KnowBe4 Alert: New Strain of Sleeper Ransomware


A new dormant strain of "sleeper" ransomware has awoken and is causing a surge of trouble.

New sleeper ransomware runs rampant

Sleeper ransomware info screen

It appears we have a new player in Ransomware City, and this looks like an 800 pound gorilla very similar to CryptoLocker. -- Stu Sjouwerman, CEO KnowBe4

KnowBe4 CEO Stu Sjouwerman issued an alert to IT managers about a new strain of dangerous ransomware, called Locker, infecting employees' workstations. The ransomware had already infected workstations but sat there silently until midnight on May 25, 2015, when it woke up and started to wreak havoc on a massive scale. Within the first 24 hours of the strain rearing its ugly head, Reddit was swarmed with more than 600 comments about it.

According to Sjouwerman, “It appears we have a new player in Ransomware City, and this looks like an 800 pound gorilla very similar to CryptoLocker. It appears the infection vector is exploit kits but there are rumors of a compromised MineCraft installer. Reports on the Locker ransomware have exploded worldwide.”

Bleepingcomputer has received hundreds of emails from consultants all over the world. Based on their experience with cryptoware, they estimate that this strain has a large "installed" base, which does not bode well for IT managers.

Here is what Locker does:

  • A series of Windows services is used to install Locker on the computer and encrypt data files.
  • During the install process, Locker checks whether the computer is a virtual machine and terminates if one is detected.
  • It encrypts data files with RSA encryption and does not change the file extension.
  • After encryption, it deletes the Volume Shadow Copies on C:\ and displays its ransom interface.
  • If backups have failed and the victim is forced to pay the ransom, the ransomware downloads the private key once payment is confirmed and automatically decrypts the encrypted files.

The file types encrypted include: .doc, .docx, .xlsx, .ppt, .wmdb, .ai, .jpg, .psd, .nef, .odf, .raw, .pem, .rtf, .raf, .dbf, .header, and .odb. Again, Locker does not change the file extension, so users will instead get error messages from their applications saying the file is corrupted.
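Because Locker leaves extensions untouched, the usual "look for a new extension" triage does not work; what changes is the file's contents. The scan below is an added example written for this page, not KnowBe4's or Locker's code. It flags files whose leading bytes no longer carry the signature their extension implies and notes when those bytes look like ciphertext, then reports the oldest modification time among the hits as a lower bound on when encryption began (the question the backup recommendation raises). The magic-byte table, the 4096-byte read, the 7.5 bits/byte entropy cut-off and the sample files built in `demo()` are all this example's own assumptions, not indicators published on the page.

```python
"""Flag files whose on-disk header no longer matches their extension.

Added example for this page (not KnowBe4's or Locker's own code).
Signatures, thresholds and the demo files are assumptions of this example."""
import math
import os
import tempfile
from pathlib import Path

# Leading bytes expected for some of the extensions Locker targets.
# Container signatures only; an extension missing here is skipped, not flagged.
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".psd":  [b"8BPS"],
    ".rtf":  [b"{\\rtf"],
    ".pem":  [b"-----BEGIN"],
    ".doc":  [b"\xd0\xcf\x11\xe0"],   # OLE2 compound document
    ".ppt":  [b"\xd0\xcf\x11\xe0"],
    ".docx": [b"PK\x03\x04"],         # OOXML and OpenDocument are zip containers
    ".xlsx": [b"PK\x03\x04"],
    ".odf":  [b"PK\x03\x04"],
    ".odb":  [b"PK\x03\x04"],
    ".ai":   [b"%PDF", b"%!PS"],
}

HEAD_BYTES = 4096          # enough for the signature plus an entropy estimate
ENTROPY_THRESHOLD = 7.5    # bits per byte; ciphertext sits near 8.0 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(name: str, head: bytes):
    """Return None if `head` is plausible for the file's extension, else a reason string."""
    sigs = MAGIC.get(Path(name).suffix.lower())
    if sigs is None or any(head.startswith(s) for s in sigs):
        return None
    reason = "header mismatch"
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        reason += ", high entropy"
    return reason


def scan_tree(root):
    """Yield (path, reason, mtime) for every file under `root` that fails the check."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            try:
                with open(p, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue
            reason = classify(p.name, head)
            if reason:
                yield p, reason, p.stat().st_mtime


def earliest_hit(hits):
    """Oldest modification time among flagged files: a lower bound on when
    encryption began, and so on how far back a restore must reach."""
    times = [mtime for _, _, mtime in hits]
    return min(times) if times else None


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return sorted flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "intact.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        (root / "intact.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
        (root / "notes.txt").write_bytes(b"no signature check for .txt")
        (root / "encrypted.jpg").write_bytes(os.urandom(HEAD_BYTES))   # stand-in ciphertext
        (root / "encrypted.docx").write_bytes(os.urandom(HEAD_BYTES))
        return sorted(hit[0].name for hit in scan_tree(root))


if __name__ == "__main__":
    hits = list(scan_tree("."))
    for path, reason, _ in hits:
        print(f"{path}: {reason}")
    print("earliest flagged mtime:", earliest_hit(hits))
```

Two design points: the signature check runs before the entropy check so that legitimately compressed containers (a healthy .docx is a zip and is itself high-entropy) are cleared by their `PK` header rather than flagged, and extensions without a known signature are skipped rather than guessed at, so the scan produces leads for triage, not a verdict. Run it from a share's root after the ransom screen appears and compare the earliest hit against your backup retention.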

The ransomware screen includes a scary message stating: "Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!" This is a scare tactic designed to pressure victims into paying.

Sjouwerman recommends:

“1. Hope your backup works. Without knowing when the ransomware was installed, it is hard to determine yet how far to go back.
2. Patch early and patch often.
3. Don’t click on ads. Many new strains of malware are being carried through malvertising, where ads are placed on valid sites but redirect the clicker to a bad site that delivers the payload.
4. And as always, stepping employees through effective security awareness training is a must these days."

For more information visit: http://www.KnowBe4.com

About Stu Sjouwerman and KnowBe4
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. KnowBe4 services over 1,200 organizations in a variety of industries, including highly regulated fields such as healthcare, finance, energy, government and insurance, and is experiencing explosive yearly growth of 300%. Sjouwerman is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”

About Kevin Mitnick
Kevin Mitnick, ‘the World’s Most Famous Hacker’, is an internationally recognized computer security expert with extensive experience in exposing the vulnerabilities of complex operating systems and telecom devices. He gained notoriety as a highly skilled hacker who penetrated some of the most resilient computer systems ever developed. Today, Mitnick is renowned as an information security consultant and keynote speaker and has authored four books, including The New York Times best seller Ghost in the Wires. His latest endeavor is a collaboration with KnowBe4, LLC as its Chief Hacking Officer.


Contact Author

Kathy Wattman
KnowBe4, LLC
+1 (727) 474-9950