Today, on Christmas Eve, G Data malware analyst Karsten Hahn has come across a new ransomware family named DeriaLock, which locks your screen and requests a payment of $30.
Ransomware families generally fall in one of two categories: screen lockers (which prevent access to your computer but leave your files alone) and crypto lockers (which allow you to use your computer but encrypt all your files).
DeriaLock falls into the first category: it locks the screen and prevents users from accessing their files or applications, but leaves the data itself intact.
Discovered today after an anonymous user uploaded a copy of the ransomware's binary to VirusTotal, there is currently no information on how the ransomware spreads.
Once launched, DeriaLock takes the computer's MachineName identifier and generates an MD5 hash from it. Since malware authors often infect themselves by accident, the DeriaLock source code includes a hard-coded MD5 hash for which the screen locker won't start. This MD5, seen below, most likely belongs to DeriaLock's author.
After checking the MD5 locally, the ransomware then contacts its command and control (C&C) server and retrieves the most current version of itself, saving the file at:
DeriaLock will then run this file, which now passes all checks and starts the screen-locking behavior by showing a fullscreen window with the following ransom note:
The HWID displayed in the ransom note is the same MD5 hash generated previously.
The screen locker window also includes two buttons that, when clicked, are supposed to show translations of the ransom note in German and Spanish. Only the German translation button works.
According to Hahn, there was no trace of any Spanish text inside the ransomware's source code, which is the reason why the Spanish translation doesn't show anything.
Below is an image of what happens when users press the German translation button.
Both the English and German ransom notes are full of spelling errors.
In order to keep users from closing the screen-locking window, DeriaLock will search and kill the following processes:
Additionally, if users press the ALT + F4 keyboard shortcut to close the screen locker, a popup appears that reads: "I think that is a bad decision. Nice try mate =)"
If the victim wants to pay the ransom, he must take the HWID, contact the DeriaLock author via Skype, and send the crook $30 through an unknown payment method.
The DeriaLock operator takes this HWID and places it on his server in the form of a text file named: http://server-address/[full_MD5_hash].txt
The content of this file is the DeriaLock unlock code. The next time the victim's infected computer queries the C&C server, it will find this file, conclude that the victim has paid, take the code and unlock the computer, as shown in the code snippet below.
At the time of writing, Hahn says that the DeriaLock servers are still up and running, meaning the threat is currently being distributed to unsuspecting victims.
Furthermore, Hahn has also discovered that during its regular C&C server query routine, DeriaLock also checks the server for the presence of a special text file.
Based on the file's name (unlock-everybody.txt), we presume that this is a method of removing the screen locker from all infected computers at once.
Hahn tells Bleeping Computer that this file holds the value "0", which means that if the author updates this file to "1", he'll unlock all victims. Let's hope the DeriaLock author feels generous tomorrow morning on Christmas Day.
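As an added defensive example (not code from the article, from G Data or from the ransomware), the C&C polling pattern described above, the per-victim `[MD5].txt` lookup and the `unlock-everybody.txt` check, can be turned into detection logic over web-proxy logs. The server name `c2.example.invalid`, the log format, the inventory and the UTF-8 encoding of the MachineName are assumptions; the log lines are constructed.

```python
import hashlib
import re
from collections import defaultdict

def machine_hwid(machine_name):
    """HWID as the article describes it: the MD5 of the Windows MachineName.
    UTF-8 encoding of the name is an assumption, not something the article states."""
    return hashlib.md5(machine_name.encode("utf-8")).hexdigest()

# Constructed inventory mapping proxy client IP to hostname (e.g. from DHCP or AD).
INVENTORY = {"10.0.0.5": "DESKTOP-A1B2C3", "10.0.0.7": "LAPTOP-X", "10.0.0.9": "WS-77"}

# Constructed proxy log lines, not real traffic: "<client_ip> <method> <url> <status>".
# c2.example.invalid is a placeholder for the server address the article does not name.
SAMPLE_LOG = f"""\
10.0.0.5 GET http://c2.example.invalid/{machine_hwid('DESKTOP-A1B2C3')}.txt 404
10.0.0.5 GET http://c2.example.invalid/unlock-everybody.txt 200
10.0.0.7 GET http://www.example.invalid/index.html 200
10.0.0.9 GET http://c2.example.invalid/unlock-everybody.txt 200
10.0.0.11 GET http://c2.example.invalid/{'0' * 32}.txt 404
"""

# A request for /<32 hex chars>.txt is the per-victim unlock-code poll;
# a request for /unlock-everybody.txt is the global kill-switch poll.
HWID_POLL = re.compile(r"^https?://[^/]+/([0-9a-f]{32})\.txt$", re.IGNORECASE)
UNLOCK_ALL = re.compile(r"^https?://[^/]+/unlock-everybody\.txt$", re.IGNORECASE)

def scan(log_text, inventory):
    """Return {client_ip: sorted tags} for hosts showing DeriaLock-style polling."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, url = parts[0], parts[2]
        m = HWID_POLL.match(url)
        if m:
            findings[ip].add("hwid-poll")
            name = inventory.get(ip)
            # Strongest signal: the polled filename equals MD5(hostname) of that client.
            if name and machine_hwid(name) == m.group(1).lower():
                findings[ip].add("hwid-matches-hostname")
        elif UNLOCK_ALL.match(url):
            findings[ip].add("unlock-everybody-poll")
    return {ip: sorted(tags) for ip, tags in findings.items()}

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG, INVENTORY).items():
        print(ip, ",".join(tags))
```

A host tagged `hwid-matches-hostname` is the one worth isolating first; a bare `unlock-everybody-poll` from many hosts would indicate a wider infection polling the same server.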
The good news is that DeriaLock requires the .NET Framework 4.5 to be installed, which means it won't work on Windows XP machines.
UPDATE 1 [December 26, 2016]: Hahn spotted today versions of DeriaLock that encrypt users' files and add the .deria file extension at the end.
UPDATE 2 [December 26, 2016]: Michael Gillespie told Bleeping Computer that he found a way to recover files encrypted by the recent DeriaLock version that appends the .deria extension at the end of files. Victims should reach out to him via his Bleeping Computer profile or Twitter account.
UPDATE 3 [December 27, 2016]: Hahn detected a new DeriaLock version that threatens to delete a user's files if he doesn't pay the ransom and restarts his computer. The DeriaLock decrypter created by Gillespie still works.