New 'sleeper' ransomware laid dormant on infected PCs until this week, report says

Dubbed Locker, this 'sleeper' ransomware had laid dormant on infected devices until those behind the scam activated it earlier this week.

A new strain of ransomware that had laid dormant on infected devices suddenly "woke up" at midnight on Monday, May 25, security firm KnowBe4 said in an alert issued today.

Ransomware encrypts all the files on the devices it infects and demands a ransom payment in exchange for the decryption key to give the content back to the original owner.

See also: Ransomware: Pay it or fight it?

KnowBe4 CEO Stu Sjouwerman says this new strain of malware, dubbed Locker, is "very similar to CryptoLocker," the first successful modern form of ransomware that was released in late 2013 and was thwarted last year. Locker is a "sleeper" strain of malware, meaning that victims may have unintentionally downloaded it earlier, but that their devices were not encrypted until the ransomware was activated earlier this week.

PC help site Bleeping Computer has seen hundreds of reported Locker victims worldwide already, and believes it has a large installed base, KnowBe4 said in its alert. Sjouwerman says some reports indicate that the ransomware could have originated in a "compromised MineCraft installer."

Once Locker encrypts an infected device's files, it issues a warning against users and IT professionals who might try to find another way around paying the ransom:

"Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!" the notice reads.

KnowBe4 said Locker demands a relatively small ransom payment, 0.1 bitcoin, which currently costs $23.75 (bitcoin's value fluctuates constantly, but it was at about $237.47 for one bitcoin at the time this was written). Most ransomware attacks demand about $500 payment from all victims, suggesting that Locker is designed to make it easier for more victims to pay.

The notice that Locker issues promises that it will decrypt files in exchange for payment.

"If the payment is confirmed the decryption key will be send [sic] to your computer and the Locker software will automatically start the decrypting process," the notice reads. "We have absolutely no interest in keeping your files encrypted forever."

Most ransomware campaigns stick to this promise to ensure that victims will pay the fee. Ransomware perpetrators know that if people don't receive their files in exchange for the payments, word will get out to the public and no victims of ransomware will pay in the future. In a previous interview with Network World, Sjouwerman said that in his experience, every ransomware victim who had paid the ransom received their decryption key in exchange, and in most cases they received it within an hour of sending the payment.

The reality of ransomware right now is that many of the devices infected will not have adequate backups installed, and even many of those who do back up files tend to find that the restore functions isn't working, rendering their backups useless. These victims have no recourse than to pay the ransom. In several cases, small police departments in the U.S. have had to pay the ransom to retrieve critical evidence files that were encrypted by ransomware, even after consulting with the FBI and U.S. military cybersecurity experts.


Copyright © 2015 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022