Unlike most file-encrypting ransomware, ZeroLocker does not limit itself to data files. It encrypts every file on the C:\ drive, executables included, with AES, skipping only files larger than 20 MB and files located in a folder whose path contains one of the keywords Windows, WINDOWS, Program Files, ZeroLocker, or Desktop. Each encrypted file has .encrypted appended to its filename. Once encryption finishes it runs C:\Windows\System32\cipher.exe /w:C:\, which overwrites the free space on the C:\ drive; since that is where the contents of deleted files linger, file-recovery (undelete) tools can no longer bring the originals back. It also creates the C:\ZeroLocker folder, where it stores various files along with the decryptor executable ZeroRescue.exe, and adds a Registry entry so that ZeroRescue.exe starts automatically when you log in.
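To estimate the blast radius on an infected machine, or to check that a set of .encrypted files is consistent with this infection, it helps to have the selection rules above in executable form. The following Python script is an added example written for this page; it is not ZeroLocker's code and not from the original write-up. Two details the write-up leaves open are assumed here and marked in the comments: keyword matching is treated as a case-sensitive substring test on the directory part of the path (the listing of both "Windows" and "WINDOWS" suggests that), and "20 MegaBytes" is taken as 20 * 1024 * 1024 bytes. The sample tree is constructed, not captured from a real system.

```python
"""
Impact-triage helper that re-implements the ZeroLocker file-selection
rules described above (added example, not ZeroLocker's own code).

Rules from the write-up:
  * every file under C:\ is a candidate, executables included
  * files larger than 20 MB are skipped
  * files under a folder whose path contains one of the keywords
    Windows, WINDOWS, Program Files, ZeroLocker, Desktop are skipped
  * encrypted files get ".encrypted" appended to the original name

Assumptions (not stated in the write-up): keyword matching is a
case-sensitive substring test on the directory part of the path, and
"20 MegaBytes" means 20 * 1024 * 1024 bytes.
"""
import os
from typing import Dict, Iterable, List, Tuple

SKIP_KEYWORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
SIZE_LIMIT = 20 * 1024 * 1024          # assumption: 20 MiB
ENCRYPTED_SUFFIX = ".encrypted"


def in_protected_folder(path: str) -> bool:
    """True if the directory part of `path` contains a skip keyword (case-sensitive)."""
    directory = os.path.dirname(path.replace("\\", "/"))
    return any(keyword in directory for keyword in SKIP_KEYWORDS)


def would_be_encrypted(path: str, size: int) -> bool:
    """Apply the size and folder rules to a single file."""
    if path.endswith(ENCRYPTED_SUFFIX):
        return False                    # already processed by the malware
    if size > SIZE_LIMIT:
        return False                    # "larger than 20 MB" is skipped
    return not in_protected_folder(path)


def triage(entries: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """
    Split (path, size) pairs into the names ZeroLocker would have produced
    and the paths it would have left alone.
    """
    result: Dict[str, List[str]] = {"encrypted": [], "skipped": []}
    for path, size in entries:
        if would_be_encrypted(path, size):
            result["encrypted"].append(path + ENCRYPTED_SUFFIX)
        else:
            result["skipped"].append(path)
    return result


def walk_volume(root: str) -> List[Tuple[str, int]]:
    """Collect (path, size) for a real directory tree (used when run by hand)."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                entries.append((full, os.path.getsize(full)))
            except OSError:
                continue                # unreadable file, skip it
    return entries


# Constructed sample tree standing in for a walk of C:\ (not real data).
SAMPLE_TREE = [
    ("C:/Users/alice/Documents/budget.xlsx", 48_000),
    ("C:/Users/alice/Desktop/notes.txt", 1_200),            # "Desktop" keyword
    ("C:/Windows/System32/cipher.exe", 40_000),             # "Windows" keyword
    ("C:/Program Files/Vendor/app.exe", 3_000_000),         # "Program Files" keyword
    ("C:/Apps/LineOfBusiness/lob.exe", 2_500_000),          # custom software, unprotected path
    ("C:/Apps/LineOfBusiness/archive.bak", 25 * 1024 * 1024),  # over the size limit
    ("C:/ZeroLocker/ZeroRescue.exe", 300_000),              # the malware's own folder
    ("C:/Users/alice/Music/song.mp3.encrypted", 5_000_016), # already encrypted
]

if __name__ == "__main__":
    report = triage(SAMPLE_TREE)
    for path in report["encrypted"]:
        print("encrypted:", path)
    for path in report["skipped"]:
        print("skipped:  ", path)
```

Run against the constructed tree, only budget.xlsx and the line-of-business executable under C:\Apps come out as encrypted, which is exactly the case the write-up warns about: custom software installed outside Program Files gets encrypted along with the user's documents. To triage a real mounted volume, pass `walk_volume(r"C:\")` to `triage` instead of `SAMPLE_TREE`.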
The main issue, though, is what happens when ZeroLocker uploads the decryption key to its Command & Control server. Had the C2 server been configured properly, the upload would have been answered with an HTTP 200 status code, meaning the request reached a page that handled it. Instead, when ZeroLocker submits the key it receives a 404 status code, meaning the page it requested does not exist on the server at all.
As a result, the key is never stored in any database or file for later retrieval. In fact the only place it could survive is the web server's HTTP access logs, and only if the key was part of the logged request line and the logs have not already been overwritten or rotated; even then someone would have to search them by hand. This is obviously a coding mistake on the part of the developer, and one that essentially trashes the infected computer: the decryption key cannot be retrieved even if you pay the ransom. With no recoverable key, and given that it encrypts all files rather than just data files, this ransomware is very destructive, especially to companies running custom software installed outside the normal Program Files paths.
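The access-log angle is worth spelling out, because it is the one recovery path left and it only works in a narrow case. A 404 means no server-side code ever saw the request, so nothing was written except the access log entry, and that entry records the request line (method, path, query string) and not a POST body. The script below is an added example for this page, not code from the write-up or from the malware's C2: it sweeps constructed Apache/nginx "combined" format log lines for failed (404) upload attempts and pulls the key out where it travelled in the query string, while recording POST attempts as unrecoverable. The upload path `/upload.php`, the parameter name `key`, the IP addresses and the key value are all hypothetical placeholders.

```python
"""
Key-recovery sweep over web-server access logs (added example; not the
write-up's or ZeroLocker's own code).

Because the C2 endpoint answered 404, the request was never handled by
server-side code, so the only place the key can survive is the access log.
That only helps if the key travelled in the request line: a GET with the
key in the query string is logged, a POST body is not.

Assumptions: Apache/nginx "combined" log format; the upload path and the
query-parameter name `key` are hypothetical placeholders.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: host ident user [time] "request" status bytes "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

KEY_PARAM = "key"            # hypothetical parameter name
UPLOAD_PATH = "/upload.php"  # hypothetical endpoint the client asked for


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def extract_key(entry: Dict[str, str]) -> Optional[str]:
    """Return the key if it was carried in the request line's query string, else None."""
    values = parse_qs(urlsplit(entry["target"]).query).get(KEY_PARAM)
    return values[0] if values else None


def recover_keys(lines: Iterable[str], upload_path: str = UPLOAD_PATH) -> Dict[str, List[Optional[str]]]:
    """
    Map client IP -> keys seen in 404'd requests to the upload path.
    A POST attempt yields None: its body was never logged, so the key is gone.
    """
    found: Dict[str, List[Optional[str]]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != "404":
            continue
        if urlsplit(entry["target"]).path != upload_path:
            continue
        found.setdefault(entry["host"], []).append(extract_key(entry))
    return found


# Constructed sample log lines (documentation IP ranges, made-up key value).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Aug/2014:13:02:11 +0000] "GET /upload.php?id=WIN-7K2Q&key=DEADBEEF0102030405060708090A0B0C HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [21/Aug/2014:13:02:12 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [21/Aug/2014:13:05:40 +0000] "POST /upload.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [21/Aug/2014:13:06:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, keys in recover_keys(SAMPLE_LOG).items():
        for key in keys:
            print(host, "->", key if key else "key not in request line (POST body not logged)")
```

On the constructed lines the GET from 203.0.113.7 yields its key, while the POST from 198.51.100.23 is recorded as a failed upload with nothing recoverable; the 404 for favicon.ico and the successful page hit are ignored. On a real server, feed it the rotated logs as well (`access.log.1`, `access.log.*.gz`), since the entry you need may have aged out of the live file.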
There is, though, some light at the end of the tunnel. This infection does not delete the Volume Shadow Copies (the snapshots behind System Restore points and the Previous Versions feature), so you can restore your files using a program like Shadow Explorer or Windows' built-in Previous Versions. You can confirm the snapshots are still present by running vssadmin list shadows from an elevated command prompt before you start. For information on how to restore your files via these methods, please read this section of our CryptoLocker guide: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow
A big thanks to decrypterfixer for reversing this malware!