TWLWLocker

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: September 14, 2017
Last Seen: February 18, 2022
OS(es) Affected: Windows

PC security researchers first noticed the TWLWLocker attacks on September 4, 2017. The TWLWLocker is a screen locker: rather than encrypting files, it locks the victim's screen and demands an unlock code. The TWLWLocker is being distributed by a group of con artists calling themselves 'Team WinLocker.' The name may refer to the Winlocker Trojan, which first appeared in 2013. That previous Trojan locked the victims' screen to prevent them from accessing their desktops, files and system tools, and demanded an unlock code that the victims would have to purchase from the people responsible for the attack. The TWLWLocker does seem to be related to this previous screen locker Trojan, although the TWLWLocker attack is more sophisticated than its predecessor.

The Vicious Attack Perpetrated by the TWLWLocker

The recently uncovered version of this attack is nearly identical to the 2013 version of this screen locker. However, the TWLWLocker uses stronger obfuscation, which makes it harder for PC security researchers to analyze and for anti-virus software to detect. The TWLWLocker also modifies the Windows HOSTS file, which maps hostnames to IP addresses and is consulted before DNS, so an entry there overrides normal name resolution for every browser and application on the machine. This means that the TWLWLocker also affects the victim's Web browser and online activity. The TWLWLocker seems to be targeted at Russian speakers, since the sites it blocks are services used mainly in Russian-speaking regions. The TWLWLocker blocks access to the following websites (note the large number of .ru domains):

  • an.yandex.ru
  • bs.yandex.ru
  • google.com
  • google.ru
  • m.vk.com
  • mail.ru
  • mc.yandex.ru
  • odnoklasniki.ru
  • vk.com
  • vk.me
  • vk.ru
  • vkontakte.ru
  • www.mail.ru
  • www.odnoklasniki.ru
  • yandex.com
  • yandex.ru
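The HOSTS-file tampering described above is the easiest artifact of this infection to check for and to undo by hand once the desktop is accessible again. The following is an added example, not code from the original page or from the malware's authors: it parses HOSTS-file text, flags any mapping for the domains listed above (whatever IP it points to, since any override of these names is suspect), and produces a cleaned copy that keeps legitimate entries. The sample HOSTS content is constructed for the example; on a real Windows machine the file lives at %SystemRoot%\System32\drivers\etc\hosts and requires administrator rights to edit.

```python
"""Scan Windows HOSTS-file text for the sinkhole entries attributed to
TWLWLocker and produce a cleaned copy.

Added example; SAMPLE_HOSTS below is constructed, not recovered from
a real infection.
"""

import re

# Domains the page lists as blocked by TWLWLocker.
TWLW_BLOCKED_DOMAINS = frozenset({
    "an.yandex.ru", "bs.yandex.ru", "google.com", "google.ru", "m.vk.com",
    "mail.ru", "mc.yandex.ru", "odnoklasniki.ru", "vk.com", "vk.me", "vk.ru",
    "vkontakte.ru", "www.mail.ru", "www.odnoklasniki.ru", "yandex.com",
    "yandex.ru",
})

# Constructed sample: a stock Windows HOSTS header plus injected entries
# that route the targeted sites to loopback or a null address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
192.168.1.10   intranet.corp.local    # legitimate admin entry
127.0.0.1 vk.com
127.0.0.1 www.mail.ru mail.ru
0.0.0.0    yandex.ru an.yandex.ru   # block ads
::1        google.com
"""

# One mapping line: <ip> <name> [<name> ...] [# comment]
HOSTS_LINE = re.compile(
    r"^\s*(?P<ip>[0-9a-fA-F:.]+)\s+(?P<names>[^#]+?)\s*(?P<comment>#.*)?$"
)


def parse_hosts(text):
    """Yield (line_number, ip, [hostnames]) for each active mapping line.
    Comment and blank lines are skipped; one line may map several names."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = HOSTS_LINE.match(line)
        if m:
            yield lineno, m.group("ip"), m.group("names").split()


def find_hijacked_entries(text, blocked=TWLW_BLOCKED_DOMAINS):
    """Return [(line_number, ip, hostname)] for every mapping whose hostname
    (compared case-insensitively) is on the block list, regardless of the
    target IP: any HOSTS override of these domains is suspect."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if name.lower() in blocked:
                hits.append((lineno, ip, name.lower()))
    return hits


def clean_hosts(text, blocked=TWLW_BLOCKED_DOMAINS):
    """Return the HOSTS text with blocked hostnames removed. A line mapping
    only blocked names is dropped; a mixed line keeps its legitimate names
    and its trailing comment. Comments and blank lines pass through."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        m = HOSTS_LINE.match(line)
        if not stripped or stripped.startswith("#") or not m:
            out.append(line)
            continue
        names = m.group("names").split()
        keep = [n for n in names if n.lower() not in blocked]
        if not keep:
            continue                      # whole line was sinkhole entries
        if len(keep) == len(names):
            out.append(line)              # untouched legitimate line
        else:
            comment = m.group("comment") or ""
            out.append(f"{m.group('ip')} {' '.join(keep)} {comment}".rstrip())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Matching on the hostname rather than on 127.0.0.1 is deliberate: a locker can just as easily point these names at 0.0.0.0, ::1 or an attacker-controlled address, and all of those are worth flagging. Write the cleaned text back only after the locker process itself has been removed, or it will simply re-inject the entries.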

The TWLWLocker runs as 'TWLW Locker.exe' on the infected computer and carries the string 'TWLW Locker' in the executable's properties and details panels. Two different variants of the TWLWLocker are being used in attacks against computer users.

Dealing with the TWLWLocker Trojan

Dealing with the TWLWLocker can be difficult, although it is not as threatening as encryption ransomware Trojans, since it blocks access to the desktop without damaging the files themselves. The best way for computer users to regain access to their computers is to use a different start-up method, such as Safe Mode, to get back into Windows. Once access to the victim's desktop and files is restored, a fully up-to-date security program should be used to remove the TWLWLocker completely. Since these threats are often distributed together with numerous other threats, it is likely that if one ransomware Trojan is present on a computer, others may be as well. Because of this, after recovering from a TWLWLocker infection it is important to perform a full threat scan of the affected computer. Anti-virus software may detect the TWLWLocker under some of the following aliases:

  • MSIL/LockScreen.DM
  • RANSOM_SCRNLOCKER.J
  • Ransom-TWLWLock!5D1D25D7C3B4
  • TR/LockScreen.osiei
  • Trojan ( 004cdd861 )
  • Trojan.GenericKD.12240429
  • Trojan.GenericKD.5953586 (B)
  • Trojan.Ransom.ScreenLocker
  • W32/Trojan.ZRQW-6157
  • malicious_confidence_60% (W)

Preventing a TWLWLocker Attack

The TWLWLocker and similar threats are delivered to victims online. The TWLWLocker may be installed on a computer in several ways, including the following:

  1. By far the most common way in which victims become infected with threats like the TWLWLocker is by opening malicious spam email attachments. These spam email messages may use social engineering techniques to trick computer users into downloading and installing threats like the TWLWLocker.
  2. The TWLWLocker also may be contracted after clicking on a malicious online advertisement or link. These are often found on shady websites, which may include websites with pornographic content, online casinos, and other low-quality Web pages and content.
  3. Threats like the TWLWLocker may spread using social engineering. Because of this, treat what you read and download from the Web with a dose of skepticism. For example, the TWLWLocker may be disguised as a file download on a file-sharing website, claiming to be a popular video, music file or eBook. Being careful with file downloads like these is an important way to prevent such infections.
