Locker Ransomware
June 1, 2015

This is a new strain of ransomware that lies dormant on infected computers until the malware operators decide to unleash it upon unsuspecting victims. The malware uses a sleeper function: it first infects the maximum number of machines and then activates when no one expects it.

Due to the increased number of users reporting infections, it is possible that many victims were infected for months before the malware was activated. Security firm KnowBe4 estimates that victims were infected for two or three months without being aware of it.


The malware employs RSA encryption to lock the users' files and demands a ransom of 0.1 Bitcoin (see Definition) before victims can retrieve their data.

Though different attacks have displayed different warning messages with varying version numbers of the ransomware, the version number has no significance to the infection. The bottom line is that if you are infected, your data is encrypted.

Take note that this malware and its variants will attempt to delete all shadow copies whenever you run any executable on the computer after it has become infected. Fortunately, the infection is not always able to remove the shadow copies, so you may be able to restore some of the files with the method below.

When you have System Restore (see Definition) enabled on your computer, Windows creates shadow copy snapshots that contain copies of your files from the point in time when the restore point was created. This allows you to restore your files to the state they were in before they were encrypted. Note that this is not a foolproof method: although the restored files will not be encrypted, they may not be the latest versions of the files.

Note: Shadow copies, also called Shadow Volume Copies, are only available in Windows XP Service Pack 2, Windows Vista, and Windows 7 and 8.
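The recovery method described above, written out as an added PowerShell example that is not part of the original post. It assumes an elevated session on Windows 7 or 8, that at least one snapshot survived the malware's deletion attempt, and that the file path, destination folder and infection date are placeholders to be replaced by the operator.

```powershell
# Added example (not from the original post): list Volume Shadow Copy snapshots
# for a volume and copy one file out of the newest snapshot that predates the
# suspected infection. Assumes Windows 7/8, an elevated PowerShell session, and
# that the malware did not manage to delete every snapshot.
param(
    [string]$Volume       = 'C:\',                                # volume the snapshots were taken of
    [string]$RelativePath = 'Users\Alice\Documents\report.docx', # file to recover (placeholder path)
    [string]$RestoreTo    = 'C:\Recovered',                       # destination folder (placeholder)
    [datetime]$InfectedAt = (Get-Date).AddMonths(-3)              # earliest suspected infection time (placeholder)
)

# Win32_ShadowCopy.VolumeName holds the \\?\Volume{guid}\ id, so map the drive letter to it first.
$volumeGuid = (Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Volume }).DeviceID
$snapshots = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volumeGuid } |
    Sort-Object InstallDate -Descending

if (-not $snapshots) { throw "No shadow copies found for $Volume; the malware may have deleted them all." }

# Show what survived so the operator can judge how stale the copies are.
$snapshots | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Pick the newest snapshot created before the infection window; later ones may already hold encrypted files.
$clean = $snapshots | Where-Object { $_.InstallDate -lt $InfectedAt } | Select-Object -First 1
if (-not $clean) { throw "Every snapshot postdates $InfectedAt; their contents may already be encrypted." }

# The \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path cannot be opened directly by Copy-Item,
# so expose the snapshot through a temporary directory symlink (trailing backslash is required).
$link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
cmd.exe /c mklink /d "$link" "$($clean.DeviceObject)\" | Out-Null
try {
    New-Item -ItemType Directory -Path $RestoreTo -Force | Out-Null
    $source = Join-Path $link $RelativePath
    if (-not (Test-Path $source)) { throw "File not present in snapshot $($clean.ID): $RelativePath" }
    Copy-Item -Path $source -Destination $RestoreTo
    Write-Host "Restored $RelativePath from snapshot taken $($clean.InstallDate) into $RestoreTo"
}
finally {
    # Remove only the symlink; the snapshot itself is left untouched.
    cmd.exe /c rmdir "$link" | Out-Null
}
```

Run the listing step first and compare snapshot dates against when the infection is believed to have started, since anything restored from a snapshot taken after that point may itself be encrypted.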

Locker malware is said to target a number of file types, including .doc, .docx, .ppt, .header and .rtf files. If it detects that it is running in a virtual machine environment, the malware will terminate.

The ransomware is spread through exploit kits and through compromised Minecraft installers downloaded by gamers. It is only a matter of time before the malware is also delivered by phishing attacks.

 

Recommendation

  1. Back up data (highly recommended).
  2. Install patch updates as soon as they are available.
  3. Avoid clicking on ads, because malware is sometimes spread through malvertising.
  4. Engage employees in security awareness training.

 

Definition

  1. Bitcoin – an online payment system. It is sometimes referred to as a virtual currency or a crypto-currency, and can be sent over the internet.
  2. System Restore – a feature in Microsoft Windows that allows users to restore their computers to a previous state without losing personal data files. It automatically creates restore points, to which you can revert your system so that it is the way it was at an earlier time.

 

Source

  1. SC Magazine.
  2. Bleeping Computer.
  3. Kaspersky blog (image on page 1).