This is a quick analysis of a newly discovered ransomware called File-Locker. This brief covers how it encrypts a computer, how it is distributed, and whether the encrypted files can be recovered.
The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When victims are infected, it leaves a ransom note demanding 50,000 won, or approximately 50 USD, to get the files back. The ransomware encrypts files with AES using a static, hard-coded password of "dnwls07193147" rather than a key generated per victim, so it is easily decryptable.
When encrypting a file it will append the .locked extension to the filename.
The file extensions targeted by this ransomware are:
.txt, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg, .java, .csv, .kdc, .dxg, .xlsm, .pps, .cpp, .odt, .php, .odc, .log, .exe, .cr2, .mpeg, .jpeg, .xqx, .dotx, .pps, .class, .jar, .psd, .pot, .cmd, .rtf, .csv, .php, .docm, .xlsm, .js, .wsf, .vbs, .ini, .jpeg, .gif, .7z, .dotx, .kdc, .odm, .xll, .xlt, .ps, .mpeg, .pem, .msg, .xls, .wav, .odp, .nef, .pmd, .r3d, .dll, .reg, .hwp, .7z, .p12, .pfx, .cs, .ico, .torrent, .c
When done encrypting files, it will create a ransom note on the desktop called Warning!!!!!!.txt. This ransom note is in both Korean and English and demands 50,000 won in bitcoin as a ransom payment. Strangely, the bitcoin address given in the Korean portion belongs to a wallet seized as part of the Silk Road takedown.
The bitcoin address in the English portion is 1BoatSLRHtKNngkdXEeobR76b53LETtpyT. It has some transactions, but it is unclear whether those are related to this ransomware.
It is not currently known whether this ransomware is being actively distributed, or how.
The name is taken from properties of the executable as shown below.
In its current state, the File-Locker Ransomware can be decrypted because it uses a static key that can be retrieved from the executable. If anyone becomes a victim of this ransomware, please contact us and we will see if we can create a decryptor for you.
In order to protect yourself from the File-Locker Ransomware you should use standard security practices. This includes using good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Korean section (translated): Warning!!! All your documents, photos, databases and other important files have been encrypted!! You have to pay. Send 50,000 won in bitcoin to email@example.com. Bitcoin payment code: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX Payment site: http://www.localbitcoins.com/
English section: Warning!!! All your documents, photos, databases and other important personal files were encrypted!! You have to pay for it. Send fifty thousand won to firstname.lastname@example.org Bitcoin payment code: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT Payment site http://www.localbitcoins.com/