
New ColdLock Ransomware Strikes in Taiwan

A seemingly new strain of ransomware was used in early May 2020 in an attack on Taiwanese organizations. It appears that the ransomware is a member of an entirely new family, as it bears only minor similarities to existing ransomware families. Researchers have named the new strain ColdLock.

ColdLock - A Ransomware Threat with Some Familiar Tricks

The attack affected only organizations located in Taiwan, and there is no evidence of any victims beyond the few that were specifically targeted. The infiltration vector is not clear yet, but experts believe the attackers took over their victims' Microsoft Active Directory servers, modified group policies and used them to push the payload onto the systems.

Even though researchers consider the new ColdLock ransomware a separate strain, they also pointed out certain similarities between ColdLock and existing ransomware families, namely the Freezing ransomware, LockerGoga and the open-source EDA2 ransomware, which itself was based on HiddenTear. The new ransomware shares the same encrypted file extension with LockerGoga (.locked), but this extension is not exclusive to LockerGoga and is used by a number of other threats. The connection to Freezing is much more reliable: ColdLock uses a similar method of spreading itself over infected networks and has similarities in its module architecture.

ColdLock's payload is delivered as a .NET executable, packed and encrypted with ConfuserEx. The ransomware carries out a number of checks and preparation routines, checking if it has already infected the system and shutting down a number of processes and services. The list of extensions that ColdLock encrypts varies significantly and depends on a number of different checks and criteria that the ransomware determines on the fly. The ransom note appears in a number of different locations on the infected systems, including the desktop and startup items.
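Two of the observable traces described above, files renamed with the .locked extension and a ransom note dropped on the desktop and in startup items, are enough for a simple host-side triage check. The following script is an added example, not code from the article or from any ColdLock analysis: it walks a user profile directory, counts .locked files and looks for note-like text files in the desktop and Startup folders. The folder layout, the keyword list used to recognise a note and the count threshold are assumptions chosen for illustration, and the sample profile it builds is constructed test data.

```python
"""Added example: triage a user profile for ColdLock-style traces.

Indicators taken from the article: files ending in ".locked" and a ransom
note placed on the desktop and among startup items. Everything else
(folder names, keyword heuristic, threshold) is an assumption for the demo.
"""
import tempfile
from pathlib import Path

LOCKED_EXT = ".locked"  # extension the article reports for encrypted files

# Profile-relative folders where the article says the note appears (assumed layout).
NOTE_DIRS = (
    "Desktop",
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
)

# Constructed keyword heuristic; ColdLock's actual note text is not given on the page.
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin")
NOTE_SUFFIXES = (".txt", ".html", ".hta")


def find_locked_files(root: Path) -> list:
    """Return every regular file under root whose final extension is .locked."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() == LOCKED_EXT)


def find_note_candidates(profile: Path) -> list:
    """Return text-like files in the note folders whose body mentions a ransom keyword."""
    hits = []
    for rel in NOTE_DIRS:
        folder = profile / rel
        if not folder.is_dir():
            continue
        for p in folder.iterdir():
            if not (p.is_file() and p.suffix.lower() in NOTE_SUFFIXES):
                continue
            try:
                body = p.read_text(errors="ignore").lower()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if any(word in body for word in NOTE_KEYWORDS):
                hits.append(p)
    return sorted(hits)


def assess(profile: Path, locked_threshold: int = 5) -> dict:
    """Combine both indicators into a verdict for one user profile.

    A handful of .locked files could be legitimate, so the count must reach
    locked_threshold; any note candidate alone is enough to flag the profile.
    """
    locked = find_locked_files(profile)
    notes = find_note_candidates(profile)
    suspicious = len(locked) >= locked_threshold or bool(notes)
    return {
        "locked_count": len(locked),
        "note_paths": [str(p.relative_to(profile)) for p in notes],
        "verdict": "suspected-ransomware" if suspicious else "clean",
    }


def build_sample_profile(infected: bool = True) -> Path:
    """Construct a throwaway profile directory for the demo (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="coldlock_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("ordinary document, nothing to see")
    for rel in NOTE_DIRS:
        (root / rel).mkdir(parents=True)
    if infected:
        for i in range(6):  # six encrypted documents, above the default threshold
            (docs / f"report{i}.docx{LOCKED_EXT}").write_bytes(b"\x00" * 16)
        note = "Your files have been encrypted. Pay in bitcoin to decrypt them."  # constructed
        for rel in NOTE_DIRS:
            (root / rel / "HOW_TO_RECOVER.txt").write_text(note)
    return root


if __name__ == "__main__":
    for label, flag in (("infected", True), ("clean", False)):
        print(label, assess(build_sample_profile(infected=flag)))
```

Running the script prints a verdict for a constructed infected profile and a clean one. In practice the threshold would be tuned per environment and the check pointed at every profile under C:\Users, and the keyword list replaced with the note text recovered from an actual sample.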
