
NinjaLoc Ransomware

Posted: August 21, 2018

The NinjaLoc Ransomware is a Trojan that displays ransoming messages for your files via both text messages and an interactive, graphical pop-up. Future builds of the NinjaLoc Ransomware may include an encryption feature for locking work on your computer, although such attacks aren't evident in the current samples. Any file recovery that's necessary should be achieved by non-ransom-based means, if possible, and most anti-malware applications should detect and delete the NinjaLoc Ransomware without issue.

The Ninja Program that Forgot His Weaponry

A threat actor borrowing graphics referencing the Insane Clown Posse's 'juggalo' fandom is preparing to launch a campaign of extorting money after locking his victims' files. The new Trojan, the NinjaLoc Ransomware, isn't part of Hidden Tear's freeware collective or a Ransomware-as-a-Service entity like the Scarab Ransomware; instead, it is an independent 'pet' project. Malware researchers can't confirm any actual encryption attacks from the NinjaLoc Ransomware, although most of the traditional features of a file-locker Trojan are in place.

The NinjaLoc Ransomware's file-locking feature is still in progress, but most attacks of this format isolate non-essential documents, pictures, and other small media that are valuable to the user, and convert each file's data using any of several encryption methods (AES-256, RSA, XOR, etc.). The NinjaLoc Ransomware also may or may not make other changes to the filenames, such as adding extensions or converting them into Base64-encoded equivalents. The NinjaLoc Ransomware's ransoming properties are complete, however, along with a prototype of its 'unlocking' service.

The NinjaLoc Ransomware drops a simple Notepad message with its Bitcoin-based ransoming demands and also creates an HTA GUI in a pop-up format. The pop-up shows a skull symbol with links to the juggalo fandom's social media and includes standard elements like an adjustable Bitcoin wallet field and a form for inputting the decryption key. The decryption key is static and consists of the string '1337' entered twenty-three times (in other words, '13371337133713371337133713371337133713371337133713371337133713371337133713371337133713371337'). Victims should test this password before making any decisions regarding the ransom.

Taking the Skull and Crossbones Out of Your File-Saving Solutions

The NinjaLoc Ransomware's built-in decryption feature deactivates a critical Windows feature, Windows File Protection, which prevents unauthorized programs from making unsafe system changes. However, malware researchers note that this change is temporary and is, apparently, only in place as a means of running the decryptor's executable, which the Trojan drops into the System32 directory. Rebooting the PC should prompt Windows to ask if you wish to re-enable this security feature.

As an in-progress Trojan with future pretensions of locking files, the NinjaLoc Ransomware offers no evidence for any analysis of how it might circulate or how secure its encryption could be against freeware decryptors. E-mail attachments and brute-force attacks against poorly-maintained login credentials are two of the most important, but by no means the only, infection vectors for file-locker Trojans of most families. Malware experts suggest having an anti-malware product scan all new downloads and using such software to uninstall NinjaLoc Ransomware infections, which do make changes to your Windows system folders.

The NinjaLoc Ransomware provides no immediate impetus for backing your files up somewhere else but is a possible warning of future attacks that might arrive. Instead of trusting that its password will remain just as easily crackable as it is right now, users should consider other means of protecting their media.
