SecurityWeek

Malware & Threats

PrisonLocker Ransomware an ‘Evolution’ From CryptoLocker

Security researchers with Malware Must Die have been tracking a sophisticated new piece of ransomware that may soon be ready to be released into the wild.

Originally called PrisonLocker but also known as PowerLocker, the malware has been apparently under development for several months and has been promoted in various hacker forums as well as publicly on Pastebin. Written in C/C++, the malware’s author says that it will encrypt virtually every file on infected machines – except .exe, .sys, .dll and other system files – via Blowfish. The uniquely generated Blowfish key is then encrypted with RSA-2048 encryption. The ransomware also encrypts files on shared drives, and detects virtual machine, debugger and sandbox environments.

“You can either approve or deny (resetting the removal clock duration, specified by you during purchase) a payment code, and then unlock/decrypt files on the PC (identified by IP),” according to an announcement of the malware posted on Pastebin.

Calling the malware a natural evolution from CryptoLocker, Bit9 CTO Harry Sverdlove said that he expects more ransomware to be on the horizon in 2014.

“Based on the successes and failures of its predecessors, PrisonLocker appears to use more efficient methods of deterring security analysts and threat researchers, such as virtual machine/sandbox detection and more comprehensive disabling of user interaction,” he said. “The techniques used by these types of ransomware attacks are well documented and not necessarily advanced, but they are unfortunately very effective.”

The malware author claims to be willing to sell the malware for about $100 per license. In an ironic twist, Malware Must Die said they were able to tie the malware’s author to a Twitter account @Wenhsl and the security blog Wenhsl[dot]blogspot.com. In the Twitter profile, the user describes himself as an “infosec/malware researcher.”

Andrew Meyer, vice president of intelligence services at CrowdStrike, speculated that the person may have a foot in two worlds – the white hat world and the black hat world.

“He’s probably seeing that being a legitimate security researcher was not as financially-motivating or beneficial as he hoped it might have been, so maybe he’s starting to look into other options,” he said.

He added that posting details of the malware to a public forum was not a smart idea.

“This is not somebody … I would say was maybe as good a criminal as he was a coder perhaps because his operational security was just terrible,” he said.

Malware Must Die urged law enforcement to take a look at the information that has been gathered on the case and the suspect.

“Most malware authors are no different than everyone else – they follow trends that have proven to be successful,” said Sverdlove. “CryptoLocker has garnered a lot of press lately and has been very lucrative for the criminals. That’s a two-for-one win: the attackers get both money and glory, appealing to both criminals and hackers alike. It is inevitable that copycats and variants will follow. CryptoLocker has shown everyone how effective and profitable [ransomware] can be without much effort.”
