Lockedfile Ransomware

The Lockedfile Ransomware is a file-locking Trojan that's from the Xorist Ransomware kit. Members of this family can stop files from opening by encrypting them; this variant's campaign extorts a ransom for data recovery over SMS, with an unknown price. Users can protect their digital media files by backing them up and removing the Lockedfile Ransomware with trusted cyber-security products.

A Free Trojan for Everyone Who Doesn't Want One

Freeware Trojans like Hidden Tear and the Xorist Ransomware are not as well-protected or maintained as a Ransomware-as-a-Service, but offer convenience as the benefit to the tradeoff. The Lockedfile Ransomware is a newer entry into the latter group, which continues the pattern of Hidden Tear's neglect in favor of alternatives that are more easily-customized or more effective for the time investment. This file-locking Trojan is a work-in-progress, but the worst of its payload performs precisely as its threat actor intends.

The Lockedfile Ransomware uses similarly-extortionist plans as other members of its ever-growing, free-to-use family, like the Dulgtv Ransomware, the Bl9c98vcvv Ransomware, the YaKo Ransomware, or the also-new Flubo Ransomware. It begins with locking the user's media files, such as documents, by encrypting them and injects its campaign extension into their names for tagging purposes. Xorist Ransomware variants usually are only on Windows environments and aren't widely-considered conveniently-portable to other operating systems.

Although this family includes a wallpaper-changing feature, malware experts have yet to confirm its use here. The Lockedfile Ransomware does happen to create a stereotypical pop-up alert: a description of the encryption attack, with a (probably fake) warning about media deletion for users who enter the wrong password and an SMS template for negotiations over buying the data's unlocking service from the threat actor.

It's noteworthy that the Lockedfile Ransomware, in its current state, isn't ready for 'the wild.' The Trojan uses a placeholder for its SMS information and any victims can't buy the decryptor.

Unexpected Benefits to Half-Done Payloads

A Trojan's payload not providing tangible ransoming information might be a blessing in disguise for any users on the other end of its attacks. Since Xorist Ransomware's family isn't a traditionally-maintained Ransomware-as-a-Service, there is a free decryption tool for restoring files. Users can unlock their work through it or ignore it in favor of recovering from their latest, unaffected backup.

The latter's efficiency is why malware researchers always encourage users to save their work onto other, protected devices. Doing so regularly will take any leverage out of the extortion scenarios of threats like the Lockedfile Ransomware. Readers also should remember that free decryptors are far from universal and that many Trojans come from families that lack them entirely.

Most cyber-security products will detect Xorist Ransomware members as threatening to the PC. Assuming they have access to these services, users can disinfect their systems by removing the Lockedfile Ransomware and stop drive-by-downloads and other exploits in their tracks.

The Lockedfile Ransomware is a problem for some unfortunate users that will worsen as its threat actor puts more work into it. With a ransom hidden from plain sight, there's little knowing how much this Trojan is worth to its author or how much someone's files are worth to them.