DeriaLock Ransomware

By CagedTech in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 69
First Seen: December 27, 2016
Last Seen: March 19, 2021
OS(es) Affected: Windows

The DeriaLock Ransomware is a ransomware Trojan that was first detected on Christmas Eve 2016. It locks the victim's screen and demands a payment of $30 USD. The DeriaLock Ransomware is not designed to encrypt the victim's files; instead, it locks the screen, preventing access to the computer while leaving the victim's files intact. There is currently no specific information about how the DeriaLock Ransomware spreads, although spam email attachments are the most common method for distributing these threats.

The Poor Implementation of the DeriaLock Ransomware

Once the DeriaLock Ransomware is installed, the DeriaLock Ransomware generates a unique identifier for the infected machine. The DeriaLock Ransomware will then contact its Command and Control server and download its most recent version, saving it at the following location:

C:\users\appdata\roaming\microsoft\windows\start menu\programs\startup\SystemLock.exe

After this file is executed, it locks the victim's computer by showing a full-screen window that contains the following message:

'Your System has Locked!
If you try to restart you PC ALL data will delete.
If you want your data back, pay 30 USD.
Instuctions:
Is give no other way to get you computer/data back exdcept to pay a special Key.
You can buy the Key at the following Skype account: "arizonacode".
If you contact the bellow named Skype account send him you HWID the bottom left is to be seen.
If you Spamming the skype account, you can't get you data back
After you buy the key, paste him into the textbox.'

The DeriaLock Ransomware screen locker has two buttons that provide versions of the ransom note in German and in Spanish. The Spanish translation button does nothing, meaning that it is likely that the DeriaLock Ransomware infection is unfinished. The German translation button displays the following German translation of the DeriaLock Ransomware ransom note:

'Dein System ist verschlüsselt!
Falls du deinen PC neustartest werden ALLE Dateien gelöscht.
Wenn du deine Dateien wieder haben willst, bezahle 30€.
Anleitung:
Es gibt keinen anderen Weg deinen Computer/Daten wieder zu erlangen außer einen bestimmten Schlüssel zu kaufen.
Den Schlüssel kann du bei folgenden Skypeaccount erwerben: "arizonacode".
Wenn du einen von den oben genannten Skype Accounts kontaktiert hast sende ihm deine HWID die unten Links sichtbar ist.
Falls der Account zugespammt wird, kannst du deine Dateien NICHT zurückerlangen.
Nachdem du den Schlüssel erworben hast, füge ihn in die Textbox ein.'

The spelling and grammar errors in both versions of the ransom note are present in the original infection, evidencing the poor implementation of this threat. Apart from displaying its lock screen, the DeriaLock Ransomware searches for the following running processes and kills them to prevent computer users from bypassing the DeriaLock Ransomware screen locker:

  • taskmgr
  • procexp
  • procexp64
  • procexp32
  • skype
  • chrome
  • steam
  • MicrosoftEdge
  • regedit
  • msconfig
  • utilman
  • cmd
  • explorer
  • certmgr
  • control
  • cscript

Pressing Alt + F4 to close the DeriaLock Ransomware window simply causes a pop-up message to appear, which contains the following text:

'I think that is a bad decision. Nice try mate =)'
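The two behaviours described above, persistence in the per-user Startup folder and the killing of a fixed set of tools, can both be turned into host-side checks. The following Python sketch is an added example, not code from the original page or from any vendor product; the log format (`time|killer pid|terminated image path`) and the log lines themselves are constructed for illustration, and the process names and the Startup-folder path are taken from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the page reports DeriaLock kills (compared case-insensitively).
KILLED_BY_DERIALOCK = {
    "taskmgr", "procexp", "procexp64", "procexp32", "skype", "chrome", "steam",
    "microsoftedge", "regedit", "msconfig", "utilman", "cmd", "explorer",
    "certmgr", "control", "cscript",
}
# Tail of the persistence location reported on the page (per-user Startup folder).
PERSISTENCE_SUFFIX = r"\start menu\programs\startup\systemlock.exe"

# Constructed, simplified termination events (not real telemetry):
# "<ISO time>|<pid of the process doing the killing>|<image path of the killed process>"
SAMPLE_LOG = """\
2016-12-27T10:00:01|4412|C:\\Windows\\System32\\taskmgr.exe
2016-12-27T10:00:02|4412|C:\\Windows\\regedit.exe
2016-12-27T10:00:02|4412|C:\\Windows\\explorer.exe
2016-12-27T10:00:03|4412|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2016-12-27T10:05:00|1234|C:\\Windows\\System32\\cmd.exe
2016-12-27T11:00:00|1234|C:\\Windows\\System32\\notepad.exe
"""

def _image_name(path):
    """Lower-case basename of a Windows path, without the '.exe' suffix."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def find_mass_killers(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map killer pid -> sorted names of listed tools it terminated, for every pid
    that killed at least `threshold` distinct listed tools inside one `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, pid, victim = line.split("|", 2)
        name = _image_name(victim)
        if name in KILLED_BY_DERIALOCK:
            events[pid].append((datetime.fromisoformat(ts), name))
    hits = {}
    for pid, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window anchored at each event
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                hits[pid] = sorted(names)
                break
    return hits

def is_persistence_path(path):
    """True if `path` is the Startup-folder SystemLock.exe location from the page."""
    return path.replace("/", "\\").lower().endswith(PERSISTENCE_SUFFIX)
```

A single termination of one of these tools is normal on any host; the signal is one process killing several of them in quick succession, which is why the check aggregates per killer pid over a time window.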

Dealing with the DeriaLock Ransomware

The DeriaLock Ransomware requires .NET Framework 4.5, so it will not affect computers running the Windows XP operating system. Newer versions of the DeriaLock Ransomware add the .deria file extension to the victim's files. It seems, however, that the DeriaLock Ransomware still does not encrypt the victim's files but simply changes their extensions. It is not unlikely that newer versions of the DeriaLock Ransomware that include an encryption engine will be released. PC security researchers have noted that there are ways to recover from the DeriaLock Ransomware. Malware analysts advise starting Windows using an alternate startup method to bypass the DeriaLock Ransomware screen locker. Once access to the affected computer has been regained, a reliable, fully up-to-date security program should be capable of detecting and removing the DeriaLock Ransomware infection.

File System Details

DeriaLock Ransomware may create the following file(s):
  #   File Name                 MD5                               Detections
  1.  Endermanch@DeriaLock.exe  0a7b70efba0aa93d4bc0857b87ac2fcb  37
  2.  file.exe                  0c1295f0e9b94abd144c9788cb84dcf9  0
  3.  file.exe                  c81e14e4f0b40cf7f7c1e6f515d88815  0
