FilesLocker Ransomware Appears on Chinese Underground Forums

Delaware, USA – October 26, 2018 — Another entrant has joined the list of Ransomware-as-a-Service platforms. FilesLocker ransomware is being marketed on Chinese underground forums hidden in the Tor network. The authors offer the malware for free, but every affiliate who spreads FilesLocker is expected to infect at least ten victims per day and to return 40% of each ransom paid to the developers; a discount scheme is offered to the most successful affiliates. FilesLocker is written in C# and can infect almost any system running Microsoft Windows. The malware does not communicate with a command-and-control server during infection; after encrypting files, it downloads an image through an IPLogger.com shortened URL, which lets the operators keep statistics on the number of victims. FilesLocker encrypts files with a combination of RSA-2048 and AES, appends the .locked extension to them, and then uses vssadmin.exe to delete all shadow copies. When building each sample, the operators specify the ransom amount in bitcoin, the wallet address and a contact email. Attackers also offer victims the decryption of up to 3 files for free as proof that decryption is possible. The ransom note is provided in English and Chinese.
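Two of the behaviours described above, the vssadmin.exe shadow-copy deletion and the mass renaming of files to the .locked extension, are observable in endpoint telemetry before a ransom note is ever read. The following script is an added detection example, not code from the original article or from SOC Prime's Ransomware Hunter content pack. It runs two rules over constructed, Sysmon-like process-creation and file-rename log lines; the `host=`/`event=`/`image=`/`cmdline=`/`target=` field names, the log format and the burst threshold (5 renames in 60 seconds) are assumptions chosen for the example.

```python
"""Detect FilesLocker-style ransomware behaviour in endpoint logs (added example).

Rule 1: vssadmin.exe invoked to delete shadow copies (the article's post-encryption step).
Rule 2: a burst of files renamed to the .locked extension on one host.
The log lines below are constructed samples in a simplified key=value format, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one infected host (WS01) and one benign host (WS02).
SAMPLE_LOGS = """\
2018-10-26T10:00:01 host=WS01 event=process_create image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet" parent=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
2018-10-26T10:00:02 host=WS01 event=file_rename target=C:\\Users\\bob\\Documents\\a.docx.locked
2018-10-26T10:00:02 host=WS01 event=file_rename target=C:\\Users\\bob\\Documents\\b.xlsx.locked
2018-10-26T10:00:03 host=WS01 event=file_rename target=C:\\Users\\bob\\Pictures\\c.jpg.locked
2018-10-26T10:00:03 host=WS01 event=file_rename target=C:\\Users\\bob\\Pictures\\d.png.locked
2018-10-26T10:00:04 host=WS01 event=file_rename target=C:\\Users\\bob\\Desktop\\e.pdf.locked
2018-10-26T10:00:05 host=WS01 event=file_rename target=C:\\Users\\bob\\Desktop\\f.txt.locked
2018-10-26T10:05:00 host=WS02 event=process_create image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows" parent=C:\\Windows\\explorer.exe
2018-10-26T10:06:00 host=WS02 event=file_rename target=C:\\Users\\alice\\notes.txt.locked
"""

# key=value pairs; values may be double-quoted when they contain spaces (e.g. cmdline).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None for malformed lines."""
    ts, _, rest = line.strip().partition(" ")
    try:
        event = {"ts": datetime.fromisoformat(ts)}
    except ValueError:
        return None
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event if "event" in event and "host" in event else None


def parse_logs(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect_shadow_copy_deletion(events):
    """Alert on vssadmin.exe deleting shadow copies; 'vssadmin list shadows' is left alone."""
    alerts = []
    for e in events:
        if e.get("event") != "process_create":
            continue
        image = e.get("image", "").lower()
        cmd = e.get("cmdline", "").lower()
        if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
            alerts.append({"rule": "vssadmin_shadow_delete", "host": e["host"],
                           "ts": e["ts"].isoformat(), "parent": e.get("parent", "")})
    return alerts


def detect_locked_burst(events, threshold=5, window_seconds=60):
    """Alert when one host renames >= threshold files to .locked inside a sliding window."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("event") == "file_rename" and e.get("target", "").lower().endswith(".locked"):
            per_host[e["host"]].append(e["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = []
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "locked_extension_burst", "host": host,
                               "ts": ts.isoformat(), "count": end - start + 1})
                break  # one alert per host is enough for triage
    return alerts


def run(log_text, threshold=5, window_seconds=60):
    """Run both rules over raw log text and return the combined alert list."""
    events = parse_logs(log_text)
    return detect_shadow_copy_deletion(events) + detect_locked_burst(events, threshold, window_seconds)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

Both rules fire only for WS01: the shadow-copy deletion is attributed to its parent process (useful for pivoting to the dropped sample), and the rename burst triggers on the fifth .locked file within the window, early enough that most of the user's data is still intact. The `vssadmin.exe list shadows` call on WS02 does not match, so the rule avoids alerting on ordinary administrative use of the same binary.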

The malware is not especially advanced, but it is quite efficient at its task. The distribution model attracts many rookie cybercriminals to this new ransomware platform, and experienced attackers also leverage RaaS platforms, using a fresh ransomware sample in each campaign. The Ransomware Hunter content pack natively integrates with SIEM and leverages behavioral analysis and statistical profiling methods, OSINT feeds and strictly defined correlation rules to uncover ransomware attacks at early stages of the Cyber Kill Chain: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight