Sauron Locker Ransomware
The Sauron Locker Ransomware is a screen locker designed to target mobile devices. The Sauron Locker Ransomware was first observed on April 15, 2019. PC security researchers have studied the Sauron Locker Ransomware in detail after gaining access to a leaked version of its code. Using the Sauron Locker Ransomware, PC security researchers were able to access the Sauron Locker Ransomware's Command and Control Web panel and observe how the Sauron Locker Ransomware works.
Why the Sauron Locker Ransomware Encrypts the PC Users' Files
The sample of the Sauron Locker Ransomware Trojan that malware analysts observed has SHA-1 ed6b6b90c481375cb6eaffd7c46d2180ef09e6c9. It uses the file name 'nsdh.apk' in its distribution. This version of the Sauron Locker Ransomware Trojan was being distributed as a cracked version of 'Clash Royale', a popular mobile game developed by Supercell. While the official application for this mobile video game is available on the Google Play store and on iTunes for iOS devices, criminals distribute the Sauron Locker Ransomware by claiming that computer users can get a free, cracked version of this game through third-party websites. This is a common method of distributing malware, and computer users are strongly advised to take precautions and never download video games or any other software from these sources.
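The following is an added example, not part of the original write-up or of any vendor tool: a small Python sweep that checks a folder of downloaded or quarantined APK files against the SHA-1 and file name given above. The function names and the 'strong' versus 'weak' labels are assumptions made for illustration.

```python
import hashlib
import os

# Indicators taken from the write-up above.
KNOWN_SHA1 = "ed6b6b90c481375cb6eaffd7c46d2180ef09e6c9"
KNOWN_NAME = "nsdh.apk"


def sha1_of(path, chunk_size=1 << 20):
    """Stream the file so large APKs are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root):
    """Return (path, reason) pairs for every .apk under root that matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".apk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                file_hash = sha1_of(path)
            except OSError:
                # Unreadable files are reported rather than silently skipped.
                findings.append((path, "unreadable"))
                continue
            if file_hash == KNOWN_SHA1:
                findings.append((path, "sha1-match"))       # strong indicator
            elif name.lower() == KNOWN_NAME:
                findings.append((path, "name-only-match"))  # weak: needs review
    return findings


if __name__ == "__main__":
    import sys
    for path, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

A hash match identifies only this exact sample; a repackaged copy will have a different SHA-1, which is why a file that matches on name alone is still reported for manual review.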
How the Sauron Locker Ransomware Attack Works
The Sauron Locker Ransomware functions by locking victims' screens. When the Sauron Locker Ransomware is installed on the victim's device, the Sauron Locker Ransomware will create a lock screen that starts up as soon as the victim launches the threatening application used to distribute the Sauron Locker Ransomware. This particular version of the Sauron Locker Ransomware targets users located in Russian-speaking regions, since its lock screen displays a message in Russian. In the version observed by PC security researchers, the Sauron Locker Ransomware lock screen displays the following message:
'ВАШ ТЕЛЕФОН БЫЛ ЗАБЛОКИРОВАН
ПРОВЕРИТЬ ОПЛАТУ И РАЗБЛОКИРОВАТЬ'
The above message, translated from Russian to English, reads as follows:
'YOUR PHONE WAS BLOCKED
CHECK PAYMENT AND UNBLOCK'
The Sauron Locker Ransomware lock screen has a brand logo and a white strip in its design. Malware researchers have linked the Sauron Locker Ransomware to a digital currency miner that is also installed on the victim's device, eating up the victim's device's resources, data, and bandwidth as it uses these to mine for digital currency. The Sauron Locker Ransomware has geographical location components that allow it to demand ransom payments that change depending on the victim's location. Victims in Europe are charged a ransom of around 10 USD, while victims in the United States will be charged hundreds of US dollars in exchange for unlocking the affected device.
Protecting Your Device from Threats Like the Sauron Locker Ransomware
The Sauron Locker Ransomware is still in development and may not currently be distributed in its present form. Hackers and malware developers are generally aware of what PC security researchers have done to track their activities and may take steps to bypass some of the security measures instituted as a result of PC security analysts studying the Sauron Locker Ransomware's code. The best protection against threats like the Sauron Locker Ransomware is to download applications only from genuine sources such as the Google Play store or iTunes and to avoid cracked software and other suspicious file downloads. If your device becomes infected, it will be important to restore it to the factory settings and to refrain from paying any ransom, which does not guarantee in any way that the device will be clean of the infection.