Locker Virus
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
Threat Level: | 100 % (High) |
Infected Computers: | 406 |
First Seen: | May 26, 2015 |
Last Seen: | May 1, 2023 |
OS(es) Affected: | Windows |
The Locker Ransomware is a variant of encryption ransomware infections that have been linked to Cryptolocker and similar attacks. However, there are several characteristics specific to the Locker Ransomware that have not been observed before in connection with other attacks. However, the main Locker Ransomware attack is similar to other encryption attacks in that the Locker Ransomware targets the victims' computers and then takes them hostage by encrypting its files and demanding a fee in trade for the encryption key.
Table of Contents
The Locker Ransomware – The New Nome of an Old Tactic
The Locker Ransomware may contain a version number with the form x.xx, with a random numeral in the place of each x. The Locker Ransomware targets image files and Microsoft Office documents. Curiously enough, the Locker Ransomware does not target all files. For example, the Locker Ransomware will encrypt .jpg files, but will not encrypt files with the extension .JPG, even though they are both the same.
One curious aspect of the Locker Ransomware is that the Locker Ransomware has a fuse, rather than attacking right away. This means that it may be very difficult for computer users to pinpoint exactly which file downloaded contains the Locker Ransomware components. Although it has not been confirmed exactly what files are being used to distribute the Locker Ransomware, it tends to attack computer users using Google Chrome and these attacks have been associated with a cracked version of the popular game Minecraft released by TeamExtreme and various Websites for streaming sports. The Locker Ransomware attack was activated automatically on May 25th at midnight, using the infected computer's system clock. The Locker Ransomware may trigger at other times, but a rash of the Locker Ransomware attacks happened exactly on this date and time.
Exactly at midnight of May 25th, 2015, a Window service by the name of ldr.exe and an application named rkcl.exe was executed automatically, encrypting the victim's files and locking them away. Then a message appeared indicating that computer users had 72 hours to recover their files by making a payment of 0.1 Bitcoin. This payment is substantially less than what is demanded by other similar encryption threats. This may indicate that the Locker Ransomware is being used to target a different set of computer users or that the creation and management of these attacks are becoming more widespread. The Locker Ransomware blocks System Restore and prevents other recovery methods such as bringing back Shadow Volume copies of encrypted files.
Is the Locker Ransomware Hiding in Your Computer?
If you suspect that the Locker Ransomware is waiting to unleash its attack on your computer, PC security researchers recommend searching the ProgramData folder on your main drive. The Locker Ransomware will create folders named Digger, tor, steg, and rkcl. Steg, in particular, is created before the Locker Ransomware activates, meaning that it can be a good indicator for detecting the presence of the Locker Ransomware on a computer.
Prevention and Recovery from the Locker Ransomware Infection
The best way to protect your files from threats like the Locker Ransomware is always to back them up using cloud or an external hard drive. If your computer is synced automatically with a cloud backup service, encrypted or corrupted versions of files may replace the good versions of your files, so steps to prevent this may need to be taken. Your computer should be protected by a strong security application that is fully up-to-date. In most cases, an anti-virus program is capable of removing the Locker Ransomware infection from your computer. However, it will not be able to help you recover your files. Although paying the Locker Ransomware's ransom may help you recover them, there is no guarantee that its developers will deliver on their word.