Cybercrooks developing dangerous new file-encrypting ransomware, researchers warn

The new threat might be even more difficult to remove than CryptoLocker, which plagued users in recent months

A team of malware developers is preparing to sell a new ransomware program that encrypts files on infected computers and asks victims for money to recover them, according to a volunteer group of security researchers who tracked the development of the threat on underground forums in recent weeks.

The new malware is called PowerLocker and its development was most likely inspired by the success of the CryptoLocker ransomware Trojan program, which has infected more than 250,000 computers since September.

Like CryptoLocker, PowerLocker allegedly uses strong encryption that prevents users from recovering files unless they pay or have backups. However, it's also more sophisticated and potentially more dangerous because its developers reportedly intend to sell it to other cybercriminals.

Malware Must Die (MMD), a group of security researchers dedicated to fighting cybercrime, spotted a post on an underground forum at the end of November in which a malware writer announced a new ransomware project. That project, initially under the name Prison Locker, later became PowerLocker.

MMD researchers tracked the development of the threat and decided to make the information they gathered public on Friday out of concern that, if completed and released, the new ransomware program could cause a lot of damage. The group published a blog post with screen shots of several underground forum messages describing the malware's alleged features at various stages of completion, as well as its planned price.

Based on a progress report by the malware's main developer -- a user with the online identity "gyx" -- PowerLocker consists of a single file that's dropped in the Windows temporary folder. Once run on a computer for the first time, it begins encrypting all user files stored on local drives and network shares, except for executable and system files.

Every file is encrypted using the Blowfish algorithm with a unique key. Those keys are then encrypted with a 2048-bit RSA key that's part of a public-private key pair unique for every computer. The computer owners will have the public keys, but won't have the corresponding private RSA keys needed to decrypt the Blowfish keys.

This is similar to how CryptoLocker's encryption scheme is implemented, but PowerLocker goes even further. Once the encryption stage is done, it disables the Windows and Escape keys and prevents a number of other useful utilities like taskmgr.exe, regedit.exe, cmd.exe, explorer.exe and msconfig.exe from being used.

It then uses built-in Windows functionality to create a secondary desktop and displays the ransom message there. The malware checks every few milliseconds whether the new desktop is the active one and prevents users from switching away from it, making the Alt+Tab keyboard shortcut and applications running on the primary desktop irrelevant.

The malware is also capable of detecting whether it's run in virtual machines, sandboxes or debugging environments, a feature designed to prevent security researchers from analyzing it using their usual tools.

The advertised malware program, if real, definitely adds extra layers of sophistication to a family of threats that's already difficult to combat, said Bogdan Botezatu, a senior e-threat analyst at antivirus firm Bitdefender, Monday via email. "From the malware's description, it looks like its creator has blended CryptoLocker with the FBI ransomware [ransomware impersonating the FBI and other law enforcement agencies] to create a two-layer lock: the desktop lock and the file encryption."

Another important difference between CryptoLocker and PowerLocker is that the new threat is supposed to be sold as a crimepack to other cybercriminals.

"While CryptoLocker was tailor-made for a select group of individuals, the PowerLocker as they call it is a tool that would be available for purchase, thus making any script-kiddie a potential attacker," he said. "If it is real, we expect it to hit really hard."

According to the underground forum messages shared by MMD, the PowerLocker author has partnered with another developer to create the malware's command-and-control panel and the graphical user interface and is very close to completing them. The developers plan to sell the malware for US$100 in Bitcoins per initial build and $25 per rebuild, which is a very accessible price for cybercriminals.

"Besides the fact that this is a crimepack, it also adds extra features such as locking the user outside of the box, thus taking the machine out of production completely," Botezatu said. If it goes viral, it could cause serious problems for mission-critical systems like hospital computers, he said.

Botezatu expects other similar malware programs to be developed and used this year.

"Trojans like GPcode have set the standard for commercial ransomware, while the ROI [return on investment] rates of the FBI Trojan and CryptoLocker have probably incentivized other cybercriminal groups into joining the ransomware pack," he said. "Ransomware is easy money and that's what cybercriminals are after."

Most malware today is distributed through exploits for vulnerabilities in popular software programs like Java, Flash Player and others, so it is very important to keep all applications up-to-date to prevent infection with ransomware and other threats.

Backing up important data regularly is essential if users are to recover their files after an infection without paying cybercriminals. However, backups should not be stored on the same computer or on network shares to which the computer has write access, because the malware could damage the backups as well.

Stories by Lucian Constantin