May 25, 2015 marked the beginning of a surge of reports from companies all over the world indicating a system compromise. As the panic calls came in, it appeared that there was a new ransomware problem very similar to the “CryptoLocker” virus, but since that threat had already been defused, the fear was that this was one that had evolved. Bleeping Computer’s Lawrence Abrams named this new variation of ransomware ‘Locker’.
The difference in this ransomware lies in its delivery mechanism. It uses a chain of executables and services to reach the final stage. The Trojan downloader handles the ransomware payload in a way that has been described as a ‘logic bomb’: the payload lies dormant until a trigger condition is met. Once active, Locker behaves like other ransomware: it sweeps the user’s local file system, searches for specific file extensions and encrypts the matching files. Using AES encryption, it then displays the typical ‘ransom note’ on the user’s screen, with information about the infection and the payment demanded for decryption, typically 0.1 bitcoin.
Locker is believed to be distributed inside a cracked copy of Minecraft bundled with the ‘Team Extreme’ Minecraft downloader, which, together with other malicious software, is being spread to individual and company computers. As with the CryptoLocker ransomware, it takes advantage of Microsoft Windows weaknesses that allow an executable file to be hidden as an e-mail attachment; once opened, it downloads to the affected system in the C:\Windows\SysWOW64 directory alongside other service files.
The virus can affect all Windows versions, including XP, Windows 7 and Windows 8. It then runs a process that attempts to delete all VSCs (Volume Shadow Copies) it finds in the user’s file system. Deleting these copies prevents the victim from using the “System Restore” or “Previous Versions” features. Without a viable external backup, the victim has no way to recover earlier versions of the encrypted files.
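The shadow-copy deletion step above is a useful detection point for defenders, because it usually precedes the encryption. The following is an added example, not code from the article or from DaVinci Forensics: a small Python check that scans process-creation events (constructed sample lines in a simplified Sysmon-style "timestamp|image|command line" form) for the usual Windows commands that delete shadow copies. The command patterns (vssadmin, wmic, Win32_ShadowCopy via PowerShell) are an assumption about how such deletion is commonly performed; the article does not state which method Locker itself uses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample telemetry (not real data): one process-creation event per
# line as "timestamp|image path|command line". Line 5 has pipes inside the command line.
SAMPLE_LOG = """\
2015-05-25T09:12:01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2015-05-25T09:13:44|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2015-05-25T09:13:45|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2015-05-25T09:14:02|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2015-05-25T09:15:10|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }
"""

# Assumed command patterns: common ways shadow copies are deleted on Windows.
# The article does not state which of these Locker uses.
SHADOW_DELETE_RULES = [
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("powershell-win32-shadowcopy", re.compile(r"win32_shadowcopy.*\.delete\s*\(", re.I)),
]

@dataclass
class Alert:
    timestamp: str
    image: str
    command_line: str
    rule: str

def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a line into its three fields; maxsplit=2 keeps '|' inside the command line."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]

def detect_shadow_copy_deletion(log_text: str) -> List[Alert]:
    """Return one Alert per event that matches a deletion rule; read-only commands are not flagged."""
    alerts = []
    for raw in log_text.splitlines():
        event = parse_event(raw)
        if event is None:
            continue
        timestamp, image, command_line = event
        for rule_name, pattern in SHADOW_DELETE_RULES:
            if pattern.search(command_line):
                alerts.append(Alert(timestamp, image, command_line, rule_name))
                break
    return alerts
```

The benign `vssadmin list shadows` event is included to show that only deletion commands are reported, which keeps the check usable on hosts where administrators legitimately inspect shadow copies.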
This particularly vicious form of ransomware has incorporated lessons from the downfalls of other malware so that it can evade analysis. Locker checks whether it is running inside a VMware or VirtualBox virtual machine and terminates itself if so. It also terminates itself if it detects any of a list of malware-analysis tools, including: wireshark, fiddler, netmon, procexp, processhacker, anvir, cain, nwinvestigatorpe, uninstalltool, regshot, installwatch, inctrl5, installspy, systracer, whatchanged, and trackwinstall.
Sharon Knowles, CEO of DaVinci Forensics, says:
“Cyber hacking has taken on a whole new personal aspect with ransomware. This goes beyond the once ‘expected’ attempts at accessing a company’s data and instead introduces itself in a seemingly innocent email. The method of hiding the damaging virus allows not only an individual computer to be attacked, but to infiltrate into an entire company network. DaVinci Forensics is committed to working with companies and employees through education and diligence so that critical company data as well as reputation remain intact.”
As cybercriminals continue to develop increasingly devious malware, SA companies need to work with professional security companies to help protect their data and their overall security.
Source: Security Affairs.co