
ShellLocker Ransomware

Posted: November 18, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: November 18, 2016
Last Seen: August 14, 2021
OS(es) Affected: Windows

The ShellLocker Ransomware is a Trojan that encrypts personal media, such as images, to force you into transferring Bitcoin to its administrator's account. Although no free decryption product exists yet for the ShellLocker Ransomware, keeping backups that the infection cannot reach gives you another way to recover any blocked content. Malware experts find many samples of this threat using misleading file names, and you should use your anti-malware products to detect and remove the ShellLocker Ransomware during any stage of its attack.

A Trojan Throwing a Net on Your Media

Software compatibility matters both to legitimate software developers and to con artists, who need to guarantee that their attacks can affect as many victims as possible. For example, Microsoft's widely used .NET Framework lets coders design programs that run on most versions of Windows. Unfortunately, it is just as easily turned to building threatening software, including the NoobCrypt Ransomware, the SNSLocker Ransomware and the ShellLocker Ransomware.

The last of those three is the youngest, bearing compilation and distribution dates of early to mid-November. The ShellLocker Ransomware's system introduction methods disguise its Trojan installer as a text document. In actuality, it is a batch file that uses the Windows command interpreter (CMD) to install the ShellLocker Ransomware, after which the Trojan scans your PC for media such as documents, images and video files.

Each file that matches the ShellLocker Ransomware's format and directory 'hit list' is run through a simple encryption routine that encodes it with a cipher. After blocking you from your content, the ShellLocker Ransomware loads a Web pop-up relaying its instructions for paying Bitcoins to recover all the encoded data. Like many file-encrypting Trojan campaigns seen this year, malware experts can confirm that this Trojan uses a countdown timer to hasten payment by threatening to delete your files when it reaches zero.

Cracking Open the Trojan Shell that's Keeping What's Yours

Since the ShellLocker Ransomware uses the .NET platform, its compatibility with most Windows PCs is very high, although non-Windows computers should be unaffected. PC owners having trouble identifying the files the Trojan is holding for ransom can search for the ShellLocker Ransomware's new extension, the '.L0cked' string. Non-local backups are the most frequently recommended recovery resource against file-encrypting Trojan attacks, and e-mail is the most common infection strategy, particularly for fake 'document' Trojans.

The ShellLocker Ransomware may try to block the desktop user interface or other applications. Whether or not you're able to launch appropriate anti-malware solutions, using Safe Mode or other secure system-booting techniques can give you a sterile environment for disinfecting your PC. Note that even after deleting the ShellLocker Ransomware with your choice of anti-malware tools, additional efforts are necessary for restoring your data by decryption or other means.

Some sources speculate that the ShellLocker Ransomware is another variant of the Exotic Squad Ransomware, although many of their components are also in use by unrelated families of Trojans. Whatever the ShellLocker Ransomware's real origin story, its mere existence is another data point for threat authors continuing to take control of the contents of your hard drive for lucre.

Update December 17th, 2018 — PewDiePie Ransomware

The PewDiePie Ransomware appears to be a joke project that, unfortunately, can cause a lot of harm without providing its victims with a reliable way to recover their files. This file-locker is written in .NET, and the bad news is that it does not appear to store the encryption keys used to lock the files. This means that even its authors will not be able to assist with the recovery of the encrypted files and the only reliable way to get all the data back is to restore it from a backup.

Usually, ransomware authors request a ransom payment in exchange for decryption software, but the crooks behind the PewDiePie Ransomware are after something much simpler: a subscription to PewDiePie (the YouTube channel with the most subscribers). Of course, PewDiePie did not build his follower base from fraudulent schemes like this one, and the PewDiePie Ransomware is nothing more than an atrocious act perpetrated by some of his viewers. All the files locked by this threat will have the '.PewDiePie' extension added to their names.
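The two marker extensions the article names ('.L0cked' for the ShellLocker Ransomware above and '.PewDiePie' here) are the quickest way to inventory what an infection has touched before restoring from backup. The following script is an added example, not code from the article or from either Trojan: it walks a directory tree, flags files ending in either suffix, recovers the original file name, and tallies the damage per family and per original file type. The family-to-suffix mapping and the sample directory tree it builds are constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffixes the article attributes to each family; the mapping itself is an assumption for this demo.
FAMILY_BY_SUFFIX = {".l0cked": "ShellLocker", ".pewdiepie": "PewDiePie"}


def classify(path):
    """Return (family, original_name) if the file name ends in a known ransom suffix, else None."""
    name = os.path.basename(path)
    for suffix, family in FAMILY_BY_SUFFIX.items():
        # Case-insensitive like Windows; a bare ".L0cked" with no original name is ignored.
        if name.casefold().endswith(suffix) and len(name) > len(suffix):
            return family, name[: -len(suffix)]
    return None


def inventory(root):
    """Walk root and return every affected file as (full_path, family, original_name)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            hit = classify(full)
            if hit:
                hits.append((full, hit[0], hit[1]))
    return hits


def summarize(hits):
    """Count affected files per family and per original extension, for restore planning."""
    by_family = Counter(h[1] for h in hits)
    by_orig_ext = Counter(Path(h[2]).suffix.lower() or "(none)" for h in hits)
    return by_family, by_orig_ext


def build_sample_tree(root):
    """Constructed sample tree (placeholder bytes, not real encrypted data); last two must be ignored."""
    for rel in ["docs/report.docx.L0cked", "pics/cat.jpg.L0cked",
                "pics/dog.png.PewDiePie", "notes/plan.txt", "notes/.L0cked"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder content")


def run_demo():
    """Build the constructed tree in a temp dir, inventory it and return (hits, by_family, by_ext)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = inventory(tmp)
        by_family, by_ext = summarize(hits)
        for path, family, orig in sorted(hits):
            print(f"{family:<11} {orig:<18} {path}")
        return hits, by_family, by_ext
```

Run it against a real root (e.g. the user's profile directory) by replacing the temporary tree in `run_demo`; the original-name column tells you which backup copies to pull.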

There is a chance that the PewDiePie Ransomware was created for fun and its authors are not planning to distribute it, but it would not be a surprise if they decided to take the PewDiePie vs. T-Series feud too far. Regardless of their plans, you are advised to take the necessary measures to minimize the PewDiePie Ransomware's chances of causing permanent damage to your files. There are many tips that can help you achieve this, but here are the mandatory actions you should take:

  • Never download files from suspicious Web destinations and stay away from unknown file attachments.
  • Make sure to keep your computer protected by a trustworthy anti-virus program.
  • Back up your important files to safe storage regularly – either offline or the cloud.