There is a detailed guide on Locker, how it works, and what you should do if you are infected at the below link:
Locker Ransomware Information Guide and FAQ
The Locker ransomware is a computer infection that silently runs on a victim's computer until May 25 Midnight local time at which point it became active. Once active, it will begin to encrypt the data files on the computer with what appears to be RSA encryption. When encrypting the data files it will not change the extension of the file. Therefore, the only way to determine if the file is encrypted is by trying to open it and being told that the file is corrupt or not usable.
After the Locker ransomware encrypts your data it will delete your shadow volume copies and then display the Locker interface. This interface will be titled Locker and then a random version number. This version number does not appear to have any significance. Some example titles are Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. This Locker screen will give you information on how to pay the ransom, your unique bitcoin address to send the ransom to, a list of encrypted files, and a page to check the status of your payment.
Main Locker screen
It should be noted that this infection only clears the Shadow Volume Copies for the C:\ drive. Therefore, if you store data on other drives, you can use the Shadow Volume Copies to restore your data. There are also reports that the infection is not always able to delete any shadow volume copies, so to be safe it is advised that you at least try to restore your files using Shadow Explorer as described in the link below:
The ransomware will also have a scary warning at the bottom of the Locker interface that states:
Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!
Please do not be concerned about this message. This is just a method for them to scare you into paying the ransom.
If you do decide to pay the ransom, which should be avoided if at all possible, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.
The exact process as to how the Locker ransomware is installed is currently unknown. What we do know is that there are a series of Windows services that are used to install Locker on the computer and encrypt the files. At some point a dropper will be installed in the C:\Windows\System32 or C:\Windows\Syswow64 and uses a random file name such as twitslabiasends.exe. This file will be installed as a service and when started will create the Steg service in C:\ProgramData\Steg\steg.exe. The steg service will then install Tor in C:\ProgramData\Tor and create another called service called LDR. The LDR service is associated with the C:\ProgramData\rkcl\ldr.exe and will ultimately launch the rkcl.exe program which displays the Locker interface.
The TOR client is used to communicate with the TOR Command & Control server located at jmslfo4unv4qqdk3.onion.
When data files are encrypted, the known file types it targets include :
3fr,accdb,ai,arw,bay,cdr,cer,cr2,crt,crw,dbf,dcr,der,dng,doc,docm,docx,dwg,dxf,dxg,eps,erf,indd,jpe,jpg,kdc,mdb,mdf,mef,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pef,pem,pfx,ppt,pptm,pptx,psd,pst,ptx,r3d,raf,raw,rtf,rw2,rwl,srf,srw,wb2,wpd,wps,xlk,xls,xlsb,xlsm,xlsxThese files will be encrypted, but they will not have their extensions changed. As more extensions are determined, we will add them to the list.
Finally the installation will also delete all Shadow Volume Copies so that you are unable to use them to restore your files. The command used to delete the shadow volume copies is:
vssadmin.exe delete shadows /for=C: /all /quietDuring the install process, Locker will check if the computer is a VirtualBox or Vmware virtual machine and terminate if detected. It will also search for the following processes and if they are found, terminate the installation process:
wireshark,fiddler,netmon,procexp,processhacker,anvir,cain,nwinvestigatorpe,uninstalltool,regshot,installwatch,inctrl5,installspy,systracer,whatchanged,trackwinstallAt this point, the Locker ransomware will only target Shadow Volume Copies on the C:\ drive. So if there are Shadow Volume Copies present on other drives then it may be possible to use them to restore your files. Furthermore, it is not uncommon for these types of infections to sometimes not be able to properly delete Shadow Volume Copies, so it is always wise to try and restore from them. For information on how to restore via Shadow Volume Copies, please see this url:
Finally, while rkcl.exe is running it will continuously poll www.blockchain.info to see if a payment has been made. When it confirms that a payment was made it will download the private decryption key and save it in the C:\ProgramData\rkcl\priv.key file and then decrypt your files.
Below is the list of data files that are created by Locker and stored in C:\ProgramData\rkcl\:
data.aa0 - This file contains a list of the encrypted files.
data.aa1 - Unknown purpose
data.aa6 - The victim's unique bitcoin address
data.aa7 - An RSA key similar to:
data.aa8 - Contains the version number for the Locker graphical interface.
data.aa9 - The date the ransomware became active
data.aa11 - Unknown purpose
data.aa12 - Unknown purpose
priv.key - This file contains the private decryption key that can be used to decrypt your files. It only appears after you pay the ransom.
Below are the images of the Locker Ransomware interface:
Edited by Grinler, 28 May 2015 - 08:54 AM.