Electronic news service of the Ministry of Communications and Information Technologies
New DeriaLock Ransomware Includes An 'Unlock All' Command
G Data malware analyst Karsten Hahn has come across a new ransomware family named DeriaLock, which locks your screen and requests a payment of $30.
Ransomware families generally fall in one of two categories: screen lockers (which prevent access to your computer but leave your files alone) and crypto lockers (which allow you to use your computer but encrypt all your files).
DeriaLock belongs to the first category: it locks the screen and prevents users from accessing their files or applications, but leaves the data itself intact.
It was discovered today after an anonymous user uploaded a copy of the ransomware's binary to VirusTotal; there is currently no information on how the ransomware spreads.
Once launched, DeriaLock takes the computer's MachineName identifier and generates an MD5 hash of it. Since malware authors often infect themselves by accident, the DeriaLock source code includes a hard-coded MD5 hash for which the screen locker won't start. This MD5, seen below, most likely belongs to DeriaLock's author.
After checking the MD5 locally, the ransomware contacts its command and control (C&C) server, retrieves the most current version of itself and saves the file at: C:\users\appdata\roaming\microsoft\windows\start menu\programs\startup\SystemLock.exe
DeriaLock will then run this file, which now passes all checks and starts the screen-locking behavior by showing a fullscreen window with the following ransom note:
“Your System has Locked! If you try to restart you PC ALL data will delete. If you want your data back, pay 30 USD.”
The HWID displayed in the ransom note is the same MD5 hash generated previously.
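The behaviour described above (HWID = MD5 of the machine name, dropper written to the Startup folder) gives an incident responder two cheap triage checks. The following is an added example, not code from the article or from G Data; it assumes the sample hashes the UTF-8 bytes of the machine name with no salt, and it uses a constructed host inventory.

```python
import hashlib
from pathlib import Path
from typing import Iterable, Optional

# Drop location reported in the article (the user-profile segment is absent there too).
STARTUP_PAYLOAD = r"C:\users\appdata\roaming\microsoft\windows\start menu\programs\startup\SystemLock.exe"


def hwid_for(machine_name: str) -> str:
    """Reproduce the HWID shown in the ransom note: an MD5 of the machine name.
    ASSUMPTION: the UTF-8 bytes of the name are hashed directly, with no salt.
    Adjust if analysis of your own sample shows a different encoding."""
    return hashlib.md5(machine_name.encode("utf-8")).hexdigest()


def match_hwid(note_hwid: str, machine_names: Iterable[str]) -> Optional[str]:
    """Given an HWID copied from a ransom-note screenshot, find which host in an
    inventory produced it. Hex case is normalised because notes are often re-typed."""
    wanted = note_hwid.strip().lower()
    for name in machine_names:
        if hwid_for(name) == wanted:
            return name
    return None


def startup_artifact_present(startup_dir: str) -> bool:
    """Check a Startup folder (live host or mounted image) for the SystemLock.exe dropper."""
    return (Path(startup_dir) / "SystemLock.exe").is_file()


if __name__ == "__main__":
    # Constructed sample data: a small asset inventory and an HWID as read off a note.
    inventory = ["LAPTOP-ACME-07", "FILESRV01", "RECEPTION-PC"]
    note_hwid = hwid_for("RECEPTION-PC").upper()
    print("host that produced this HWID:", match_hwid(note_hwid, inventory))
    print("dropper in this host's Startup folder:",
          startup_artifact_present(str(Path(STARTUP_PAYLOAD).parent)))
```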
The screen locker window also includes two buttons that, when clicked, provide translations of the ransom note in German and Spanish. Only the German translation button works.
According to Hahn, there was no trace of any Spanish text inside the ransomware's source code, which is the reason why the Spanish translation doesn't show anything.
Both the English and German ransom notes are full of spelling errors.
At the time of writing, Hahn says that the DeriaLock servers are still up and running, meaning the threat is currently being distributed to unsuspecting victims.
Hahn has also discovered that during its regular C&C server query routine, DeriaLock checks the server for the presence of a special text file.
Based on the file's name (unlock-everybody.txt), we presume this is a method of removing the screen locker from all infected computers at once.
Hahn tells Bleeping Computer that this file holds the value "0", which means that if the author updates this file to "1", he'll unlock all victims. Let's hope the DeriaLock author feels generous tomorrow morning on Christmas Day.
The good news is that DeriaLock requires the .NET Framework 4.5 to be installed, which means it won't work on Windows XP machines.
27/12/16