
VASA LOCKER Ransomware

The VASA LOCKER Ransomware is a file-locking Trojan that restricts users' access to documents and similar media by encrypting the files. As a possible update of the Babuk Locker Ransomware, it displays a similar ransom note and other symptoms. Users can always protect their files by backing them up to secure locations and should use dedicated anti-malware products to expedite the removal of the VASA LOCKER Ransomware.

A Possible Swerve in the Campaign of Trojans Past

The Babuk Locker Ransomware, previously examined in early 2021, might be changing up its extortion mechanisms. However, this likely update, the VASA LOCKER Ransomware, is no less hostile to users' files or capable of blocking them. While malware experts can't provide indisputable confirmation, current analyses of the VASA LOCKER Ransomware's payload suggest that the Trojan is a straight-line update of the Babuk Locker Ransomware with new communication methods for its victims.

The VASA LOCKER Ransomware is a file-locking Trojan that blocks Windows users' documents, pictures, and other media content through the same method as the Babuk Locker Ransomware: ChaCha8-based encryption, with SHA-256 hashing and an ECDH key for security. It also uses the same highly distinctive extension format, '__NIST_K571__', for marking each file (for example: 'document.doc.__NIST_K571__'). Removing the extension doesn't remove the encryption that stops the file from opening.

As a final note in the locker of evidence for its ancestry, the VASA LOCKER Ransomware's ransom note, a Notepad text file, is near-identical to the Babuk Locker Ransomware's TXT message. The exception that malware analysts point to is that the VASA LOCKER Ransomware doesn't promote an anonymous TOR website for collecting its ransoms; it prefers e-mail. In either case, victims should try all other recovery methods for their data before risking a ransom that may do nothing for their files.

Easily Forgotten Attacks in the Face of Blocked Files

Users facing the enormous distraction of most of their files not working might miss the VASA LOCKER Ransomware's additional features. Windows users should be aware of the following functions that supplement the VASA LOCKER Ransomware's encryption feature:

  • The deletion of the Restore Point-based data (Shadow Volume Copies)
  • Restart Manager-based termination of processes related to viewing or managing media (SQL server tools, document readers, Web browsers, etc.)
  • Remote drive access (for locking files on network-connected, unprotected drives)
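As an added triage example (not code from this page's author or from any vendor tool), the script below inventories files carrying the '__NIST_K571__' marker described earlier so that the original paths can be restored from backups, and flags process command lines that match shadow-copy deletion, the first behaviour in the list above. The sample directory tree, the sample command lines, and the specific command forms matched are constructed assumptions, since the page names the behaviour but not the commands.

```python
import os
import re
import tempfile
from pathlib import Path

# Extension marker the page attributes to VASA LOCKER / Babuk Locker.
MARKER = ".__NIST_K571__"

# Assumption: common command forms that defenders watch for when looking
# for Shadow Volume Copy deletion; the page only names the behaviour.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def inventory_marked_files(root):
    """Return {encrypted_path: original_name} for files carrying MARKER.

    Stripping the marker recovers only the name, never the contents; the
    mapping is meant to drive restoration of the same paths from backups."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(MARKER):
                found[os.path.join(dirpath, name)] = name[:-len(MARKER)]
    return found


def flag_shadow_copy_deletion(command_lines):
    """Return the command lines that match a shadow-copy deletion form."""
    return [cl for cl in command_lines
            if any(p.search(cl) for p in SHADOW_DELETE_PATTERNS)]


def demo():
    # Constructed sample tree: two marked files, one untouched file.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "document.doc" + MARKER).write_bytes(b"\x00" * 16)
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "photo.jpg" + MARKER).write_bytes(b"\x00" * 16)
        Path(tmp, "readme.txt").write_text("not encrypted")
        originals = sorted(inventory_marked_files(tmp).values())
    # Constructed process-creation command lines, not real telemetry.
    sample = [
        "C:\\Windows\\System32\\vssadmin.exe delete shadows",
        "wmic shadowcopy delete",
        "notepad.exe How To Restore Your Files.txt",
    ]
    return originals, flag_shadow_copy_deletion(sample)


if __name__ == "__main__":
    print(demo())
```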

Besides the VASA LOCKER Ransomware's exceptionally broad list of programs to terminate, its payload isn't wildly divergent from that of similar threats. As usual, it's Windows-based, and users of that OS are most at risk.

Good anti-malware programs flag VASA LOCKER Ransomware samples and also catch older versions of the Babuk Locker Ransomware. Users should avoid manually removing the VASA LOCKER Ransomware without these products' help, since doing so carries a substantial risk of missing components or related threats.

The VASA LOCKER Ransomware is a fairly transparent adjustment to a ransoming model, but the Babuk Locker Ransomware story survives in its name. Ideally, the ending should be the same anyway: disinfecting the PC and restoring any 'locked' files from backups.
