
ColdLock Ransomware

By GoldSparrow in Ransomware

The ColdLock Ransomware is a file-locking Trojan that cybersecurity researchers spotted recently. It appears to target businesses only: so far it has been deployed against several companies located in Taiwan, although its reach may expand in the future. Most of the affected data belonged to the companies’ databases and email servers.

Propagation and Encryption

Cybersecurity researchers believe that the authors of the ColdLock Ransomware may be gaining access through exposed or weakly secured RDP (Remote Desktop Protocol) services and planting the threat on the targeted systems manually. Once it is on the host, the ColdLock Ransomware scans the system’s contents. It is programmed to target only certain work-related file types, which is unusual: most ransomware encrypts as broad a set of files as possible to ensure maximum damage. Instead of encrypting media such as music and videos, the ColdLock Ransomware searches for databases, archives, documents, and source and script files with extensions such as .JAVA, .HWP, .PHP, .HTML and .SH, among other related extensions.

The Ransom Note

The ColdLock Ransomware drops four ransom messages on the target’s system. Three of the four files are named ‘How To Unlock Files.txt,’ while the fourth is called ‘readme.tmp’ and is placed in the %APPDATA% directory. The ColdLock Ransomware also changes the user’s wallpaper to an image that directs the user to the ransom note named ‘How To Unlock Files.txt.’ Victims report slight differences in the ransom message they received, and it appears that each victim is given a unique contact email address. Two of the reported email addresses associated with the ColdLock Ransomware are ‘AleksanderEmelianenko@protonmail.com’ and ‘AleksanderEmelianenko@tutanota.com.’
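The two details above that an incident responder can act on are the ransom-note file names and the narrow set of work-related extensions the Trojan goes after. The following triage helper is an added example and not code from the original write-up or from the threat itself: it walks a directory tree, reports any file matching the two note names, and counts files whose extensions fall in the article's (partial) target list, so that a responder can quickly confirm a hit and estimate scope. The extension list is the five from the article, the sample directory layout built by `build_sample_tree()` is constructed for illustration, and the file contents are placeholders.

```python
"""Added triage helper for ColdLock indicators (example code, not from the article).

Reports ransom-note files by name and counts files with the work-related
extensions the article says the Trojan targets. Everything under
build_sample_tree() is constructed sample data."""
import os
import tempfile
from collections import Counter

# Ransom-note file names reported for ColdLock (from the article).
RANSOM_NOTE_NAMES = {"how to unlock files.txt", "readme.tmp"}

# Extensions the article lists as targeted; the article says the real list
# also includes "other related extensions", so treat this as partial.
TARGETED_EXTENSIONS = {".java", ".hwp", ".php", ".html", ".sh"}


def triage(root):
    """Return (sorted ransom-note paths, Counter of targeted extensions) under root.

    Matching is case-insensitive on both the note names and the extensions,
    since the article reports the names in mixed case."""
    notes = []
    counts = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGETED_EXTENSIONS:
                counts[ext] += 1
    return sorted(notes), counts


def build_sample_tree():
    """Create a constructed directory layout resembling an affected host.

    Returns the temporary root directory. The file contents are placeholders."""
    root = tempfile.mkdtemp(prefix="coldlock_triage_")
    layout = {
        "www/index.php": "<?php echo 'hi'; ?>",
        "www/about.html": "<html></html>",
        "src/App.java": "class App {}",
        "scripts/deploy.sh": "#!/bin/sh\n",
        "scripts/How To Unlock Files.txt": "placeholder note text",
        "AppData/Roaming/readme.tmp": "placeholder note text",
        "media/song.mp3": "",  # media is not in the targeted set
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    found_notes, ext_counts = triage(sample)
    print("ransom notes:", found_notes)
    print("targeted files by extension:", dict(ext_counts))
```

Run it against a real share or host by calling `triage("/path/to/scan")` instead of the constructed tree; a non-empty note list is the confirmation, and the extension counts give a first estimate of how much work-related data sits in the Trojan's target set. The count is an upper bound, not a list of encrypted files, because the article does not report what ColdLock does to a file's name or extension after encrypting it.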

The attackers offer no proof that they are able to recover the encrypted data, and the note does not state a ransom amount. Given the nature of the attacks and the high-profile targets, the authors of the ColdLock Ransomware are likely after a hefty sum, plausibly in the tens of thousands of dollars. It is advisable not to negotiate with or pay the attackers, since payment does not guarantee recovery. Instead, isolate the affected hosts, restore from clean backups where available, and use a trustworthy anti-virus solution to remove the ColdLock Ransomware from your system for good.
