RandomLocker Ransomware

By GoldSparrow in Ransomware

The RandomLocker Ransomware is an encryption ransomware Trojan that PC security researchers first observed on April 27, 2018. The RandomLocker Ransomware is delivered through corrupted DOCX files attached to spam email messages. These files contain embedded macro scripts that download and install the RandomLocker Ransomware on the victim's computer. The spam email messages used to deliver threats like the RandomLocker Ransomware use social engineering techniques to trick victims into opening the attached file, which installs the threat on the affected computer.

There's Nothing Random about the RandomLocker Ransomware Attack

Threats like the RandomLocker Ransomware work by taking the victim's files hostage and then demanding a ransom payment from the victim. The RandomLocker Ransomware uses a strong encryption algorithm, generally AES, to make the victim's files inaccessible. The RandomLocker Ransomware targets user-generated files, which may include media files, documents, and a wide variety of other file types. The following are some of the file types that the RandomLocker Ransomware encrypts in its attack:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

Once the RandomLocker Ransomware finishes encrypting the files, they become unrecoverable. The affected files are easy to recognize because the RandomLocker Ransomware marks them with the file extension '.rand'.

The RandomLocker Ransomware's Ransom Note

The RandomLocker Ransomware delivers a ransom note and an application named 'Set Up Ransomware.' The RandomLocker Ransomware's ransom note is delivered in a program window named 'RandomLocker.' The victims are supposed to enter a decryption key into the application dropped by the RandomLocker Ransomware after they pay the ransom. The RandomLocker Ransomware's ransom note, delivered in a program window, contains the following message:

'Ooops, your files have been encrypted!
Encryption was produced using unique key generated for this computer.
To decrypt files, you need to otbtain private key.
The single copy of the private key, with will allow you to decrypt the files, is located on a secret server on the internet;
The server will destroy the key within 24 hours after encryption completed.
Payment have to be made withinn 24 hours
To retrieve the private key, you need to pay 10$ in BTC
Bitcoins have to be sent to this address: 3GPg3tgwZakR5uTELzjMJRj1NarxHH9YdJ
After you've sent the payment send us an email to randomlocker@tuta.io with subject: UNLOCK [unique ID number]
If you are not familiar with bitcoin you can buy it from here:
SITE: www[.]localbitcoin[.]com
After we confirm the payment, we will send the private key so you can decrypt your system.
FILES WIL BE DETELED IN
[24H COUNTDOWN TIMER]
[TEXT BOX] [Decrypt|BUTTON]'

The RandomLocker Ransomware demands a small ransom of about 10 USD. However, PC security researchers advise computer users to refrain from paying the RandomLocker Ransomware ransom. It is very unlikely that the people responsible for the RandomLocker Ransomware will help the victims restore their files and, even if they do, paying these ransoms allows these people to continue creating threats like the RandomLocker Ransomware and distributing them to other victims. Instead of paying the RandomLocker Ransomware ransom, malware analysts advise computer users to restore the affected files from file backups. These file backups can be kept in the cloud or on an independent memory device.
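To scope a restore from backups, the affected files can be inventoried by the '.rand' marker described above. The following Python script is an added example, not part of the original article; it assumes the marker is appended after the original file name (the article does not say how it is applied), and its function names and sample file names are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

MARKER = ".rand"  # extension the article says marks encrypted files
# Subset of the targeted file types listed in the article (not the full list).
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".sql", ".zip"}

def inventory(root):
    """Return {directory: [(encrypted_name, presumed_original, known_type)]}."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(MARKER):  # Windows names are case-insensitive
                continue
            # Assumption: the marker was appended, so stripping it gives the old name.
            original = name[:-len(MARKER)]
            ext = os.path.splitext(original)[1].lower()
            hits[os.path.relpath(dirpath, root)].append((name, original, ext in TARGETED))
    return dict(hits)

def restore_plan(root):
    """Split hits into backup paths to restore and marked files needing manual review."""
    by_name, review = [], []
    for directory, entries in sorted(inventory(root).items()):
        for encrypted, original, known in entries:
            if known:
                by_name.append(os.path.join(directory, original))
            else:
                # No recognisable inner extension: original name cannot be inferred.
                review.append(os.path.join(directory, encrypted))
    return by_name, review

def build_sample(root):
    """Constructed sample tree: empty files only, names invented for this example."""
    for rel in ("docs/report.docx.rand", "docs/notes.txt",
                "pics/photo.JPG.RAND", "db/export.rand"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        by_name, review = restore_plan(tmp)
        print("restore from backup:", by_name)
        print("manual review:", review)
```

Run `restore_plan` against a mounted copy or image of the affected volume and feed the first list to the backup tool as the set of paths to restore.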
