A team of malware developers is preparing to sell a new ransomware programme that encrypts files on infected computers, according to a volunteer group of security researchers who tracked the development of the threat on underground forums in recent weeks.
The new malware is called PowerLocker and its development was most likely inspired by the success of the CryptoLocker ransomware Trojan programme, which has infected more than 250,000 computers since September.
Like CryptoLocker, PowerLocker allegedly uses strong encryption that prevents users from recovering files unless they pay or have backups. However, it’s also more sophisticated and potentially more dangerous because its developers reportedly intend to sell it to other cybercriminals.
Malware Must Die (MMD), a group of security researchers dedicated to fighting cybercrime, spotted a post on an underground forum at the end of November in which a malware writer announced a new ransomware project. That project, initially under the name Prison Locker, later became PowerLocker.
MMD researchers tracked the development of the threat and decided to make the information they gathered public on Friday out of concern that, if completed and released, the new ransomware programme could cause a lot of damage. The group published a blog post with screenshots of several underground forum messages describing the malware’s alleged features at various stages of completion, as well as its planned price.
Based on a progress report by the malware’s main developer – a user with the online identity “gyx” – PowerLocker consists of a single file that’s dropped in the Windows temporary folder. Once run on a computer for the first time, it begins encrypting all user files stored on local drives and network shares, except for executable and system files.
Every file is encrypted using the Blowfish algorithm with a unique key. Those keys are then encrypted with a 2048-bit RSA key that’s part of a public-private key pair unique for every computer. The computer owners will have the public keys, but won’t have the corresponding private RSA keys needed to decrypt the Blowfish keys.
This is similar to how CryptoLocker’s encryption scheme is implemented, but PowerLocker goes even further. Once the encryption stage is done, it disables the Windows and Escape keys and prevents a number of other useful utilities like taskmgr.exe, regedit.exe, cmd.exe, explorer.exe and msconfig.exe from being used.
It then uses the functionality in Windows to create a secondary desktop and displays the ransom message there. The malware checks every few milliseconds to see whether the new desktop is the active one and prevents users from switching away from it, making the Alt+Tab keyboard shortcut and applications running on the primary desktop irrelevant.
The malware is also capable of detecting whether it’s run in virtual machines, sandboxes or debugging environments, a feature designed to prevent security researchers from analysing it using their usual tools.
The advertised malware programme, if real, adds extra layers of sophistication to a family of threats that’s already difficult to combat, said Bogdan Botezatu, a senior e-threat analyst at antivirus firm Bitdefender, Monday. “From the malware’s description, it looks like its creator has blended CryptoLocker with the FBI ransomware [ransomware impersonating the FBI and other law enforcement agencies] to create a two-layer lock: the desktop lock and the file encryption.”
Another important difference between CryptoLocker and PowerLocker is that the new threat is supposed to be sold as a crimepack to other cybercriminals.
“While CryptoLocker was tailor-made for a select group of individuals, the PowerLocker as they call it is a tool that would be available for purchase, thus making any script-kiddie a potential attacker,” he said. “If it is real, we expect it to hit really hard.”
According to the underground forum messages shared by MMD, the PowerLocker author has partnered with another developer to create the malware’s command-and-control panel and the graphical user interface and is very close to completing them. The developers plan to sell the malware for US$100 in Bitcoins per initial build and $25 per rebuild.
“Besides the fact that this is a crimepack, it also adds extra features such as locking the user outside of the box, thus taking the machine out of production completely,” Botezatu said. If it goes viral, it could cause serious problems for mission-critical systems like hospital computers, he said.
Botezatu expects other similar malware programmes to be developed and used this year.
“Trojans like GPcode have set the standard for commercial ransomware, while the ROI rates of the FBI Trojan and CryptoLocker have probably incentivised other cybercriminal groups into joining the ransomware pack,” he said. “Ransomware is easy money and that’s what cybercriminals are after.”
Most malware today is distributed through exploits for vulnerabilities in popular software programs like Java, Flash Player and others, so it is very important to keep all applications up-to-date to prevent infection with ransomware and other threats.
Backing up important data regularly is essential to recovering files in case of infection if users are to avoid paying money to cybercriminals. However, backups should not be stored on the same computer or on network shares to which the computer has write access, because the malware could damage the backups as well.
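The backup advice above can be checked mechanically. The following is an added example, not part of the original article: it flags a backup folder that sits on the same volume as the data, is nested inside it, or is writable by the current account. The function names and the finding labels are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


def can_write(directory):
    """Probe by creating a file; a real create attempt is more reliable
    than os.access() where ACLs or read-only mounts apply."""
    try:
        fd, name = tempfile.mkstemp(prefix=".backup-probe-", dir=directory)
    except OSError:
        return False
    os.close(fd)
    os.unlink(name)
    return True


def audit_backup_target(data_dir, backup_dir):
    """Return findings that make a backup reachable by malware running as
    the current user on this machine. An empty list means none were found."""
    data = Path(data_dir).resolve()
    backup = Path(backup_dir).resolve()
    if not backup.is_dir():
        return ["missing"]
    findings = []
    # Same device id: the backup sits on the same volume as the data.
    if os.stat(data).st_dev == os.stat(backup).st_dev:
        findings.append("same-volume")
    # Backup folder nested under the data it is meant to protect.
    if backup == data or data in backup.parents:
        findings.append("inside-data-tree")
    # Anything this account can write, a process running as it can overwrite.
    if can_write(backup):
        findings.append("writable")
    return findings


if __name__ == "__main__":
    # Constructed layout: a documents folder with a backup folder inside it.
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root, "documents")
        nested = docs / "backup"
        nested.mkdir(parents=True)
        for target in (nested, Path(root, "not-mounted")):
            print(target.name, audit_backup_target(docs, target))
```

Run it under the same account that works with the data, since that is the account whose write access ransomware would inherit. A mapped network share that reports "writable" is exposed in the way the article describes.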