When you are infected with this malware, it generates a unique hardware ID (HWID) from the serial number of the first hard drive, the motherboard's serial number, and other machine details. It then contacts the malware's TOR site and checks whether a machine with this hardware ID has already been encrypted. Using the open source Crypto++ library, OphionLocker then encrypts your data with elliptic curve cryptography. The data files it encrypts have the following extensions:
3fr,accdb,arw,bay,cdr,cer,cr2,crt,crw,dbf,dcr,der,dng,doc,docm,docx,dwg,dxf,dxg,eps,erf,indd,jpe,jpg,kdc,mdb,mdf,mef,mp3,mp4,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pef,pem,pfx,ppt,pptm,pptx,psd,pst,ptx,r3d,raf,raw,rtf,rwl,srf,srw,txt,wb2,wpd,wps,xlk,xls,xlsb,xlsm,xlsx

When searching for data files to encrypt, it performs a case-sensitive match on the extension. That means a file called test.JPG would not be encrypted, while a file called test.jpg would be. When it is done, it displays the ransom alert and also drops numerous encrypted.txt files on your desktop and in your My Documents folder. These encrypted.txt files contain instructions on how to reach the TOR payment site to pay the ransom and receive the decryptor.
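The case-sensitive extension rule above decides which files are hit and which survive. The following Python script is an added example, not code from the original article or from OphionLocker itself: it re-implements the targeting rule as a dry run over file names (nothing is encrypted or modified), so you can see which files would have been selected and which escaped only because their extension was upper-case. The extension list is the one quoted above; the sample file names and the function names are constructed for the illustration.

```python
"""
Dry-run emulation of OphionLocker's file-targeting rule, as described in the
article: a file is selected when the text after its last dot is an exact,
case-sensitive match for one of the listed extensions.

Added example, not the malware's code. Nothing here touches file contents.
"""
from pathlib import Path

# Extension list quoted in the article (all lowercase, no leading dot).
TARGET_EXTENSIONS = frozenset("""
3fr,accdb,arw,bay,cdr,cer,cr2,crt,crw,dbf,dcr,der,dng,doc,docm,docx,dwg,dxf,dxg,
eps,erf,indd,jpe,jpg,kdc,mdb,mdf,mef,mp3,mp4,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,
p12,p7b,p7c,pdd,pef,pem,pfx,ppt,pptm,pptx,psd,pst,ptx,r3d,raf,raw,rtf,rwl,srf,srw,
txt,wb2,wpd,wps,xlk,xls,xlsb,xlsm,xlsx
""".replace("\n", "").split(","))


def extension_of(name: str) -> str:
    """Return the text after the last dot, or '' if the name has no dot."""
    _stem, dot, ext = name.rpartition(".")
    return ext if dot else ""


def is_targeted(name: str, case_sensitive: bool = True) -> bool:
    """Apply the ransomware's rule: exact, case-sensitive extension match.

    case_sensitive=False shows what a case-insensitive variant would hit, so
    the two behaviours can be compared side by side.
    """
    ext = extension_of(name)
    if not case_sensitive:
        ext = ext.lower()
    return ext in TARGET_EXTENSIONS


def classify(names):
    """Split names into: hit, skipped only because of case, not targeted."""
    hit, skipped_by_case, untouched = [], [], []
    for name in names:
        if is_targeted(name):
            hit.append(name)
        elif is_targeted(name, case_sensitive=False):
            skipped_by_case.append(name)
        else:
            untouched.append(name)
    return hit, skipped_by_case, untouched


def classify_tree(root):
    """Walk a directory tree and classify every regular file (read-only)."""
    names = [str(p) for p in Path(root).rglob("*") if p.is_file()]
    return classify(names)


if __name__ == "__main__":
    # Constructed sample names for the demonstration, not from a real infection.
    sample = ["test.jpg", "test.JPG", "report.docx", "Report.DOCX",
              "archive.tar.gz", "notes.txt", "key.pem", "README", "photo.Jpg"]
    hit, by_case, untouched = classify(sample)
    print("would be encrypted:      ", hit)
    print("survive only due to case:", by_case)
    print("not targeted:            ", untouched)
```

Point classify_tree at a copy of a user's profile to get a quick inventory of what the malware would have selected; the "skipped only because of case" bucket is exactly the set of files the article says survive thanks to the case-sensitive match.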
The text of the ransomware note is:
Your important files you have on this computer have been encrypted : photos, videos, document , etc.
In order to recover these files you have to go to : smu743glzfrxsqcl.tor2web.org/ and buy the key to decrypt all your files.
From now on you have 72 hours to pay or the key will be permanently deleted from our server and you won't EVER get your files back. Please go to : smu743glzfrxsqcl.tor2web.org/ to see the procedure.
You can find this text on your desktop and document folders
your hwid is :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
When you go to the ransomware site, it prompts you to enter your hardware ID. Once entered, it displays the amount of ransom you are required to pay and provides a Bitcoin address to which the payment should be sent.
Thankfully, this ransomware does not securely delete the original files or remove the Shadow Volume Copies. It is therefore possible to recover your files with a file recovery tool or a program like Shadow Explorer. Because the originals are only deleted rather than overwritten, avoid writing new data to the affected drive until recovery is done, as new writes can overwrite the deleted file contents. For more information on how to do this, please see this section in the CryptoLocker guide.