Locker ransomware hides until midnight on May 25th and then encrypts your data

Status
Not open for further replies.

Tony Cole

Level 27
Thread author
May 11, 2014
1,639
A new ransomware called Locker has been discovered that, once installed, lies dormant until midnight local time on May 25th, when it activates and encrypts your data files. Once your files are encrypted it demands 0.1 bitcoins in order to decrypt your files. If payment is not made within 72 hours, the ransom price then increases to 1 bitcoin. This ransomware is currently widespread with global targeting.

[Image: locker.jpg - Main Locker screen]

Locker appears to be installed via a dropper that creates a daisy-chain installation of various Windows services that ultimately launches the Locker screen. The main dropper will be installed in C:\Windows\Syswow64 under a random name such as twitslabiasends.exe. This file will then create the Steg service, which uses the C:\ProgramData\Steg\steg.exe executable. This executable will then install Tor into C:\ProgramData\Tor and create another service called LDR. The LDR service is associated with C:\ProgramData\rkcl\ldr.exe and will ultimately launch the rkcl.exe program, which displays the Locker interface. Finally, the installation will also delete all Shadow Volume Copies so that you are unable to use them to restore your files. The command used to delete the shadow volume copies is:

vssadmin.exe delete shadows /for=C:/all /quiet
The main screen for the Locker ransomware will include a version number. This version number appears to be random, with titles such as Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. The Locker screen is broken up into 4 different sections labeled Information, Payment, Files, and Status. The Information screen will display the ransom note and information on what has happened to the victim's data. The Payment screen will display the victim's unique bitcoin address and information on how to make payment. The Files screen will load the list of files that have been encrypted, and the Status screen will display payment status information. Screenshots of the Payment and Status screens can be seen below.

[Image: payment-tab.jpg - Locker Payment Page]

[Image: status-page.jpg - Locker Status Page]

In the C:\ProgramData\rkcl folder there will be various files created. These files are:
  • data.aa0 - This file contains a list of the encrypted files.
  • data.aa1 - Unknown purpose
  • data.aa6 - The victim's unique bitcoin address
  • data.aa7 - An RSA key similar to:

    <RSAKeyValue><Modulus>rvSUBZItCXDmeBBu01Imy811u41pOSTRDn9+6FpsEvXXfoBrcLgBd5ommgeT5jFRmY1/4vvsd+uXTUOG9FPBtbx1ySB9cv6/+5dU8v4SZTFIkCBIb5nXvYNzmm/lBB5OXOr6B8dkjyEr94LvUUg4B4XyFRjjjoXSUXX6ND0vbt1knN6/mBSIfkvv7XTlS5IBmbxB149t79mFcr9nu1tS9edI6s+sIUB14jFumf5xob1YG5UXOSntBDgkuIso+JXrXvB1ze4Bc7Ec1711Bmy7rfXScxpxXFb7rByZukBN5IomrY+9rTpyC4Df+pvJz/osBS0kSBS+BvIdETT/nKmIYm==</Modulus><Exponent>ImIB</Exponent></RSAKeyValue>

  • data.aa9 - Unknown purpose
  • data.aa9 - The date the ransomware became active.
  • data.aa11 - Unknown purpose
Unfortunately, there is no dropper available at this time, which is making it difficult to fully analyze the infection. Once we receive the dropper, we can provide a more thorough analysis. There is an active support topic here for those who want to ask questions or discuss the Locker ransomware.

Locker Ransomware Support Topic
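For anyone wanting to triage a machine against the artifacts listed in the post above, here is an added host-check script (written for this thread, not code from the original article or from the malware analysis). It assumes the service names (Steg, LDR), the ProgramData paths and the data.aa* file names exactly as the post gives them; the random dropper name in Syswow64 is not searched for because it cannot be known in advance.

```powershell
# Locker artifact triage (added example; indicators are those named in the post).
# Run from an elevated PowerShell prompt so that services and shadow copies are readable.

$artifactPaths = @(
    'C:\ProgramData\Steg\steg.exe',   # binary behind the "Steg" service
    'C:\ProgramData\rkcl\ldr.exe',    # binary behind the "LDR" service
    'C:\ProgramData\rkcl\rkcl.exe',   # program that shows the Locker screen
    'C:\ProgramData\Tor'              # Tor client dropped by steg.exe
)
$serviceNames = @('Steg', 'LDR')
$findings = @()

# 1. Files and folders dropped by the daisy-chain installer
foreach ($p in $artifactPaths) {
    if (Test-Path -LiteralPath $p) { $findings += "Artifact present: $p" }
}

# 2. Services matched by name, and any service whose binary lives in the dropped folders
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($serviceNames -contains $svc.Name -or $svc.PathName -match 'ProgramData\\(Steg|rkcl)\\') {
        $findings += "Suspicious service: $($svc.Name) -> $($svc.PathName) [$($svc.State)]"
    }
}

# 3. The data.aa* files (encrypted-file list, bitcoin address, RSA key, activation date).
#    data.aa0 is worth preserving: it scopes which files were touched.
if (Test-Path -LiteralPath 'C:\ProgramData\rkcl') {
    Get-ChildItem -LiteralPath 'C:\ProgramData\rkcl' -Filter 'data.aa*' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Locker data file: $($_.FullName) ($($_.Length) bytes)" }
}

# 4. Shadow copies: Locker runs "vssadmin delete shadows /for=C: /all /quiet", so zero
#    shadow copies on a machine that used to have restore points is itself a warning sign.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings += "Shadow copies present on this host: $($shadows.Count)"

if ($findings.Count -le 1) { 'No Locker artifacts found.' } else { $findings }
```

If the Steg or LDR service is found, stop it and disable it before the May 25th trigger time rather than deleting the rkcl folder outright, since data.aa0 and data.aa7 are the evidence an analyst will ask for.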
 

Alex BK

Level 2
Apr 23, 2015
69
This is funny... I mean, hypocrisy raised to new heights. I hope the authors get arrested, they deserve it.
 

Av Gurus

Level 29
Verified
Helper
Top poster
Malware Hunter
Well-known
Sep 22, 2014
1,768
We had this stuff at 00:12 on a Croatian forum - Click
Check this file:
C:\ProgramData\rkcl\ldr.exe

ESET online scan did a good job; the files did not encrypt.

Here are the VirusTotal results (time 12:15:10 UTC = 8/57, now 18/57) - click
 

Tony Cole

Level 27
Thread author
May 11, 2014
1,639
They believe this crypto ransomware came from a fake/compromised MinecraftExtreme.
 

Tony Cole

Level 27
Thread author
May 11, 2014
1,639
Does anyone know of someone affected by this deadly crypto ransomware? On BleepingComputer.com loads of people have the virus; they all have a Minecraft download in common, so the experts on the forum think it may be linked to that.
 

Av Gurus

Level 29
Verified
Helper
Top poster
Malware Hunter
Well-known
Sep 22, 2014
1,768
I said above that 2 guys on a Croatian forum had this.
 