Locker Virus

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 406
First Seen: May 26, 2015
Last Seen: May 1, 2023
OS(es) Affected: Windows

The Locker Ransomware is a variant of encryption ransomware that has been linked to Cryptolocker and similar attacks. However, several characteristics specific to the Locker Ransomware have not been observed before in connection with other attacks. The core of the attack is nevertheless the same as in other encryption ransomware: the Locker Ransomware targets the victims' computers, takes them hostage by encrypting their files, and demands a fee in exchange for the decryption key.

The Locker Ransomware – The New Name of an Old Tactic

The Locker Ransomware may carry a version number of the form x.xx, with a random numeral in the place of each x. The Locker Ransomware targets image files and Microsoft Office documents. Curiously enough, the Locker Ransomware does not target all files. For example, the Locker Ransomware will encrypt .jpg files but will not encrypt files with the extension .JPG, even though both are the same file type and differ only in the case of the extension.

One curious aspect of the Locker Ransomware is that it has a fuse: rather than attacking right away, it lies dormant until a set time. This means that it may be very difficult for computer users to pinpoint exactly which downloaded file contains the Locker Ransomware components. Although it has not been confirmed exactly which files are being used to distribute the Locker Ransomware, it tends to attack computer users running Google Chrome, and these attacks have been associated with a cracked version of the popular game Minecraft released by TeamExtreme and with various websites for streaming sports. The Locker Ransomware attack was activated automatically on May 25th at midnight, according to the infected computer's system clock. The Locker Ransomware may trigger at other times, but a rash of Locker Ransomware attacks happened exactly on this date and time.

Exactly at midnight on May 25th, 2015, a Windows service named ldr.exe and an application named rkcl.exe were executed automatically, encrypting the victim's files and locking them away. A message then appeared indicating that computer users had 72 hours to recover their files by making a payment of 0.1 Bitcoin. This payment is substantially less than what is demanded by other similar encryption threats. This may indicate that the Locker Ransomware is being used to target a different set of computer users, or that the creation and management of these attacks are becoming more widespread. The Locker Ransomware blocks System Restore and prevents other recovery methods, such as restoring encrypted files from Shadow Volume Copies.

Is the Locker Ransomware Hiding in Your Computer?

If you suspect that the Locker Ransomware is waiting to unleash its attack on your computer, PC security researchers recommend searching the ProgramData folder on your main drive. The Locker Ransomware will create folders named Digger, tor, steg, and rkcl. Steg, in particular, is created before the Locker Ransomware activates, meaning that it can be a good indicator for detecting the presence of the Locker Ransomware on a computer.
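As an added example, not part of the original article, the following PowerShell triage script checks a Windows host for the indicators described above: the Digger, tor, steg and rkcl folders under ProgramData, running ldr.exe or rkcl.exe processes, and any installed service whose binary path points at ldr.exe. The folder and executable names come from the article; the service lookup through Win32_Service is an assumption about how ldr.exe would be registered.

```powershell
# Added example (not from the original article): read-only triage check for
# the Locker Ransomware indicators named in the text. Run from an elevated
# PowerShell prompt so that all ProgramData folders and services are visible.
$indicatorFolders   = @('Digger', 'tor', 'steg', 'rkcl')  # folders from the article
$indicatorProcesses = @('ldr', 'rkcl')                    # ldr.exe and rkcl.exe
$programData        = $env:ProgramData                    # normally C:\ProgramData

$findings = @()

# 1. Indicator folders. 'steg' is created before activation, so it is the most
#    useful early sign; 'tor' alone is weaker because other software may use it.
foreach ($name in $indicatorFolders) {
    $path = Join-Path $programData $name
    if (Test-Path -LiteralPath $path -PathType Container) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type    = 'Folder'
            Name    = $path
            Created = $item.CreationTime
        }
    }
}

# 2. Running indicator processes. StartTime can be inaccessible for processes
#    owned by another user, so failures are tolerated.
foreach ($name in $indicatorProcesses) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Type    = 'Process'
            Name    = "$($_.ProcessName).exe (PID $($_.Id))"
            Created = $(try { $_.StartTime } catch { $null })
        }
    }
}

# 3. Services whose binary is ldr.exe (assumption: the article says ldr.exe ran
#    as a Windows service, so its image path would appear in Win32_Service).
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match '\\ldr\.exe' } | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Service'; Name = "$($_.Name) -> $($_.PathName)"; Created = $null }
}

if ($findings.Count -eq 0) {
    Write-Output "No Locker Ransomware indicators found under $programData."
} else {
    Write-Warning "Possible Locker Ransomware indicators found; isolate the host and preserve these items for analysis."
    $findings | Format-Table -AutoSize
}
```

A folder hit before the midnight trigger is the window in which a backup can still be taken and the machine disconnected, which is why the folder check runs first.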

Prevention and Recovery from the Locker Ransomware Infection

The best way to protect your files from threats like the Locker Ransomware is to back them up regularly to a cloud service or an external hard drive. If your computer is synced automatically with a cloud backup service, encrypted or corrupted versions of files may overwrite the good copies, so steps to prevent this, such as keeping versioned or offline backups, may need to be taken. Your computer should be protected by a strong security application that is fully up-to-date. In most cases, an anti-virus program is capable of removing the Locker Ransomware infection from your computer. However, it will not be able to help you recover your files. Although paying the Locker Ransomware's ransom may help you recover them, there is no guarantee that its developers will deliver on their word.
