
ColdLock Ransomware

Posted: May 13, 2020

The ColdLock Ransomware is a file-locking Trojan with strong similarities to the free 'educational' EDA2 project. It can block the user's files from opening and hold them for a ransom, and it is most likely infecting systems through narrowly-distributed, targeted attacks. Users should monitor possible weak points in their networks, such as password choices, and always have anti-malware products available to isolate or remove the ColdLock Ransomware on detection.

An Unexpected Surge of Freezing Weather for Your Server's Data

As a file-locking Trojan family whose propagation is under tight control, the Freezing Ransomware contrasts with the more random, opportunity-based models of the usual Ransomware-as-a-Services. However, it is sufficiently profitable that a threat actor is taking a gamble on updating it for attacks against Taiwanese business entities. The new version, the ColdLock Ransomware, also shows some code similarities to the free EDA2, although it is far from a simple clone.

Current ColdLock Ransomware attacks, although confirmed for May of 2020 as taking place in Taiwan, still use unidentified infection methods. Since reports confirm that the threat actor installs the Trojan after gaining direct access to Active Directory, it is possible that the attackers are brute-forcing passwords or using additional threats to acquire login credentials. Some of the ColdLock Ransomware's initial setup steps suggest connections to the Freezing Ransomware family, such as the use of reflective DLL loading, and the Trojan also has code in common with EDA2.

The file-locking aspect of the ColdLock Ransomware uses a pedestrian, but secure, AES and RSA combination for encryption and flags every encrypted file with its 'locked' extension. However, malware researchers find that the ColdLock Ransomware's means of choosing which media to encrypt operates on an unusually complex series of metrics. The Trojan takes into account the directories, formats, the number of files in each location, the last data-write time, and blacklisted strings such as 'cache' and 'microsoft'. It also excludes some media types that most file-locker Trojans would ransom, such as GIF pictures, AVI movies and MP3 audio.
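For responders scoping an incident, the selection rules above can be turned into a quick triage that separates files the Trojan encrypted, files it was expected to skip, and candidate files it left untouched. The following is an added example written for this page, not code from the Trojan or from any analysis of it; the '.locked' extension, the 'cache'/'microsoft' path strings and the GIF/AVI/MP3 exclusions come from the text, while the exact thresholds for file counts and write times are not published here and are therefore not modelled.

```python
import os
from collections import Counter

LOCKED_EXT = ".locked"                      # extension ColdLock appends to encrypted files
SKIPPED_MEDIA = {".gif", ".avi", ".mp3"}    # media types the write-up says it leaves alone
PATH_BLACKLIST = ("cache", "microsoft")     # path substrings the write-up says it skips


def classify(path):
    """Bucket one path by the selection behaviour described in the write-up."""
    lower = path.replace("\\", "/").lower()
    if lower.endswith(LOCKED_EXT):
        return "encrypted"                  # already renamed by the Trojan
    if any(token in lower for token in PATH_BLACKLIST):
        return "skipped_path"               # expected to be ignored by name
    if os.path.splitext(lower)[1] in SKIPPED_MEDIA:
        return "skipped_media"              # expected to be ignored by type
    return "untouched"                      # candidate file that was not encrypted


def triage(paths):
    """Per-directory counters of each bucket, for a scoping report."""
    per_dir = {}
    for p in paths:
        d = os.path.dirname(p.replace("\\", "/"))
        per_dir.setdefault(d, Counter())[classify(p)] += 1
    return per_dir


def impacted_dirs(paths):
    """Directories holding at least one encrypted file."""
    return sorted(d for d, c in triage(paths).items() if c["encrypted"])


def scan_tree(root):
    """Run the same triage over a real directory tree (e.g. a restored share image)."""
    return triage(os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs)


# Constructed sample listing standing in for a file-server inventory.
SAMPLE_PATHS = [
    "/srv/share/finance/q1.xlsx.locked",
    "/srv/share/finance/q2.xlsx.locked",
    "/srv/share/finance/notes.txt",
    "/srv/share/media/intro.avi",
    "/srv/share/media/logo.gif",
    "/srv/share/cache/tmp001.bin",
    "/srv/share/hr/handbook.docx.locked",
    "/srv/share/hr/readme.txt",
]

if __name__ == "__main__":
    for d, counts in sorted(triage(SAMPLE_PATHS).items()):
        print(d, dict(counts))
```

An "untouched" count inside an impacted directory is worth a second look, since it points at the unpublished file-count or write-time criteria rather than at a failed encryption.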

Warming Up from a Not-So-Little Data Chill

Victims of the ColdLock Ransomware attacks have, according to the multiple text messages the Trojan leaves, less than a week to consider paying for an unlocker. Paying does not promise any definitive solution, but for businesses without appropriate backups, it could be the only route to even a possibility of full data recovery. Malware researchers also rate the odds of breaking the ColdLock Ransomware's encryption routine through third-party research as very low, even in cases where full samples are available.

Users should protect themselves by maintaining strong passwords against brute-forcing, disabling or securing RDP, and, as always, backing up all valuable files thoroughly. Software patches may or may not be pertinent for preventing ColdLock Ransomware infections. On the other hand, they are highly helpful for blocking similar file-locker Trojans, which can use vulnerabilities inside documents and spreadsheets or Exploit Kits on the Web.

Taiwan-based business entities should be on the lookout for phishing attacks and other network intrusions, including narrowly-targeted ones aimed at their employees through well-crafted, specialized lures. Anti-malware products with full database updates still should find and remove the ColdLock Ransomware in most attacks.

The sheer intricacy of how the ColdLock Ransomware selects what to encrypt and what to leave alone paints a picture of threat actors who know in great detail what they want to hold for a ransom. Such specificity in targeting shows just how valuable mere data is, and why one must go to equally great lengths to protect it.
