
KoreanLocker Ransomware

By GoldSparrow in Ransomware

The KoreanLocker Ransomware is a file encryption Trojan based on the infamous HiddenTear project, which Utku Sen published in August 2015 as an educational ransomware project. However, the project's code has since been copied many times by third parties with ill intentions. The KoreanLocker Ransomware joined this largest family of file encoders on January 8th, 2018. Its payload was found to be a fake PDF document with a double extension, delivered to PC users as an attachment to spam emails. Double-clicking the file triggers a UAC (User Account Control) prompt, and choosing 'Yes' allows the KoreanLocker Ransomware Trojan to install itself on the primary system partition. Lab tests of the KoreanLocker Ransomware showed that it proceeds to encipher data containers with the following extensions:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

Media content creators and users who work with text, presentations, and spreadsheets may notice that the KoreanLocker Ransomware makes objects unreadable, which causes read errors in the programs used to edit the targeted files. You can discern the enciphered objects by their names, which carry the '.locked' suffix. For example, 'Bran Castle.png' is renamed to 'Bran Castle.png.locked.' It is not known exactly how long KoreanLocker takes to encipher the targeted objects, but the attack does not last more than half an hour in most cases. The last steps the threat takes are eliminating the Shadow Volume snapshots and loading the ransom note onto the victim's desktop. The ransom notification is a simple note titled 'README.txt,' which can be found in the Documents library and the desktop folder. The message is written in Korean and directs users to pay 1 Bitcoin (≈15,202 USD/12,737 EUR) to the wallet 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v. An email is then to be sent to 'powerhacker03@hotmail.com,' and the senders need to wait for a decryptor to arrive in their email inboxes.
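As an added illustration (not code from this page or from any AV vendor), the following Python triage helper checks a directory tree for the artefacts described above: the double-extension lure, files renamed with the '.locked' suffix, and the 'README.txt' ransom note. The executable extensions it looks for behind the fake document name are an assumption, and the sample tree it builds is constructed data.

```python
import os
import tempfile
from pathlib import Path

# Subset of the extensions the page lists as KoreanLocker targets.
TARGET_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".png", ".jpg", ".mp4", ".sql", ".zip", ".py"}
# Outer extensions a double-extension lure may carry (assumption: the page only says "double extension").
EXEC_EXTS = {".exe", ".scr", ".com", ".js", ".vbs", ".bat"}
RANSOM_NOTE = "README.txt"      # note name from the page
LOCKED_SUFFIX = ".locked"       # suffix from the page


def is_double_extension_lure(filename: str) -> bool:
    """True for names like 'invoice.pdf.exe': a document extension hiding an executable one."""
    suffixes = [s.lower() for s in Path(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in TARGET_EXTS


def original_name(locked_name: str) -> str:
    """Undo the rename the page describes: 'Bran Castle.png.locked' -> 'Bran Castle.png'."""
    name = os.path.basename(locked_name)
    return name[:-len(LOCKED_SUFFIX)] if name.lower().endswith(LOCKED_SUFFIX) else name


def triage(root: str) -> dict:
    """Walk `root` and collect '.locked' files, README.txt notes, lures and the affected extensions."""
    locked, notes, lures = [], [], []
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if f.lower().endswith(LOCKED_SUFFIX):
                locked.append(full)
            elif f == RANSOM_NOTE:
                notes.append(full)
            elif is_double_extension_lure(f):
                lures.append(full)
    exts = sorted({Path(original_name(p)).suffix.lower() for p in locked})
    # Renamed files sitting next to a README.txt is the post-encryption picture the page gives.
    return {"locked": locked, "notes": notes, "lures": lures,
            "original_exts": exts, "likely_encrypted": bool(locked and notes)}


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data) so the triage can run offline."""
    root = tempfile.mkdtemp(prefix="koreanlocker_demo_")
    docs = Path(root, "Documents"); docs.mkdir()
    for name in ("Bran Castle.png.locked", "budget.xlsx.locked", "notes.txt"):
        (docs / name).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed placeholder for the ransom note")
    Path(root, "Downloads").mkdir()
    Path(root, "Downloads", "invoice.pdf.exe").write_bytes(b"MZ")
    return root
```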

Malware researchers advise caution and recommend refraining from negotiations with the KoreanLocker operators. Funding the development of new versions of KoreanLocker and risking your money is not something we would encourage. The KoreanLocker Ransomware may run as 'hidden-tear.exe' on compromised devices, and AV companies may use the following detection names for objects created and used by the Trojan:

  • FileRepMetagen [Malware]
  • Gen:Heur.Ransom.HiddenTears.1
  • Ransom.HiddenTear/Variant
  • Ransom_CRYPTEAR.SM0
  • Ransomware-FTD!B067635D568F
  • TrojWare.MSIL.Ransom.Ryzerlo.A
  • Trojan.Encoder.10598
  • Trojan.Win32.Z.Ransom.216576.U
  • Trojan/Win32.Agent.R170959
  • W32/S-9f9d40c6!Eldorado
  • malicious_confidence_100% (W)

The ransom message displayed to compromised PC users reads (translated version):

'Your computer is infected with Ransomware
Your personal files, such as photos, documents, videos and other important documents, are encrypted using strong encryption algorithms called RSA-2048
Your private key is created and stored on our server
No one can decrypt your files forever.
And I guarantee you will never be able to decrypt without a private key.
Again, there is no way to pay for a bit coin and decode it
Be sure to check the bit coin address assigned to you. If you send it by mistake, it will not recover and your bit coin will disappear
You have to pay in '24 hours'
Be sure to check your personal ID
If you do not pay within that time, your private key will be automatically deleted from our server
Please keep in mind
Bit coin address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Create a bit coin purse and send us a bit coin (1BTC) to our bit coin address.
Follow the three steps to restore your files
Do not waste your time.
The explanatory document (.txt) in the folder to which the encrypted files belong is not a virus. Explanation document (.txt) will help you decrypt the files.
You can see a document (.txt) about restoring files in the folder where the encrypted files belong
We are not good people. But in a part of the story,
Please note that the worst has already happened and that the fate of the files will depend on your judgment and quick action.
Additional information:
1) Payment is only possible with bit coin. Therefore, buy 1-bit coin (1BTC) through BITC. Then transfer the 1-bit coin (1BTC) to the screen (Random Note) bitcoin address
2) Please send your personal ID to the official e-mail address below.
3) Please complete the payment and send us an e-mail, and we will send your decryption tool and private key to the e-mail of the day
4) Please send a bit coin and mail your personal ID to Korea official e-mail address.
***
Private key is the key to decrypting and recovering your files
The public key was used to encrypt your file
Official address: www.bithumb[.]com
Official address: www.coinone[.]com
Official address: www.localbitcoins[.]com
The explanatory document (.txt) in the folder to which the encrypted files belong is not a virus. Explanation document (.txt) will help you decrypt the files.
Bit coin address: 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v
Official Mail: powerhacker03@hotmail.com
***
Best Regards
Korean Ransomware Team'
