DeriaLock Ransomware
Threat Scorecard
Threat Level: 100 % (High)
Infected Computers: 69
First Seen: December 27, 2016
Last Seen: March 19, 2021
OS(es) Affected: Windows
The DeriaLock Ransomware is a ransomware Trojan that was first detected on Christmas Eve 2016. It locks the victim's screen and demands a payment of $30 USD. The DeriaLock Ransomware is not designed to encrypt the victim's files: it blocks access to the computer but leaves the files intact. There is currently no specific information about how the DeriaLock Ransomware spreads, although spam email attachments are the most common method for spreading these threats.
The Poor Implementation of the DeriaLock Ransomware
Once installed, the DeriaLock Ransomware generates a unique identifier for the infected machine. It then contacts its Command and Control server and downloads its most recent version, saving it at the following location:
C:\users\appdata\roaming\microsoft\windows\start menu\programs\startup\SystemLock.exe
After this file is executed, it locks the victim's computer by showing a full-screen window that contains the following message:
'Your System has Locked!
If you try to restart you PC ALL data will delete.
If you want your data back, pay 30 USD.
Instuctions:
Is give no other way to get you computer/data back exdcept to pay a special Key.
You can buy the Key at the following Skype account: "arizonacode".
If you contact the bellow named Skype account send him you HWID the bottom left is to be seen.
If you Spamming the skype account, you can't get you data back
After you buy the key, paste him into the textbox.'
The DeriaLock Ransomware screen locker has two buttons that provide versions of the ransom note in German and in Spanish. The Spanish translation button does nothing, meaning that it is likely that the DeriaLock Ransomware infection is unfinished. The German translation button displays the following German translation of the DeriaLock Ransomware ransom note:
'Dein System ist verschlüsselt!
Falls du deinen PC neustartest werden ALLE Dateien gelöscht.
Wenn du deine Dateien wieder haben willst, bezahle 30€.
Anleitung:
Es gibt keinen anderen Weg deinen Computer/Daten wieder zu erlangen außer einen bestimmten Schlüssel zu kaufen.
Den Schlüssel kann du bei folgenden Skypeaccount erwerben: "arizonacode".
Wenn du einen von den oben genannten Skype Accounts kontaktiert hast sende ihm deine HWID die unten Links sichtbar ist.
Falls der Account zugespammt wird, kannst du deine Dateien NICHT zurückerlangen.
Nachdem du den Schlüssel erworben hast, füge ihn in die Textbox ein.'
The spelling and grammar errors in both versions of the ransom note are present in the original infection, which is evidence of the poor implementation of this threat. Apart from displaying its lock screen, the DeriaLock Ransomware searches for the following running processes and kills them to prevent computer users from bypassing the screen locker:
- taskmgr
- procexp
- procexp64
- procexp32
- skype
- chrome
- steam
- MicrosoftEdge
- regedit
- msconfig
- utilman
- cmd
- explorer
- certmgr
- control
- cscript
Pressing Alt + F4 to close the DeriaLock Ransomware window simply causes a pop-up message to appear, which contains the following text:
'I think that is a bad decision. Nice try mate =)'
Dealing with the DeriaLock Ransomware
The DeriaLock Ransomware requires .NET Framework 4.5, so it will not affect computers running the Windows XP operating system. Newer versions of the DeriaLock Ransomware add the .deria file extension to the victim's files. It seems, however, that the DeriaLock Ransomware still does not encrypt the victim's files but simply changes their extensions. It is not unlikely that newer versions of the DeriaLock Ransomware that do include an encryption engine will be released. PC security researchers have noted that there are ways to recover from the DeriaLock Ransomware. Malware analysts advise starting Windows using an alternate startup method to bypass the screen locker. Once access to the affected computer has been regained, a reliable security program that is fully up-to-date should be capable of detecting and removing the DeriaLock Ransomware infection.
File System Details
# | File Name | MD5 | Detections |
---|---|---|---|
1. | Endermanch@DeriaLock.exe | 0a7b70efba0aa93d4bc0857b87ac2fcb | 37 |
2. | file.exe | 0c1295f0e9b94abd144c9788cb84dcf9 | 0 |
3. | file.exe | c81e14e4f0b40cf7f7c1e6f515d88815 | 0 |
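The indicators described on this page (the SystemLock.exe Startup entry, the .deria extension that newer versions append, and the MD5 values in the table above) can be checked on an affected disk once it is reachable through an alternate startup method or mounted offline. The following is an added example, not code from this page or from EnigmaSoft; the function names are hypothetical and it assumes the standard per-user Startup folder layout.

```python
import hashlib
import os
from pathlib import Path

# Indicators taken from this page.
STARTUP_NAME = "systemlock.exe"
RENAMED_SUFFIX = ".deria"
KNOWN_MD5 = {
    "0a7b70efba0aa93d4bc0857b87ac2fcb",
    "0c1295f0e9b94abd144c9788cb84dcf9",
    "c81e14e4f0b40cf7f7c1e6f515d88815",
}
# Assumption: standard per-user Startup folder layout on the volume.
STARTUP_TAIL = ("appdata", "roaming", "microsoft", "windows",
                "start menu", "programs", "startup")


def md5_of(path):
    """Hash a file in chunks so large executables are not read at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_volume(root):
    """Walk a Windows volume and return findings for this page's indicators."""
    findings = {"startup": [], "hash": [], "renamed": []}
    for folder, _dirs, files in os.walk(root):
        parts = tuple(p.lower() for p in Path(folder).parts)
        in_startup = parts[-len(STARTUP_TAIL):] == STARTUP_TAIL
        for name in files:
            path = Path(folder) / name
            lower = name.lower()
            # Persistence: the downloaded copy sits in a Startup folder.
            if in_startup and lower == STARTUP_NAME:
                findings["startup"].append(path)
            # Known samples: compare executables against the listed MD5s.
            if lower.endswith(".exe") and md5_of(path) in KNOWN_MD5:
                findings["hash"].append(path)
            # Renamed files: the extension is appended and the content is
            # not encrypted, so stripping it gives the original name.
            if lower.endswith(RENAMED_SUFFIX):
                findings["renamed"].append((path, path.with_suffix("")))
    return findings
```

Call `scan_volume` with the mount point or drive root of the affected volume; the `renamed` list pairs each .deria file with the name it would have once the appended extension is removed.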