
Alma Locker Ransomware

By GoldSparrow in Ransomware

The Alma Locker Ransomware is a ransomware Trojan that is currently being delivered to victims by the RIG Exploit Kit. The Alma Locker Ransomware was first observed in August of 2016. The Alma Locker Ransomware's attack is fairly typical: the Alma Locker Ransomware encrypts its victims' data and then demands that a payment of one Bitcoin be made within five days, threatening to delete the victim's data permanently otherwise. The Alma Locker Ransomware has a working Command and Control server to which victims can connect by using TOR. The Alma Locker Ransomware uses an advanced encryption algorithm to make the victim's data inaccessible without a decryption key, which is withheld from the victim until the ransom is paid.

It is Easy to Recognize the Files Encrypted by the Alma Locker Ransomware

Unfortunately, at this time, it is not possible to decrypt the files encrypted by the Alma Locker Ransomware without access to the decryption key. However, it is possible that in the near future malware researchers will release a decryption utility, as has been the case with other ransomware attacks. The Alma Locker Ransomware may enter the victim's computer after the victim is directed to a compromised Website hosting the RIG Exploit Kit. After the Alma Locker Ransomware is installed, it generates an extension made up of five random characters that is added to the end of each encrypted file. The Alma Locker Ransomware also generates a unique ID number for the victim, which is derived from the serial number of the C: drive and the MAC address of the infected computer. The Alma Locker Ransomware will then search all drives on the infected computer for files with certain file extensions and encrypt them with AES-128 encryption. Each time the Alma Locker Ransomware encrypts a file, it appends the extension it generated to the file name. The Alma Locker Ransomware encrypts the following file types:

.1cd, .3ds, .3gp, .accdb, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer, .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib, .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank, .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .mdb, .mdf, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .qbb, .qbw, .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd, .xls, .xlsm, .xlsx, .xml.

During its encryption process, the Alma Locker Ransomware will skip folders with the following strings:

$recycle.bin
system volume information
program files
programdata
program files (x86)
windows
internet explorer
microsoft
mozilla
chrome
appdata
local settings
recycler
msocache
Unlock_files_

After encrypting the victim's files, the Alma Locker Ransomware displays a ransom note that contains links to a TOR payment site and to a download for the decryption key. The Alma Locker Ransomware connects to its Command and Control server to receive payment information and how much time is left on the five-day countdown. Currently, it is unknown what happens after the five-day countdown expires. While it is possible that the ransom amount is increased, it is also likely that the attackers will simply refuse to decrypt the victim's files.
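The naming behaviour described above (a targeted file type followed by one five-character extension that is the same for every file on the host) gives responders a cheap triage signal. The following Python script is an added example, not code from the article or from any vendor tool; it assumes the random extension is alphanumeric (the article does not state the character set) and uses a constructed directory listing as input.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Subset of the file types the article lists as targeted by Alma Locker.
TARGETED_EXT = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt",
    ".sql", ".sqlite", ".pem", ".pfx", ".p12", ".wallet", ".psd", ".dwg",
}
# Five random characters are appended; assumption: alphanumeric.
APPENDED_RE = re.compile(r"^[a-z0-9]{5}$", re.IGNORECASE)


def split_name(filename):
    """Return (original_ext, appended_ext) for names like 'report.docx.k3x9q', else None."""
    parts = filename.rsplit(".", 2)
    if len(parts) != 3:
        return None
    original_ext = "." + parts[1].lower()
    appended = parts[2]
    if original_ext in TARGETED_EXT and APPENDED_RE.match(appended):
        return original_ext, appended.lower()
    return None


def triage(paths, min_hits=3):
    """Group suspicious names by appended extension and keep those seen >= min_hits times.
    One extension recurring across many targeted file types is the per-host pattern
    the article describes; isolated matches are more likely benign double extensions."""
    by_appended = defaultdict(Counter)
    for p in paths:
        hit = split_name(PureWindowsPath(p).name)
        if hit:
            original_ext, appended = hit
            by_appended[appended][original_ext] += 1
    return {ext: dict(c) for ext, c in by_appended.items() if sum(c.values()) >= min_hits}


# Constructed directory listing (not taken from a real infection).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.k3x9q",
    r"C:\Users\alice\Documents\report.docx.k3x9q",
    r"C:\Users\alice\Pictures\holiday.jpg.k3x9q",
    r"C:\Users\alice\Documents\notes.txt",        # untouched file
    r"C:\Users\alice\Downloads\archive.tar.gz",    # benign double extension, not targeted
    r"C:\Users\alice\Documents\old.pdf.backup",    # six characters, does not match
    r"D:\backup\keys\server.pem.k3x9q",
]

if __name__ == "__main__":
    for appended, counts in triage(SAMPLE_LISTING).items():
        print(f"suspect extension .{appended}: {sum(counts.values())} files {counts}")
```

On a live host, feed it the output of a recursive directory listing; the folder names the article says the malware skips are where you would expect no hits, which is itself a useful consistency check.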

Preventing the Alma Locker Ransomware Infections

The best way to deal with threats like the Alma Locker Ransomware is to restore the encrypted files from a backup. Prevention is key when dealing with ransomware, and having backups of all important files essentially makes computer users invulnerable to attacks like the Alma Locker Ransomware. You should use an up-to-date security program to monitor online activity and intercept attacks that try to infiltrate your computer. Since the Alma Locker Ransomware is distributed using an exploit kit, keeping all of your software updated can prevent these attacks.
