SecurityWeek

Malware & Threats

PrisonLocker Ransomware an ‘Evolution’ From CryptoLocker

Security researchers with Malware Must Die have been tracking a sophisticated new piece of ransomware that may soon be ready to be released into the wild.

Originally called PrisonLocker but also known as PowerLocker, the malware has apparently been under development for several months and has been promoted on various hacker forums as well as publicly on Pastebin. Written in C/C++, the malware will, according to its author, encrypt virtually every file on an infected machine, except .exe, .sys, .dll and other system files, using Blowfish. The uniquely generated Blowfish key is then encrypted with RSA-2048. The ransomware also encrypts files on shared drives and detects virtual machine, debugger and sandbox environments.

“You can either approve or deny (resetting the removal clock duration, specified by you during purchase) a payment code, and then unlock/decrypt files on the PC (identified by IP),” according to an announcement of the malware posted on Pastebin.

Calling the malware a natural evolution from CryptoLocker, Bit9 CTO Harry Sverdlove said that he expects more ransomware to be on the horizon in 2014.

“Based on the successes and failures of its predecessors, PrisonLocker appears to use more efficient methods of deterring security analysts and threat researchers, such as virtual machine/sandbox detection and more comprehensive disabling of user interaction,” he said. “The techniques used by these types of ransomware attacks are well documented and not necessarily advanced, but they are unfortunately very effective.”

The malware author claims to be willing to sell the malware for about $100 per license. In an ironic twist, Malware Must Die said they were able to tie the malware’s author to a Twitter account @Wenhsl and the security blog Wenhsl[dot]blogspot.com. In the Twitter profile, the user describes himself as an “infosec/malware researcher.”

Andrew Meyer, vice president of intelligence services at CrowdStrike, speculated that the person may have a foot in two worlds – the white hat world and the black hat world.

“He’s probably seeing that being a legitimate security researcher was not as financially-motivating or beneficial as he hoped it might have been, so maybe he’s starting to look into other options,” he said.

He added that posting details of the malware to a public forum was not a smart idea.

“This is not somebody…I would say was maybe as good a criminal as he was a coder perhaps because his operational security was just terrible,” he said.

Malware Must Die urged law enforcement to take a look at the information that has been gathered on the case and the suspect.

“Most malware authors are no different than everyone else – they follow trends that have proven to be successful,” said Sverdlove. “CryptoLocker has garnered a lot of press lately and has been very lucrative for the criminals. That’s a two-for-one win: the attackers get both money and glory, appealing to both criminals and hackers alike. It is inevitable that copycats and variants will follow. CryptoLocker has shown everyone how effective and profitable [ransomware] can be without much effort.”
