saying, "Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!"

Sjouwerman indicated this is used as a scare tactic, forcing the user to pay.

This is what Locker does:

  • A series of Windows services are used to install Locker on the computer and encrypt data files;
  • During the install process, Locker will check if the computer is a virtual machine and terminate if one is detected;
  • Encrypts data files with RSA encryption, and does not change the file extension;
  • After the encryption it deletes your C:\ shadow volume copies and displays its ransom interface; and
  • If your backups failed and you are forced to pay the ransom, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.

KnowBe4 noted that some of the most commonly affected file extensions include .doc, .xlsx, .ppt, and .jpg. Because Locker leaves the file extension untouched rather than renaming encrypted files, it is impossible for someone to tell from a file listing that their system has been compromised.
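Since the extension gives no hint, a defender has to look at file contents instead. The following is an added example, not code from the article or from KnowBe4, that checks whether a file with one of the listed extensions still starts with the magic bytes of its format and whether its leading bytes look like ciphertext (near 8 bits of entropy per byte). It assumes the encrypted file replaces the original bytes in place, including the header, which the article does not state; the sample files are constructed here.

```python
import math
import os
import tempfile

# Expected leading bytes for the extensions named in the article.
# .doc/.ppt: OLE compound document; .xlsx: ZIP container; .jpg: JPEG SOI marker.
MAGIC = {
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".ppt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well below for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def header_mismatch(path: str, sample: int = 4096) -> dict:
    """Flag a file whose extension is intact but whose content no longer
    looks like that format: wrong magic bytes AND ciphertext-like entropy."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(sample)
    expected = MAGIC.get(ext)
    magic_ok = expected is None or head.startswith(expected)
    ent = shannon_entropy(head)
    return {"path": path, "magic_ok": magic_ok, "entropy": round(ent, 2),
            "suspect": (not magic_ok) and ent > 7.5}

def scan_tree(root: str) -> list:
    """Walk a directory tree and return files that look encrypted in place."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            result = header_mismatch(os.path.join(dirpath, name))
            if result["suspect"]:
                hits.append(result["path"])
    return sorted(hits)

def demo() -> tuple:
    """Constructed sample: an intact .doc beside a .doc whose bytes have been
    replaced with random data standing in for ciphertext, same extension."""
    root = tempfile.mkdtemp()
    intact = os.path.join(root, "report.doc")
    with open(intact, "wb") as f:
        f.write(MAGIC[".doc"] + b"\x00" * 2000 + b"Quarterly report text " * 50)
    encrypted = os.path.join(root, "budget.doc")
    with open(encrypted, "wb") as f:
        f.write(os.urandom(4096))  # constructed stand-in for an encrypted file
    return root, intact, encrypted
```

A magic mismatch alone is weak evidence (files get mislabelled all the time); combining it with entropy, and running the scan against a known-good backup, is what makes it useful for spotting silent encryption.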

In response, an Internet user claiming to be Locker’s creator released a message in a PasteBin post apologizing for the campaign.

“I am the author of the Locker ransomware and I’m very sorry about that [sic] has happened. It was never my intention to release this,” the post stated. “I uploaded the database to mega.co.nz containing ‘bitcoin address, public key, private key’ as CSV. This is a dump of the complete database and most of the keys weren’t even used. All distribution of new keys has been stopped.”

Sjouwerman speculated that the creator is a talented coder, but probably not an experienced cybercriminal. Furthermore, the fact that the ransomware is built as a “sleeper” means it took months of careful planning, indicating the creator knew what he was doing. If the creator of the malware truly had remorse, the ransoms would likely have been refunded, which has not happened.

“The author seems to have either made so much money that he’s pulling out of this criminal campaign, or has gotten cold feet and is afraid to get caught either by law enforcement or damaged by a local cyber mafia,” Sjouwerman said.

To protect against ransomware like Locker, Sjouwerman recommends backing up systems and keeping patches up to date; avoiding clicking on any ads that may appear on screen; and that employers keep their employees informed and up to date, with training and awareness measures, so they can avoid malware damage.

“As always, stepping employees through effective security awareness training is a must these days,” Sjouwerman said.

Homeland Security Today, http://www.hstoday.us