Shadowlock ransom Trojan demands victims fill in survey for unlock key

Plays Close Encounters of the Third Kind

Symantec has discovered a bizarre ransom Trojan that eschews the usual demand for payment in favour of asking its victims to fill in an online survey to get an unlock code.

Given the name 'Shadowlock' by the security firm, the underlying engineering of the Trojan is much the same as any one of the numerous other examples of ransomware.

Infected Windows PCs display a dialogue box asking for the unlock code, along with a hint that victims can find it after visiting a website linking to a list of different prize surveys or by downloading unnecessary software such as a media player.

The box won't clear until the survey code has been entered, and can't be closed using the Task Manager. Attempts to investigate using the command prompt, PowerShell, Regedit, or MSConfig are also denied, as is the ability to bypass it by invoking a restore point.

Entering the code incorrectly three times, or just attempting to close the dialogue, causes the system to shut down. Upon a reboot the same dialogue reappears after 20 seconds, the length of time the users have to try and shut it down using the Task Manager.

Shadowlock can also nix browsers and certain system tools as well as consume free resources and disable the Windows firewall.

Because Shadowlock was built using .NET, Symantec was able to decompile it well enough to discover some of its more eccentric secrets, including an 'Easter egg', a hidden routine that plays the five-note theme from the 1976 alien abduction film Close Encounters of the Third Kind.

Other abilities include being able to reverse mouse buttons and open the CD tray or open Windows utilities.

"It turns out the malware author has a sense of humor," wrote Symantec researcher Fred Gutierrez in his blog on Shadowlock.

He speculates that the survey tactic might be an experiment to see how much response it gets, or perhaps part of a genuine money-making scheme.

"These functions (as well as others) may find themselves being used in a future variant."

Stories by John E Dunn
