
FilesLocker Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: December 6, 2018
Last Seen: July 23, 2019
OS(es) Affected: Windows

The FilesLocker Ransomware is an encryption ransomware Trojan that was first observed on December 3, 2018. The FilesLocker Ransomware is commonly delivered through corrupted online file downloads. The purpose of the FilesLocker Ransomware, after its installation, is to make the victim's files inaccessible, take them hostage and then demand a ransom payment from the victim.

How the FilesLocker Ransomware Attack Works

The FilesLocker Ransomware uses AES-256 encryption to make the victim's files inaccessible. The attack targets user-generated files, which may include a wide variety of media files, databases and documents. The FilesLocker Ransomware will encrypt files with the extensions listed below:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The FilesLocker Ransomware delivers a ransom note by changing the infected computer's desktop image. The new desktop wallpaper contains a ransom note written both in English and Chinese, which reads as follows:

'All your important files have been encrypted!
IF you understand the seriousness of the situation
Please read '#DECRYPT MY FILES#.txt' on the desktop to contact us.'

The text file containing the ransom note and a program window named 'FilesLocker v2.0' both display the following message on the victim's computer:

'All your importnat files are encrypted!
#What happened?
All your important files (database,documents,images,videos,music,etc.) have been encrypted!and only we can decrypt!
To decrypt your files,you need to buy the decryption key from us.We are the only one who can decrypt the file for you.
#Attention!
Trying to reinstall the system and decrypting the file with a third-party tool will result in file corruption,which means no one can decrypt your file.(including us),if you still try to decrypt the file yourself,you do so at your own risk!
#Test decryption! As a proof,you can email us 3 files to decrypt,and we will send you the recovered files to prove that we can decrypt your files.
#How to decrypt?
1.Buy 0.25 Bitcoin
2.Send 0.25 Bitcoin to the payment address
3.Email your ID to us,after verification,we will create a decryption tool for you.
Remember,bad things have happened,now look at your determination and action!
Email 1 fileslocker@pm.me [Copy|BUTTON]
Your ID: [random characters] [Copy|BUTTON]'

Dealing with the FilesLocker Ransomware

The FilesLocker Ransomware ransom is close to 1,000 USD, to be paid in digital currency. However, the advice is to avoid paying the ransom or contacting the criminals responsible for the FilesLocker Ransomware attack. Instead, any possible victims should take steps to ensure that they can restore any files compromised by these attacks, such as keeping backup copies of all files and storing these copies in the cloud or on an external memory device that is updated constantly.

Update December 31st, 2018 — FilesLocker-Christmas Ransomware

The FilesLocker-Christmas Ransomware is a file encoder Trojan that appeared shortly after Christmas and managed to encode data on many devices. The FilesLocker-Christmas Ransomware was distributed via spam emails that included Christmas-styled digital cards and fake social media updates. The FilesLocker-Christmas Ransomware may be referred to as FilesLocker v2.0 Ransomware by cybersecurity researchers since it is a new variant of the recently released FilesLocker Ransomware (December 3rd, 2018). The new variant is known to encode photos, text, databases, and small audio and video files. The attack follows a Christmas theme where the user's desktop is changed to a festive background image featuring Christmas tree decorations and the following message:

'All your important files have been encrypted!
if you understand the importance of the situation
Please read the "#DECRYPT MY FILES#.txt" on the desktop to contact us'

Also, the FilesLocker-Christmas Ransomware uses the built-in speech synthesizer in Windows 10 to read the following statement:

'Hello, Merry Christams, Attention! Your documents, images, databases and other important files have been encrypted! Your documents, images, databases and other important files have been encrypted! Your documents, images, databases and other important files have been encrypted! Your documents, images, databases and other important files have been encrypted!'

The encoded data retains its original extension, but the file icons are changed, and a ransom note is placed on the desktop. As shown above, the threat actors use a file called '#DECRYPT MY FILES#.txt' to send a message to the users and offer decryption services. The threat actors continue to use the 'fileslocker@pm.me' email account, but the ransom notification is a little different. The FilesLocker-Christmas Ransomware raises the ransom payment from 0.25 Bitcoin (≈950 USD) to 0.3 Bitcoin (≈1,140 USD). The notification from the FilesLocker-Christmas Ransomware reads:

'FilesLocker Ransomware v2.0
All your important files are encrypted!
#What happened?
All your important files (database,documents,images,videos,music,etc.) have been encrypted!and only we can decrypt!
To decrypt your files,you need to buy the decryption key from us.We are the only one who can decrypt the file for you.
#Attention!
Trying to reinstall the system and decrypting the file with a third-party tool will result in file corruption,which means no one can decrypt your file.(including us),if you still try to decrypt the file yourself,you do so at your own risk!
#Test decryption! As a proof,you can email us 3 files to decrypt,and we will send you the recovered files to prove that we can decrypt your files.
#How to decrypt?
1.Buy 0.3 Bitcoin
2.Send 0.3 Bitcoin to the payment address
3.Email your ID to us,after verification,we will create a decryption tool for you.
Email:fileslocker@pm.me'

However, computer security researchers note that the private decryption key needed to restore the affected data can be found within the ransomware's code. AV companies might release a free decryptor by the time you are reading this article. The private key from the FilesLocker-Christmas Ransomware (a.k.a. FilesLocker v2.0) might also be applied to data encrypted by the FilesLocker v1.0 Ransomware. It is best to install a backup manager on your system and avoid relying on the decryption services sold by the FilesLocker developers.


File System Details

FilesLocker Ransomware may create the following file(s):

File Name: file.exe
MD5: 1ccde80616dcf0c0f00603ec35a1d564
Detections: 1
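
A triage sketch built from the indicators this page lists (the ransom note name, the contact address and the MD5 of file.exe), added here as an example and not taken from any vendor tool; the function names, the size limit and the choice to hash only .exe files are assumptions. Because the v2.0 variant keeps the original file extensions, it looks for the note and the known hash rather than for renamed files.

```python
import hashlib
import os

# Indicators taken from this page; names and limits below are illustrative.
NOTE_NAME = "#DECRYPT MY FILES#.txt"
CONTACT = b"fileslocker@pm.me"
DROPPER_MD5 = "1ccde80616dcf0c0f00603ec35a1d564"
MAX_HASH_BYTES = 64 * 1024 * 1024  # assumption: skip hashing very large files


def md5_of(path, chunk=1 << 20):
    """Stream the file; MD5 only because that is the hash the page publishes."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, known_md5=DROPPER_MD5):
    """Walk root and return sorted (indicator, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.lower() == NOTE_NAME.lower():
                    findings.append(("ransom_note_name", path))
                    with open(path, "rb") as fh:
                        head = fh.read(65536)
                    # Dropping NUL bytes lets a UTF-16 note match as well.
                    if CONTACT in head.replace(b"\x00", b"").lower():
                        findings.append(("contact_address", path))
                elif name.lower().endswith(".exe"):
                    small = os.path.getsize(path) <= MAX_HASH_BYTES
                    if small and md5_of(path) == known_md5.lower():
                        findings.append(("known_md5", path))
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for indicator, found in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{indicator}\t{found}")
```

A hit on the note name alone is enough to start incident handling; the single published MD5 will not match repacked samples, so an empty result does not clear a host.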
