This is a quick analysis of a newly discovered ransomware called File-Locker. This brief will contain technical information related to how it infects a computer, how it is distributed, and whether it can be decrypted or not.

File-Locker Summary

The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When a victim is infected, it leaves a ransom note requesting 50,000 Won, or approximately 50 USD, to get the files back. This ransomware uses AES encryption with a static password of "dnwls07193147", so encrypted files can be decrypted without paying.

Static Password

When encrypting a file it will append the .locked extension to the filename.

Encrypted Folder

The file extensions targeted by this ransomware are:

.txt, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg, .java, .csv, .kdc, .dxg, .xlsm, .pps, .cpp, .odt, .php, .odc, .log, .exe, .cr2, .mpeg, .jpeg, .xqx, .dotx, .pps, .class, .jar, .psd, .pot, .cmd, .rtf, .csv, .php, .docm, .xlsm, .js, .wsf, .vbs, .ini, .jpeg, .gif, .7z, .dotx, .kdc, .odm, .xll, .xlt, .ps, .mpeg, .pem, .msg, .xls, .wav, .odp, .nef, .pmd, .r3d, .dll, .reg, .hwp, .7z, .p12, .pfx, .cs, .ico, .torrent, .c

When done encrypting files, it will create a ransom note on the desktop called Warning!!!!!!.txt. This ransom note is in both Korean and English and demands 50,000 won in bitcoin as a ransom payment. Strangely, the bitcoin address given in the Korean portion is for an account seized as part of the Silk Road takedown.

The English bitcoin address is 1BoatSLRHtKNngkdXEeobR76b53LETtpyT and has some transactions, but it is unclear whether those are related to this ransomware.

File-Locker Ransomware Wallpaper

Method of Distribution

It is not currently known whether this ransomware is actively being distributed, or how it is distributed.

Origin of Name

The name is taken from properties of the executable as shown below.

File-Locker File Properties

Is File-Locker Decryptable?

Yes, in its current state, the File-Locker Ransomware can be decrypted because it uses a static key that can be retrieved from the executable. If anyone becomes a victim of this ransomware, please contact us and we will see if we can create a decryptor for you.
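As an added example (not code from the article or from BleepingComputer), the following Go sketch shows how a recovery tool would turn that static password back into the AES key and decrypt a .locked file. It assumes the sample keeps stock Hidden Tear's key schedule, which the article does not state: SHA-256 of the password fed into PBKDF2-HMAC-SHA1 with the fixed salt {1,2,3,4,5,6,7,8} and 1000 rounds, the first 32 derived bytes as the AES-256 key and the next 16 as the CBC IV; confirm that against the actual sample before relying on it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
)

// pbkdf2SHA1 is RFC 2898 PBKDF2 with HMAC-SHA1, the default PRF of .NET's Rfc2898DeriveBytes.
func pbkdf2SHA1(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	for blk := byte(1); len(out) < dkLen; blk++ { // INT(i) is 4 bytes big-endian; i < 256 here
		mac := hmac.New(sha1.New, password)
		prf := func(d []byte) []byte { mac.Reset(); mac.Write(d); return mac.Sum(nil) }
		t := prf(append(append([]byte{}, salt...), 0, 0, 0, blk)) // U1 = PRF(P, S || INT(i))
		for i, u := 1, t; i < iter; i++ {                        // T_i = U1 xor U2 xor ... xor Uc
			u = prf(u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// htMode builds the AES-256-CBC mode File-Locker would apply for a password. The key schedule
// is assumed from stock Hidden Tear (not stated in the article): fixed salt, 1000 rounds over
// SHA-256(password); derived bytes 0-31 become the key and bytes 32-47 the IV.
func htMode(password string, decrypt bool) cipher.BlockMode {
	pw := sha256.Sum256([]byte(password))
	dk := pbkdf2SHA1(pw[:], []byte{1, 2, 3, 4, 5, 6, 7, 8}, 1000, 48)
	block, _ := aes.NewCipher(dk[:32])
	if decrypt {
		return cipher.NewCBCDecrypter(block, dk[32:])
	}
	return cipher.NewCBCEncrypter(block, dk[32:])
}

// htDecrypt recovers a .locked file's bytes; ok is false on a bad length or bad PKCS#7 padding.
func htDecrypt(password string, ct []byte) (pt []byte, ok bool) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, false
	}
	pt = make([]byte, len(ct))
	htMode(password, true).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n < 1 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false // wrong password, or not a File-Locker file
	}
	return pt[:len(pt)-n], true
}
```

A padding failure on a real .locked file means the sample's key schedule differs from the stock Hidden Tear assumption above, not that the password is wrong.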

How to protect yourself from the File-Locker Ransomware

In order to protect yourself from the File-Locker Ransomware you should use standard security practices. This includes using good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoffs.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.


IOCs

File-Locker Hashes:

SHA256: b6b5e455c4ebe875907aa185988c2eb654ed373dc0e6b712a391069d63dc5c3f

File-Locker Files:

Warning!!!!!!.txt

File-Locker Registry Keys:

None

File-Locker Ransom Note:

한국어: 경고!!! 모든 문서, 사진, 데이테베이스 및 기타 중요한 파일이 암호화되었습니다!!
당신은 돈을 지불해야 합니다
비트코인 5만원을 fasfry2323@naver.com로 보내십시오 비트코인 지불코드: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX  결제 사이트 http://www.localbitcoins.com/ 
English: Warning!!! All your documents, photos, databases and other important personal files were encrypted!!
You have to pay for it.
Send fifty thousand won to fasfry2323@naver.com Bitcoin payment code: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Payment site http://www.localbitcoins.com/

File-Locker Network Connections:

None