
ShellLocker Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: November 18, 2016
Last Seen: August 14, 2021
OS(es) Affected: Windows

The ShellLocker Ransomware is a ransomware Trojan that has been associated with various attacks around the world. The ShellLocker Ransomware uses the .NET framework to carry out its attacks and is a clear copy of a known ransomware Trojan named 'Exotic.' Like most ransomware Trojans, the ShellLocker Ransomware will encrypt the victim's files to demand a ransom. The ShellLocker Ransomware will rename the files that have been encrypted with a string of random characters and the extension '.L0cked.' The ShellLocker Ransomware displays its ransom note in a pop-up window that appears on the victim's computer.

The ShellLocker Ransomware’s Attack and Ransom

The ShellLocker Ransomware demands a payment of $100 in Bitcoin in exchange for the means to decrypt the affected files. According to the ShellLocker Ransomware ransom note, if the payment isn't made within 48 hours, the files will ultimately be deleted. PC security analysts have not determined the exact nature of the ShellLocker Ransomware's encryption method, although it is highly likely that it uses AES-256 encryption, as most of these ransomware Trojans tend to do. Unfortunately, the files that have been encrypted by the ShellLocker Ransomware are not recoverable without the decryption key, which the con artists hold. However, PC security researchers strongly advise against paying the ShellLocker Ransomware ransom. There is little guarantee that the people responsible for the ShellLocker Ransomware attack will return access to the infected files; they may simply ask for more money, attempt to trick the victim, or ignore the requests altogether. The only way to restore the files that have been compromised by the ShellLocker Ransomware is to replace them with a backup copy, which makes backups especially important both for preventing and for recovering from ransomware attacks.

How the ShellLocker Ransomware Carries out Its Attack

The ShellLocker Ransomware may be delivered as a corrupted email attachment that takes advantage of vulnerabilities in the victim's applications to download and install the ShellLocker Ransomware. Once the ShellLocker Ransomware has been dropped onto the victim's computer, it will use its advanced encryption method to compromise the victim's files, searching for certain file types, preferring media files such as audio, video and image files. The ShellLocker Ransomware displays the following two variants of its ransom note, both of which include various spelling mistakes and typos:

'YOUR PC IS LOCKED BY the ShellLocker!
ALL YOUR PHOTOS, VIDEOS, MUSIC'S ARE ENCRYPTED, YOU HAVE - HOURS TO PAY 100 USD IN BITCOINS TO THE ADDRESS BELOW, AFTER - HOURS ALL YOUR FILES WILL BE GONE! WHEN YOU PAY THE MONEY IT WILL TAKE 30 MINUTES AND YOUR FILES WILL BE BACK. TRY SOMETHING FUNNY AND YOUR FILES WILL BE GONE. YOU CAN DELETE THE WIRUS BUT YOUR FILES ARE GONE TOO! HAVE A NICE DAY.'

'YOUR PC IS LOCKED BY the ShellLocker!
ALL YPUR PHOTOS, VIDEOS, MUSIC'S ARE ENCRYPTED, YOU HAVE
IV VIII HOURS TO PAY 100 USD IN BITCOINS TO THE ADDRESS
BELOW, AFTER IV VIII HOURS ALL YOUR FLES WILL BE GONE!
WHEN YOU PAY THE MONEY IT WILL TAKE 30 MINUTES AND YOUR
FILES WILL BE BACK. TRY SOMETHING FUNNY AND YOUR FILES WILL BE GONE.
YOU CAN DELETE THE VIRUS BUT YOUR FILES ARE GONE TOO!
HAVE A NICE DAY
BITCOIN ADDRESS: [a string of 34 random characters]'

Dealing with a ShellLocker Ransomware Attack

If your files have been compromised, it will be necessary to restore them from a backup. The best method is to wipe the affected hard drive completely and then reinstall everything. However, in cases where this is not viable, the ShellLocker Ransomware itself should be removed before the files are restored. Otherwise, computer users run the risk of having their backup copies encrypted by the ShellLocker Ransomware as well. A reliable security program that is fully up to date should be able to remove the ShellLocker Ransomware infection itself, although it will not help computer users recover their files after the attack.

Update December 17th, 2018 — PewDiePie Ransomware

The PewDiePie Ransomware is a variant of the ShellLocker Ransomware that emerged during the "rivalry" between the YouTube channel of PewDiePie and the India-based music label T-Series in December 2018. Mr. Felix Arvid Ulf Kjellberg, a.k.a. PewDiePie, is a YouTube persona famous for his significant community of followers, with almost no other channel coming close. However, in October of 2018, the YouTube channel of T-Series, one of India's leading music labels, gained enough followers to rival PewDiePie's channel. Many Web users campaigned to encourage others to subscribe to Mr. Felix Arvid Ulf Kjellberg's videos. In one case from November 2018, a hacker exploited vulnerable printers to print out a message about the exploited vulnerability along with an invitation to subscribe to PewDiePie's channel.

A similar sentiment is believed to be shared by the ShellLocker Ransomware developers, who have released the PewDiePie Ransomware via spam emails and pirated software shared on P2P networks. The PewDiePie Ransomware is observed to display a lock screen window on the infected devices and to encrypt images, audio, video, text and databases. The original threat promoted a decryptor priced at $100, which users were directed to pay in Bitcoin. The new variant is configured to produce a slightly altered lock screen message, include a countdown timer and show a link to h[tt]ps://www.youtube[.]com/channel/UC-lHJZR3Gqxm24_Vd_AJ5Yw, which is PewDiePie's channel address. Also, the encrypted data receives the '.PewDiePie' suffix, so a file such as 'Eminem-Without Me.mp3' is renamed to 'Eminem-Without Me.mp3.PewDiePie.' The lock screen by the PewDiePie Ransomware offers the following text:

'You have been Fucked By PewDiePie RansomWare.
You have 2 days to help PewDiePie win the battle against
TSeries by subscribing.
The only thing you have to do is follow the link given below.
https://www.youtube.com/channel/UC-lHJZR3Gqxm24_Vd_AJ5Yw?sub_confirmation+1='

The PewDiePie Ransomware does not save decryption keys and does not appear to send them to its masters. Unfortunately, a decryptor does not seem to be available for purchase or in exchange for a subscription to PewDiePie's YouTube channel. The PewDiePie Ransomware might be classified as a data wiper considering that decrypting the affected data may be impossible. PC users are encouraged to use data backups and file hosting services to recover their data. Removing the PewDiePie Ransomware should be possible with the help of a computer specialist and a reliable security scanner.
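The two renaming patterns described in this entry (a random-character name with the '.L0cked' extension for the ShellLocker Ransomware, and the original name with '.PewDiePie' appended for the PewDiePie variant) are simple indicators a defender can sweep a file share or backup volume for before restoring anything. The following script is an added example written for this page, not code from the threat's authors or from any security vendor. The extension strings come from the write-up; the "random stem" heuristic (an alphanumeric name of at least 8 characters with no dots), the sample filenames and the function names are assumptions constructed for the example.

```python
"""Sweep filenames for the ShellLocker / PewDiePie renaming patterns.

Added example for this threat entry; not the malware's or a vendor's code.
"""
import os
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Extension markers quoted in the write-up.
SHELLLOCKER_EXT = ".L0cked"     # appended to a randomized filename
PEWDIEPIE_EXT = ".PewDiePie"    # appended to the original filename

# Assumption for this example: a "string of random characters" is treated as
# an alphanumeric stem of at least 8 characters with no dots in it.
_RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")

# Constructed sample names (not real victim data) covering each case.
SAMPLE_NAMES = [
    "report.docx",                       # untouched file
    "Eminem-Without Me.mp3.PewDiePie",   # PewDiePie pattern from the write-up
    "holiday.jpg.PewDiePie",             # PewDiePie pattern, constructed
    "kQ7x9ZpL2mN4.L0cked",               # ShellLocker pattern, constructed
    "notes.txt.L0cked",                  # '.L0cked' but original name kept
    "budget.xlsx",                       # untouched file
]


def classify(filename: str) -> Optional[str]:
    """Return the indicator family a filename matches, or None.

    '.L0cked' on a non-random stem is reported separately, because the
    write-up says ShellLocker replaces the name with random characters.
    """
    if filename.endswith(PEWDIEPIE_EXT):
        return "PewDiePie"
    if filename.endswith(SHELLLOCKER_EXT):
        stem = filename[: -len(SHELLLOCKER_EXT)]
        return "ShellLocker" if _RANDOM_STEM.match(stem) else "ShellLocker-suspect"
    return None


def original_name(filename: str) -> Optional[str]:
    """Recover the pre-encryption name where the pattern preserves it.

    The PewDiePie variant only appends a suffix, so the original name is
    still visible; ShellLocker's randomized names carry no such information.
    """
    if filename.endswith(PEWDIEPIE_EXT):
        return filename[: -len(PEWDIEPIE_EXT)]
    return None


def scan_names(names: Iterable[str]) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Classify every name; return per-family counts and the list of hits."""
    counts: Counter = Counter()
    hits: List[Tuple[str, str]] = []
    for name in names:
        family = classify(name)
        if family is not None:
            counts[family] += 1
            hits.append((name, family))
    return counts, hits


def scan_tree(root: str) -> Tuple[Counter, List[Tuple[str, str]]]:
    """Walk a directory tree and classify each file by its full path."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(dirpath, f))
    # classify() only looks at the suffix, so full paths are fine here.
    return scan_names(paths)


if __name__ == "__main__":
    totals, found = scan_names(SAMPLE_NAMES)
    for name, family in found:
        orig = original_name(name)
        print(f"{family:20s} {name}" + (f"  (was: {orig})" if orig else ""))
    print(dict(totals))
```

Run `scan_tree("/path/to/share")` against a mounted backup or file share before restoring from it; a non-zero count for either family means the copy was touched after the infection started and should not be trusted as a clean restore point. The split between "ShellLocker" and "ShellLocker-suspect" is deliberate: a '.L0cked' file whose original name is still intact does not match the behaviour this entry describes, so it is flagged for manual review rather than counted as a confirmed hit.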

Detection names for the PewDiePie Ransomware include:

Artemis!5D791A7B66A3
Gen:Variant.MSILPerseus.61313
HEUR:Trojan.MSIL.Fsysna.gen
MSIL/Filecoder.BQ!tr.ransom
Ransom.ShellLocker
TROJ_GEN.R002C0RLC18
Trojan ( 005435bd1 )
Trojan.Filecoder!8.68 (CLOUD)
Trojan.MSILPerseus.DEF81
a variant of MSIL/Filecoder.PR
