ULocker Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 2 |
| First Seen: | October 3, 2012 |
| Last Seen: | January 21, 2022 |
| OS(es) Affected: | Windows |
Ulocker is a family of ransomware Trojans that use fake messages from the police in order to scare inexperienced computer users into paying substantial fees. It is easy to differentiate malware in the Ulocker family from other ransomware Trojans because they use a characteristic image that includes a background that includes a large picture of a padlock. ESG security researchers strongly advise computer users to disregard the Ulocker message and to remove this threat from their computer. It is important to remember that ransomware Trojans in the Ulocker family have absolutely no connection with the police and are instead part of a well known online scam that criminals use to prey on inexperienced computer users.
Malware in the Ulocker Family Adapts to the Infected Computer's Geographical Location
ESG security researchers have observed that the Ulocker installation process is affected by the infected computer's geographical location. This has allowed the criminals behind the Ulocker infection to adapt their ransomware attack to computers in different countries, displaying threatening messages from the police in each country's language and referring to that country's main police force. This is done during installation. When the Ulocker Trojan is installed, Ulocker detects the victim's computer's geographical location by analyzing the gate and IP data. Once this is done, Ulocker connects to a remote server and downloads text corresponding to the country code gleaned from the data. This text is superimposed on Ulocker's characteristic picture of a padlock. There are numerous variants of the Ulocker family of ransomware Trojans, corresponding mostly to the largest countries in the European Union.
Ulocker uses a scam that is well known and not difficult to understand. Basically, Ulocker threatens computer users by claiming that their computers were involved in illegal activities such as distributing child pornography. Although the Ulocker message threatens the victim with jail time, Ulocker allegedly is part of a law enforcement operation that claims that the victim must pay a substantial fine if they wish to avoid prosecution. This ransom is typically paid using a money transfer service. Common money transfer services that criminals use to demand payment include MoneyPak (mostly for North America), PaySafeCard, and Ukash. This last money transfer service, in particular, is so widely used by many ransomware Trojans that these kinds of malware infections are often referred to as 'Ukash Virus' or 'Ukash Ransomware.'
