Sleeper Ransomware Breaks Out In May To Harass Small Businesses

A new dormant strain of "sleeper" ransomware has awoken and is causing a surge of trouble

KnowBe4 CEO Stu Sjouwerman issued an alert to IT managers that there is a new strain of dangerous ransomware, called Locker, infecting employees' workstations. The ransomware had infected workstations but sat there silently until midnight on May 25, 2015, when it woke up. Locker then started to wreak havoc in a massive way. Since the strain reared its ugly head, Reddit has been swarmed with comments, 600 of them in the first 24 hours.

According to Sjouwerman, “It appears we have a new player in Ransomware City, and this looks like an 800 pound gorilla very similar to CryptoLocker. It appears the infection vector is exploit kits but there are rumors of a compromised MineCraft installer. Reports on the Locker ransomware have exploded worldwide.”

BleepingComputer has received hundreds of emails from consultants all over the world. Based on their experience with cryptoware, they estimate this strain has a large "installed" base, which does not bode well for IT managers.

Here is what Locker does:

* A series of Windows services are used to install Locker on the computer and encrypt data files.

* During the install process, Locker checks whether the computer is a virtual machine and terminates if one is detected.

* Encrypts data files with RSA encryption and does not change the file extension.

* After the encryption it deletes your C:\ shadow volume copies and displays its ransom interface.

* If your backups failed and you are forced to pay the ransom, once payment has been confirmed the ransomware will download the private key and automatically decrypt your files.

The types of files encrypted are: .doc, .docx, .xlsx, .ppt, .wmdb, .ai, .jpg, .psd, .nef, .odf, .raw, .pem, .rtf, .raf, .dbf, .header, and .odb. Again, Locker does not change the file extension, so your users will get error messages from their applications saying that the file is corrupted.
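A triage check a defender could run after an outbreak like this, added here as an example and not tooling from KnowBe4 or BleepingComputer: because Locker leaves extensions intact, affected files can be found by comparing each file's first bytes with the signature expected for its extension, and the oldest such file's timestamp gives a rough bound on how far back backups must reach. The signature table covers only some of the listed extensions, and the sample directory is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Well-known file signatures for some of the extensions named in the article.
# .docx/.xlsx are ZIP containers; .doc/.ppt are OLE compound files.
MAGIC = {
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".ppt": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    ".jpg": (b"\xff\xd8\xff",),
    ".psd": (b"8BPS",),
    ".rtf": (b"{\\rtf",),
    ".pem": (b"-----BEGIN",),
}

def scan_suspect_files(root):
    """Return (path, mtime) for every file whose header no longer matches the
    signature expected for its extension. Ciphertext is opaque bytes, so the
    header check fails even though the extension still looks right."""
    suspects = []
    for path in Path(root).rglob("*"):
        sigs = MAGIC.get(path.suffix.lower())
        if not sigs or not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        if not any(head.startswith(s) for s in sigs):
            suspects.append((str(path), path.stat().st_mtime))
    return suspects

def suspect_names(root):
    """Sorted basenames of mismatched files, for a quick report."""
    return sorted(Path(p).name for p, _ in scan_suspect_files(root))

def earliest_suspect_mtime(root):
    """Oldest modification time among mismatched files: an estimate of when
    encryption began, and so of how far back a clean backup must reach."""
    times = [t for _, t in scan_suspect_files(root)]
    return min(times) if times else None

def build_sample_dir():
    """Constructed sample tree: two intact files and two whose contents were
    replaced by opaque bytes (stand-in for ciphertext), extensions untouched."""
    d = tempfile.mkdtemp()
    Path(d, "report.docx").write_bytes(b"PK\x03\x04" + bytes(32))
    Path(d, "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(32))
    Path(d, "budget.xlsx").write_bytes(bytes(range(0x80, 0xA8)))
    Path(d, "memo.rtf").write_bytes(bytes(range(0x80, 0xA8)))
    return d
```

A header mismatch is only a hint: legitimately corrupt or unusual files trip it too, so treat hits as candidates for restore-and-compare rather than proof of encryption.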

The ransomware screen includes a scary message stating: "Warning any attempt to remove damage or even investigate the Locker software will lead to immediate destruction of your private key on our server!" This is just to force you into paying.

Sjouwerman recommends:

1. Hope your backup works. Without knowing when the ransomware was installed, it is hard to determine how far back to go.

2. Patch early and patch often.

3. Don't click on ads. Many new strains of malware are being carried through malvertising, where ads are placed on legitimate sites but redirect the clicker to a malicious site that delivers the payload.

4. And as always, stepping employees through effective security awareness training is a must these days.

For more information visit: www.KnowBe4.com

Additional links:

More on CryptoLocker: http://info.knowbe4.com/what-is-cryptolocker-ransomware/ or http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-topic/