
Zlocker Ransomware

Posted: December 18, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 38
First Seen: October 28, 2022
OS(es) Affected: Windows

The Zlocker Ransomware is a file-locker Trojan that may encrypt popular media types, including pictures, spreadsheets, databases, documents and archives. The unreadable files can only be converted back to a usable format with the decryption key, which the Zlocker Ransomware's threat actor sells. Backups and free decryptor applications can help victims recover their files, and malware experts recommend having your anti-malware programs delete the Zlocker Ransomware whenever they detect it.

It's Always Snowing Trojans in Russia

As software-based extortion and data-sabotage techniques evolve alongside the rest of the threatening software industry, so does the profile of their victims. Despite having a relatively small economy compared to other developed nations, Russia is becoming a target theme for more file-locking Trojans than ever before. Malware analysts have just identified another minor release in this category aimed at that country: the Zlocker Ransomware, attributed to a threat actor calling himself 'Guchinov_2.'

Guchinov is developing the Zlocker Ransomware with a four-year-old version of Visual Studio and shows no sign of having either significant experience or resources in this corner of the Trojan industry. Advertising for the Trojan has appeared on some 'Dark Web' sites frequented by threat actors, even though the Zlocker Ransomware has none of the other characteristics common to Ransomware-as-a-Service (RaaS) projects. Features of the Zlocker Ransomware that malware experts have confirmed include:

  • The Zlocker Ransomware scans the computer for specific media formats, such as JPG pictures or TXT documents, and encrypts every file that matches. Encryption leaves the affected files unreadable by their associated applications but is, in principle, reversible with the corresponding decryption key.
  • The Zlocker Ransomware marks each file it locks by appending a '╘' box-drawing character to the end of the name, after the original extension (for example: 'tree.gif╘'). This choice is unconventional; most file-locking Trojans replace the extension or append one of their own (for example: 'tree.gif.locked').
  • Guchinov also uses the Trojan to drop a text message on the PC. These Russian-language instructions tell the user to pay a fee of five thousand Russian rubles and provide a phone number for further negotiations over restoring their media.
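
As an added example that is not part of the original article and not code from the Zlocker Ransomware or its author, the following Python script shows how a responder could triage a drive for the naming marker described above. It treats a trailing '╘' as the indicator, ignores names where that character appears anywhere other than the end, recovers the original filename (the real extension survives because the marker is appended rather than substituted), and tallies which file types were hit. The directory it scans is constructed inside the script for the demonstration; the marker's code point (U+2558) is an assumption based on the glyph shown in this article.

```python
import os
import tempfile

# Marker the article describes: a box-drawing character appended AFTER the
# original extension ('photo.jpg' -> 'photo.jpg╘'). U+2558 is assumed from
# the glyph shown in the article.
ZLOCKER_MARKER = "\u2558"  # '╘'


def is_marked(name: str) -> bool:
    """True only when the marker is the final character of the filename."""
    return name.endswith(ZLOCKER_MARKER)


def original_name(name: str) -> str:
    """Recover the pre-infection filename. Because the marker is appended
    after the extension rather than replacing it, the extension survives."""
    if not is_marked(name):
        raise ValueError(f"not a Zlocker-marked name: {name!r}")
    return name[: -len(ZLOCKER_MARKER)]


def find_marked_files(root: str) -> list:
    """Walk a directory tree and return every path that carries the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_marked(fname):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def count_by_original_extension(paths) -> dict:
    """Tally which file types were hit, using the still-intact extension."""
    counts = {}
    for path in paths:
        _stem, ext = os.path.splitext(original_name(os.path.basename(path)))
        counts[ext.lower()] = counts.get(ext.lower(), 0) + 1
    return counts


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    sample = [
        "tree.gif" + ZLOCKER_MARKER,         # marked
        "budget.xlsx" + ZLOCKER_MARKER,      # marked
        "notes.txt",                         # untouched
        "readme" + ZLOCKER_MARKER + ".txt",  # marker mid-name: not this pattern
        os.path.join("sub", "photo.jpg" + ZLOCKER_MARKER),  # marked, nested
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\x00placeholder\x00")  # content is irrelevant here
        hits = find_marked_files(tmp)
        return {
            "hits": [os.path.relpath(h, tmp).replace(os.sep, "/") for h in hits],
            "by_ext": count_by_original_extension(hits),
            "restored": [original_name(os.path.basename(h)) for h in hits],
        }


if __name__ == "__main__":
    print(demo())
```

Note that stripping the marker only restores the name, not the contents; the bytes are still encrypted, so a rename is only worthwhile after a decryptor or a backup has replaced the file's data. The extension tally is useful on its own, because it shows which of the Trojan's targeted formats were actually present on the machine.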

Malware experts require further analysis of the Zlocker Ransomware before drawing conclusions about its encryption routine and whether users can recover their content on their own.

Some Easy-to-Make Mistakes in Cyber-Extortion

The evidence of Guchinov's inexperience with this form of extortion is easy to confirm from the Zlocker Ransomware's base components alone. Besides revealing what may be his real name, Guchinov also uses a potentially traceable phone number and a cash-transfer service, Qiwi, which gives the extortionist far less anonymity and reliability than the Bitcoin payments that are the norm for ransomware. Russian law enforcement will have few problems tracking this threat actor unless he takes further precautions.

The most prominent infection strategy for the average file-locking Trojan is an e-mail spam campaign that uses malicious, often document-based, attachments. Some threat actors also install Trojans of this class by brute-forcing the credentials of a remotely accessible PC or by distributing the Trojan on illicit software networks under a fake name. Anti-malware programs include no decryption features for recovering the content this Trojan locks, but they can remove the Zlocker Ransomware immediately, which malware experts recommend.

The Zlocker Ransomware is a Trojan with limited features and a 'bargain' asking price for its ransom. These facts may make recovering from an infection relatively easy, but a responsible PC user makes recovery unnecessary in the first place by keeping backups and practicing safe e-mail and download habits.
