Shootlock Ransomware

The Shootlock Ransomware is a hacking tool that can be classified as a data-locking Trojan. File-encrypting Trojans, like the Shootlock Ransomware, are a pain in the neck to deal with, as many of them would cause great damage to the compromised system by locking all the data present. Unfortunately, the majority of the threats like the Shootlock Ransomware are not decryptable for free.

Propagation and Encryption

Many cyber crooks that distribute ransomware threats opt to rely on mass spam email campaigns. Often, the emails would consist of a bogus message accompanied by a corrupted attachment or a fraudulent link. The goal of the attackers is to trick the user into allowing the threat to their system. Other commonly used propagation methods include:

• Torrent trackers.
• Fake application updates/downloads.
• Malvertising campaigns.
• Bogus pirated copies of popular software.
• Illicit activation tools.

The Shootlock Ransomware is designed to lock a wide array of filetypes such as .doc, .docx, .pdf, .ppt, .pptx, .xls, .xlsx, .jpeg, .jpg, .png, .gif, .mp3, .mp4, .mov, .rar, etc. Once the Shootlock Ransomware encrypts a file, it also changes its extension by adding '[VICTIM ID].[n0pr0blems@protonmail.com].shootlock.' For every victim, the Shootlock Ransomware generates a new, unique victim ID. This helps the attackers easily differentiate between the victims. A file that the user had originally named ‘golden-symbol.jpg’ will be renamed to ‘golden-symbol.jpg[VICTIM ID].[n0pr0blems@protonmail.com].shootlock’ after the encryption process has been completed.

The Ransom Note

Next, the Shootlock Ransomware would drop a ransom note on the compromised computer. The name of the file containing the ransom message of the attackers is ‘readme-warning.txt.’ In the ransom message, the authors of the Shootlock Ransomware have included six FAQs that serve to explain to the user what has happened to their files and what the attackers’ offer is. The creators of the Shootlock Ransomware demand to be paid in Bitcoin as this would help them protect their anonymity. The attackers offer to decrypt two files free of charge, provided that they do not exceed 1MB in size. This serves as a guarantee that they have a working decryption tool. Users who want to get in touch with the attackers are provided with two email addresses ‘n0pr0blems@protonmail.com’ and ‘troubleshooter@cock.li.’

Like most ransomware, Shootlock encrypts the data on an infected system and demands users pay a ransom to restore the data. As the ransomware encrypts data, it renames infected files according to the ID of the victim. The new file name includes the original name, the ID, and the email address of the attackers – on top of the aforementioned .shootlock file extension. Once everything has been encrypted a ransom note is dropped on the desktop called “Readme-warning.txt.”

The text of the ransom note reads as follows;

::: Greetings :::

Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted and now have the "shootlock" extension. The file structure was not damaged, we did everything possible so that this could not happen.

.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay in bitcoins.

.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.

.4.
Q: How to contact with you?
A: You can write us to our mailbox: n0pr0blems@protonmail.com or troubleshooter@cock.li

.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.

.6.
Q: If I don’t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.

:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

As you can see, the hackers present the information in an FAQ format. Victims are told that their data is encrypted, but that it hasn’t been damaged beyond the point of repair. Users must pay the attacker an unspecified amount, which they will learn when they get in touch with the attacker. Attackers also instruct victims on how to purchase and send bitcoin to make the payment.

Victims are given a chance to test the decryption tool for free. Users can send the attacker up to two files. The attackers will then decrypt them and send them back as proof that their tool can get the job done. This helps create a false sense of security with the victim and makes them more likely to comply with the ransom demand. The attacker promises to send the victim the decryption tools or software they need after the transaction processes.

The end of the note is dedicated to some warnings for the user. Users are told that attempting to modify infected files or restore them with third-party decryption tools could cause permanent data loss. The message says that victims should create backups of files before trying to mess with them. Unfortunately, more often than not, it is impossible to restore encrypted data without intervention from the creators.

No matter what, it is always advised that you never meet the demands of the cybercriminals. People who pay the ransom don’t always get the promised decryption tools they need. These victims go on to lose a lot of money as well as data. Removing the virus will prevent it from encrypting data further, but it doesn’t undo the damage it has already caused. The only safe and effective method to restore lost data is through a backup.

How Does Shootlock Infect Computers?

Shootlock primarily spreads through software “cracking” tools for Microsoft products. Illegal activation tools aren’t the only way that malware spreads, however. Malware spreads through Trojans, fake software updaters, spam email campaigns, and untrustworthy download websites.

Trojan viruses are a kind of program that can create chain infections by installing other malware. Spam campaigns involve sending out hundreds of emails with malicious links or malicious attachments. While most people ignore these messages, a handful of people will interact with them and infect their computers.

Malicious updates infect computers by installing viruses and malware instead of the actual software update. Untrusted download sources, such as P2P file-sharing networks and freeware sites, offer malware hidden inside seemingly-innocent products.

How to Protect Against Ransomware Infection
The first step to avoiding ransomware infection is to be more vigilant with emails. Don’t open unsolicited and dubious emails, especially ones that have links and attachments. You should also avoid using illicit and unofficial download resources. Make sure to activate and update products using official tools from the developers. Third-party updates and illegal activation tools (known as cracking tools) are often used to spread malware.

Keep your device secure by installing and using antivirus software. This software often catches a virus before it can become an issue, and will help to remove viruses that make it through the cracks.

It is not wise to trust the word of cybercriminals like the crooks behind the Shootlock Ransomware. You have nothing guaranteeing that you will get the decryption key you need even if you pay the sum demanded. Instead, you should remove the Shootlock Ransomware from your system with the help of a reputable anti-malware solution.