# Stop Malvertising **[stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html](http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html)** Introduction to the ZeroLocker ransomware [Written by Kimberly on Sunday, 31 August 2014. Posted in Malware Reports Viewed](https://stopmalvertising.com/malware-reports/) 43290 times A new ransomware called ZeroLocker has surfaced. The files are encrypted with AES (*) encryption. Currently the threat is considered as the most destructive ransomware we have seen to date. ZeroLocker does not only target data files; it encrypts ALL files on the hard drive, including executables, with AES encryption unless they are located in certain folders or larger than 20 MegaBytes. The folders exempt from encryption are the ones containing the following keywords: Windows, WINDOWS, Program Files, ZeroLocker and Desktop. Encrypted files will have .encrypted appended to their filename. ZeroLocker performs several outbound connections to 5.199.171.47, a VPs located in Skri Lanka. When the threat has finished encrypting the files, it will run the C:\WINDOWS\SYSTEM32\CIPHER.EXE /W:C:\ command in order to overwrite all deleted data on the hard drive. Doing so makes it impossible to use recovery tools to restore files. The main issue with ZeroLocker resides in the fact that when it uploads the decryption key to the server, the C2 returns a 404 not found because the requested page doesn’t exist on the server. Therefore the key isn’t stored in any database or file for later recovery. The only way to recover the key would be to manually filter through the HTTP access logs if they still exist. ----- This coding mistake on behalf of the developer essentially renders the encrypted computer completely useless as the victim is unable to retrieve the decryption key even after paying the ransom. ZeroLocker is considered as very destructive especially for companies that have custom software installed under normal paths. Currently the infection doesn’t delete the Windows System Restore points so files can be restored using a program like Shadow Explorer or Windows built-in Previous Version. This could change at any stage of course. Payment is only accepted in Bitcoins. The initial ransom is $300, after 5 days the price will increase to $600 and after 10 days the victim will have to pay $1000. **_Source:_** _[Bleeping Computer](http://www.bleepingcomputer.com/forums/t/544555/zerolocker-a-new-destructive-encrypting-ransomware/)_ [The first instance of ZeroLocker was discovered on a French forum assisting people with](http://www.commentcamarche.net/forum/affich-30620502-zerolocker-recuperer-mes-fichiers-cryptes-par-un-ransomware) malware removal on August 8, 2014. **ZeroLocker** Overview of functions. [The author didn't use AES encryption but used the RijndaelManaged class from the](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) .NET Framework. ----- ----- The random number generator is seeded Envionment.TickCount, a 32-bit signed integer containing the amount of time in milliseconds that has passed since the last time the computer was started. The strength of the password is less than 32-bit. ----- Upon execution the threat will: ----- 1. Create a folder called C:\ZeroLocker 2. Perform the following outbound connection and save the binary as C:\ZeroLocker\ZERORESCUE.EXE GET /patriote/sansviolence 3. A corresponding registry entry is created so that ZERORESCUE.EXE runs each time the computer starts. 4. Retrieve the Bitcoin address used to pay the ransom and save it as C:\ZeroLocker\ADDRESS.DAT GET /zConfig/171386 1CkwfDadjXPhp3XrUU5J8hQhUtbecH7t1N 5. Upload the decryption key to the server. The request returns a 404. GET /zImprimer/[ID based upon MAC-ADDRESS]-[PASSWORD]-[BITCOIN ADDRESS] 6. Encrypt the files on the hard drive. For each encrypted file the original file is deleted. 7. Perform the following outbound connection and save the response as C:\ZeroLocker\LOG.DAT GET /enc/1 8. Launch an instance of C:\WINDOWS\SYSTEM32\CIPHER.EXE with the following command line parameters: cipher.exe" /w:c:\ ----- 9. Reboot the compromised computer using the following command: c:\windows\system32\shutdown.exe" /r /t 0 /f 10. Upon reboot the ransomware notice is displayed via C:\ZeroLocker\ZERORESCUE.EXE. Clicking the "Decrypt Files" button opens an internet connection with the VPS. Unfortunately the request returns a 404 rendering decryption impossible even after paying the ransom. A message informs the victim that the payment hasn’t been received or processed yet and to try again later as it takes up to 24h to activate the key. GET /[ID based upon MAC-ADDRESS]/key ----- Global overview. ----- ID based upon MAC ADDRESS ----- **Samples Analysed** At the time of the analysis on August 18, 2014 we were aware of the following MD5 hashes: [bd0a3c308a6d3372817a474b7c653097: TimeDateStamp: Tue Aug 05 14:27:06](https://www.virustotal.com/en/file/d4c62215df74753371db33a19a69fccdc4b375c893a4b7f8b30172710fbd4cfa/analysis/) 2014 [3772a3deeb781803a907ed36ee10681d: TimeDateStamp: Wed Aug 06 11:01:48](https://www.virustotal.com/en/file/e292cbe7ddbc036009d7ef0deaab49d12005c9267e12a338bbba7782925ef1a6/analysis/) 2014 Both samples contain the following compile leftovers: c:\users\george\desktop\projects\zerolocker\testing stuff\testing stuff\obj\debug\task manager.pdb [The actor behind ZeroLocker is also associated with several Bitcoin Miners.](https://www.virustotal.com/en/ip-address/5.199.171.47/information/) Tags: [AES](https://stopmalvertising.com/tag/aes.html) [Ransomware](https://stopmalvertising.com/tag/ransomware.html) [RijndaelManaged](https://stopmalvertising.com/tag/rijndaelmanaged.html) [ZeroLocker](https://stopmalvertising.com/tag/zerolocker.html) [If our research has helped you, please consider making a donation through PayPal.](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=4SV5GCQMUP2RL) ## Related Articles ----- [Cryptowall: Behind The Scenes](https://stopmalvertising.com/malware-reports/cryptowall-behind-the-scenes.html) Earlier this week we intercepted several unsolicited emails with the subject line "Voice Mail". The electronic message informs the recipient that "Bluescope" left a 1:06 minutes long message. The voicemail message has been attached to the email... [Analysis of the PHP.net Compromise](https://stopmalvertising.com/malware-reports/analysis-of-the-php.net-compromise.html) On Thursday 24th October 2013 PHP.net was flagged by Google SafeBrowsing as being malicious. PHP.net released a first statement, followed by an update. Barracuda Labs released a pcap on the attack. An analysis of their their network capture... [Fake Java 7 Update 11 installs ransomware](https://stopmalvertising.com/malware-reports/fake-java-7-update-11-installs-ransomware.html) On January 14, 2013 Oracle released an official update to address the latest Java 0-day CVE-2013-0422 and CVE-2012-3174. In meanwhile it has been brought to our attention yesterday that cybercriminals decided to take advantage of the... [Copyright Violation Fake Alert](https://stopmalvertising.com/news/copyright-violation-fake-alert.html) Important News S!Ri.URZ has published a Registration Code which helps to clean the computer if you have been hit by this fake Copyright Violation alert / ransomware pushed onto computers by the ICPP Foundation -... [ICPP Foundation - icpp-online.com](https://stopmalvertising.com/spam-scams/icpp-foundation-icpp-online.com.html) Yesterday a new type of ransomware has been discovered. This time P2P users have been targetted with a fake Copyright Infringement Notice from the bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: This e-mail address is being protected from spambots. You need JavaScript enabled to view it ). You can... -----