
Sauron Locker Ransomware

Posted: April 17, 2019

The Sauron Locker Ransomware is a file-locker Trojan for Android devices such as smartphones. It locks the files on your phone and displays a wallpaper that asks for a ransom in one of several cryptocurrency denominations. Users can scan downloads for threats like Trojans and have their anti-malware programs remove Sauron Locker Ransomware infections safely.

The Professor Didn't Foresee this Misuse of His Archvillain

A new kind of file-locking Trojan is appearing, and this one is ignoring computers in favor of mobile Android devices such as smartphones. The Sauron Locker Ransomware, whose name references the warlord-dictator of Tolkien's 'The Lord of the Rings,' is in deployment with at least one ransom collected from a victim in Germany. While it supports remote unlocking afterward, there's no guarantee that the threat actor will behave as the Trojan asserts.

The Sauron Locker Ransomware implements an encryption attack with no visual symptoms that malware researchers can find – besides the fact that most files on the device will not open, once it finishes. After completing the data-locking attack against documents, pictures, etc., the Trojan hijacks the wallpaper and repurposes it into being a ransom note. It also shows a similar warning as a screensaver.

The threat actors maintaining the Sauron Locker Ransomware include non-negligible support for global campaigns, which could indicate that they're hiring it out to others. Depending on the user's location, the Sauron Locker Ransomware supports different languages and even different ransoming fees – for example, US residents pay more than users in most other countries. The threat actor tracks payments from a panel that displays statistics like the phone's version of Android, the country, and the cryptocurrency (Dogecoin, Litecoin, or Bitcoin).

Forcing Flaming Eyes to Blink

The Sauron Locker Ransomware's activity shows that its campaign has been around since at least late 2018, and possibly long before that. Malware researchers find current samples using a fake 'Clash Royale' gaming application as their disguise, which could trick users into installing them through the Google Play store or from a third-party website. Users can scan their downloads with appropriate security solutions for detecting file-locker Trojans and other threats.

Like Windows and other desktop OSes, Android includes a Safe Mode feature that can disable third-party software, including applications such as the Sauron Locker Ransomware. Victims of infection can boot into Safe Mode before running anti-malware scans to disinfect the device in its entirety. However, even if cyber-security products can easily remove the Sauron Locker Ransomware before or after an attack, backups are mandatory for recovering data without paying.

Villainy comes under many names, but one like the Sauron Locker Ransomware takes advantage of weak data-saving habits more than anything else. Fortunately, means of protection, including both security solutions and file-redundancy solutions, make fighting on the defense easier for Android owners than for Middle-Earth's warriors.
