
Cybercrooks developing dangerous new file-encrypting ransomware, researchers warn

The new threat might be even more difficult to remove than CryptoLocker, which plagued users in recent months

By Lucian Constantin, IDG News Service
January 06, 2014 02:36 PM ET

IDG News Service - A team of malware developers is preparing to sell a new ransomware program that encrypts files on infected computers and asks victims for money to recover them, according to a volunteer group of security researchers who tracked the development of the threat on underground forums in recent weeks.

The new malware is called PowerLocker, and its development was most likely inspired by the success of the CryptoLocker ransomware Trojan program, which has infected more than 250,000 computers since September.

Like CryptoLocker, PowerLocker allegedly uses strong encryption that prevents users from recovering files unless they pay or have backups. However, it's also more sophisticated and potentially more dangerous because its developers reportedly intend to sell it to other cybercriminals.

Malware Must Die (MMD), a group of security researchers dedicated to fighting cybercrime, spotted a post on an underground forum at the end of November in which a malware writer announced a new ransomware project. That project, initially under the name Prison Locker, later became PowerLocker.

MMD researchers tracked the development of the threat and decided to make the information they gathered public on Friday out of concern that, if completed and released, the new ransomware program could cause a lot of damage. The group published a blog post with screenshots of several underground forum messages describing the malware's alleged features at various stages of completion, as well as its planned price.

Based on a progress report by the malware's main developer -- a user with the online identity "gyx" -- PowerLocker consists of a single file that's dropped in the Windows temporary folder. Once run on a computer for the first time, it begins encrypting all user files stored on local drives and network shares, except for executable and system files.

Every file is encrypted using the Blowfish algorithm with a unique key. Those per-file keys are then encrypted with a 2048-bit RSA key that is part of a public-private key pair generated for every infected computer. The computer holds only the public key; the corresponding private RSA key needed to decrypt the Blowfish keys stays with the attackers.
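A practical consequence of this scheme is that a responder cannot recover the per-file keys, but can still identify which files were touched: Blowfish output has a near-uniform byte distribution, unlike most documents. The following triage script, added here as an illustration and not part of the article or of MMD's report, flags high-entropy files while skipping executable and system files (the suffix list and the 7.5 bits-per-byte threshold are assumptions); note that already-compressed formats such as ZIP or JPEG also score high and need to be excluded by hand.

```python
import math
from collections import Counter
from pathlib import Path
from typing import Dict, List

# The article says executables and system files are left alone; this concrete
# suffix list is an assumption for the example, not taken from the report.
SKIP_SUFFIXES = {".exe", ".dll", ".sys"}
# Assumed threshold: uniform random (or well-encrypted) data approaches 8.0 bits/byte,
# plain text usually sits around 4-5, so 7.5 separates the two with some margin.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, min_size: int = 64) -> bool:
    """True when the byte distribution is near-uniform.

    Very small inputs are never flagged: an entropy estimate over a handful
    of bytes is meaningless and would only produce false positives.
    """
    return len(data) >= min_size and shannon_entropy(data) >= ENTROPY_THRESHOLD


def classify_files(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files that look encrypted, ignoring executable/system
    suffixes. Pure function over name -> content so it is easy to test offline."""
    hits = []
    for name, content in files.items():
        if Path(name).suffix.lower() in SKIP_SUFFIXES:
            continue
        if looks_encrypted(content):
            hits.append(name)
    return sorted(hits)


def scan_tree(root: str, sample_bytes: int = 65536) -> List[str]:
    """Walk a directory (for example a mounted image of the affected disk) and
    classify the first sample_bytes of every regular file."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with open(path, "rb") as fh:
                files[str(path)] = fh.read(sample_bytes)
    return classify_files(files)
```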

This is similar to how CryptoLocker's encryption scheme is implemented, but PowerLocker goes even further. Once the encryption stage is done, it disables the Windows and Escape keys and prevents a number of other useful utilities like taskmgr.exe, regedit.exe, cmd.exe, explorer.exe and msconfig.exe from being used.

It then uses Windows' built-in support for multiple desktops to create a secondary desktop and displays the ransom message there. The malware checks every few milliseconds whether the new desktop is the active one and prevents users from switching away from it, which makes the Alt+Tab keyboard shortcut and any applications running on the primary desktop useless.

The malware is also capable of detecting whether it's run in virtual machines, sandboxes or debugging environments, a feature designed to prevent security researchers from analyzing it using their usual tools.
