
KwaakLocked Ransomware

By GoldSparrow in Ransomware

The KwaakLocked Ransomware is a ransomware Trojan that appears to be one of the many variants of HiddenTear in use today to attack computer users. HiddenTear is an open source ransomware platform released in 2015 that has spawned countless variants since. The KwaakLocked Ransomware is a fairly generic HiddenTear variant with little to differentiate it from the many other threats derived from this source. Judging from its distribution campaign and from its code, the KwaakLocked Ransomware seems to target computer users located in Korea or who speak Korean.

How the KwaakLocked Ransomware Attacks a Computer

The KwaakLocked Ransomware is typically delivered to victims as a malicious Microsoft Word attachment distributed through spam emails. When the victim opens the file, an error message is displayed while embedded macro scripts download and install the KwaakLocked Ransomware on the victim's computer. Once installed, the KwaakLocked Ransomware scans the affected computer for various types of user-generated files and uses AES-256 encryption to make them inaccessible. The decryption key needed to recover the affected files is stored on the KwaakLocked Ransomware's Command and Control servers, and there is currently no way of obtaining it from the affected computer. The encrypted files are easy to recognize because the KwaakLocked Ransomware appends the file extension '.kwaaklocked' to each affected file's name. The following file types are targeted by the KwaakLocked Ransomware and similar threats in these attacks:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.

The KwaakLocked Ransomware's Ransom Note and Demands

The KwaakLocked Ransomware encrypts the files and then delivers a ransom note. It takes the victim's files hostage, and its ransom note demands money in exchange for the decryption key needed to restore the affected files. The ransom note is a text file named 'READ_IT.txt' dropped on the infected computer's desktop. It contains the default HiddenTear text and includes neither an email address nor a Bitcoin wallet address, so the victim has no way to make a ransom payment (which makes it clear that the criminals have no intention of helping victims of the KwaakLocked Ransomware attack recover their data). The following is the text contained in the KwaakLocked Ransomware's ransom note:

'Files has been encrypted with kwaak
Send me some bitcoins'

The KwaakLocked Ransomware does not change HiddenTear's default process name, and it runs as 'hidden-tear.exe' on the infected computers. Because of the sparse ransom note and the bare-bones implementation of HiddenTear, PC security researchers suspect that the KwaakLocked Ransomware may still be unfinished or under development. In its current state, the KwaakLocked Ransomware effectively destroys the victim's data, since the files it encrypts cannot be recovered. Because of this, the best protection against the KwaakLocked Ransomware is to keep file backups on an external storage device or in the cloud. Backups allow the encrypted files to be recovered after an attack, once the KwaakLocked Ransomware and the encrypted copies of the affected files have been removed.
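An added triage helper for responders, not code from the article or from the HiddenTear project: given a directory tree, it lists every file renamed with the '.kwaaklocked' extension, derives the original names that must be restored from backup, and separates the genuine READ_IT.txt note (matched on the text quoted above) from unrelated files that merely share the name. The directory layout and file contents are constructed for the demo.

```python
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

EXT = ".kwaaklocked"                  # extension the Trojan appends to every hit
NOTE_NAME = "READ_IT.txt"             # ransom note dropped on the desktop
NOTE_MARKER = "encrypted with kwaak"  # phrase from the note quoted above


@dataclass
class Triage:
    encrypted: list = field(default_factory=list)      # renamed, encrypted files
    originals: list = field(default_factory=list)      # names to restore from backup
    notes: list = field(default_factory=list)          # genuine KwaakLocked notes
    unknown_notes: list = field(default_factory=list)  # same name, other content

    def by_type(self) -> Counter:
        """Count affected originals by their real extension, e.g. '.docx'."""
        return Counter(p.suffix.lower() for p in self.originals)


def triage(root: Path) -> Triage:
    """Walk `root` and collect every filesystem artifact of the infection."""
    t = Triage()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        if p.suffix == EXT:
            t.encrypted.append(p)
            # HiddenTear appends its extension to the original name; strip it
            # to get the path that has to be restored from a backup copy.
            t.originals.append(p.with_suffix(""))
        elif p.name == NOTE_NAME:
            text = p.read_text(errors="replace")
            (t.notes if NOTE_MARKER in text else t.unknown_notes).append(p)
    return t


def make_demo_tree(base: Path) -> Path:
    """Constructed sample profile: three hit files and two READ_IT.txt files."""
    for rel in ("Documents/budget.xlsx", "Documents/thesis.docx", "Pictures/holiday.jpg"):
        f = base / (rel + EXT)
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\x00\x11 constructed ciphertext")
    (base / "Desktop").mkdir()
    (base / "Desktop" / NOTE_NAME).write_text("Files has been encrypted with kwaak\nSend me some bitcoins")
    (base / "Documents" / NOTE_NAME).write_text("unrelated file that merely shares the name")
    return base


def run_demo() -> Triage:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(make_demo_tree(Path(tmp)))
```

Point `triage()` at a copied user profile rather than the live system so that the scan itself never touches the original artifacts.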
