Zlocker Ransomware
Posted: December 18, 2017
Threat Metric
The fields shown on the Threat Meter, each with a specific value, are explained below:
Threat Level: The threat level scale runs from 1 to 10, where 10 is the highest severity and 1 the lowest. Each level is relative to the threat's consistently assessed behaviors collected through SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs recorded in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a popular threat but does not necessarily mean a large number of systems are infected; a threat with a high detection count could lie dormant and show a low volume count. The Volume Count is measured relative to the daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equals symbol, represents the recent movement of a particular threat. Up arrows represent an increase, down arrows a decline, and the equals symbol no change in the threat's recent movement.
% Impact (Last 7 Days): The change over a 7-day period in how frequently a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path, indicating a rise or decline in that percentage.
| Threat Level: | 8/10 |
|---|---|
| Infected PCs: | 38 |
| First Seen: | October 28, 2022 |
| OS(es) Affected: | Windows |
The Zlocker Ransomware is a file-locker Trojan that encrypts popular media types, including pictures, spreadsheets, databases, documents and archives. The unreadable files can only be converted back to a usable format with the decryption key, which the Zlocker Ransomware's threat actor sells. Backups and free decryptor applications can help victims with file recovery, and malware experts recommend having your anti-malware programs delete the Zlocker Ransomware whenever they detect it.
It's Always Snowing Trojans in Russia
As software-based extortion and data-sabotage techniques evolve along with the threatening-software industry, so does the nature of its victims. Although its economy is small compared with other major nations, Russia is becoming a thematic focal point for more file-locking Trojans than ever before. Malware analysts are just now identifying another minor release in this category aimed at the country: the Zlocker Ransomware, the work of a threat actor calling himself 'Guchinov_2.'
Guchinov is developing the Zlocker Ransomware with a four-year-old version of Visual Studio and shows no sign of having significant experience or resources in this corner of the Trojan industry. Advertising for the Trojan appears on some 'Dark Web' sites frequented by threat actors, even though the Zlocker Ransomware has none of the other characteristics common to Ransomware-as-a-Service (RaaS) projects. Current features of the Zlocker Ransomware that malware experts have confirmed include:
- The Zlocker Ransomware scans the computer for specific media formats and encrypts every file matching its parameters, such as JPG pictures or TXT documents. Encryption renders the affected files unreadable by their associated applications but is, in theory, reversible with the cipher-specific key.
- The Zlocker Ransomware marks each file it locks by appending a '╘' box-drawing character (Unicode U+2558) to the end of the name, after the extension. This choice is unconventional; most file-locking Trojans replace the extension or append one of their own (for example, 'tree.gif.locked').
- Guchinov also uses the Trojan to drop a text message on the PC. These Russian-language instructions tell users to pay a fee of five thousand Russian rubles and provide a phone number for further negotiation over restoring their media.
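The trailing '╘' marker described above is the one artifact of this infection that a responder can search for mechanically. The following is an added triage example, not code from the page or from the malware author: it walks a directory tree, lists files carrying the marker, recovers the original name and extension, and checks the Shannon entropy of each file's first 64 KiB to tell ciphertext from an intact file that merely had the marker appended. The marker itself comes from the page; the 7.5 bits-per-byte threshold, the sample-size choice and the constructed sample directory are assumptions made here for the demonstration. Stripping the marker restores only the filename, not the content, which stays encrypted.

```python
"""Triage helper for a Zlocker-style file-locker: find files tagged with the
'╘' (U+2558) marker, recover the original name, and flag high-entropy content.
Added example; not code from the page or from the malware."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# The box-drawing character Zlocker appends after the extension (from the write-up).
MARKER = "\u2558"  # '╘'


def is_tagged(name: str) -> bool:
    """True if the filename carries Zlocker's trailing marker."""
    return name.endswith(MARKER)


def original_name(name: str) -> str:
    """Strip the marker to recover the pre-infection filename.
    The file content is still encrypted; this only fixes the name."""
    return name[:-len(MARKER)] if is_tagged(name) else name


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in the range 0.0 .. 8.0; ciphertext sits close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(root: str, sample_size: int = 65536, entropy_threshold: float = 7.5) -> dict:
    """Walk `root`, list tagged files with their original extension, and mark
    which ones look encrypted.  Threshold and sample size are assumed values."""
    tagged = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not is_tagged(path.name):
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_size)
        orig = original_name(path.name)
        ent = shannon_entropy(head)
        tagged.append({
            "path": str(path),
            "original_name": orig,
            "extension": Path(orig).suffix.lower(),
            "entropy": round(ent, 2),
            "looks_encrypted": ent >= entropy_threshold,
        })
    by_ext = Counter(t["extension"] for t in tagged)
    return {"tagged_count": len(tagged), "by_extension": dict(by_ext), "files": tagged}


def build_sample_tree() -> str:
    """Constructed sample directory (not real victim data) for a dry run."""
    root = tempfile.mkdtemp(prefix="zlocker_triage_")
    # Two 'locked' files: random bytes stand in for ciphertext; marker after the extension.
    for name in ("holiday.jpg", "budget.xlsx"):
        (Path(root) / (name + MARKER)).write_bytes(os.urandom(8192))
    # One untouched file: repetitive text, low entropy, no marker.
    (Path(root) / "readme.txt").write_text("hello hello hello hello\n" * 50, encoding="utf-8")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"{report['tagged_count']} tagged file(s): {report['by_extension']}")
    for f in report["files"]:
        print(f"  {f['original_name']}  entropy={f['entropy']}  encrypted={f['looks_encrypted']}")
```

Run it against a real mount with `triage("/mnt/evidence")` after imaging the disk; the per-extension counts tell you which file types the sample targeted, and a tagged file with low entropy is worth a closer look, since it may have been renamed but not actually encrypted.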
Malware experts require further analysis of the Zlocker Ransomware before concluding on its encryption protocols and whether the users may be able to recover content by themselves.
Some Easy-to-Make Mistakes in Cyber-Extortion
The evidence of Guchinov's inexperience with this form of extortion is easy to confirm from the Zlocker Ransomware's basic components alone. Besides revealing what may be his real name, Guchinov uses a potentially traceable phone number and a cash-transfer service, Qiwi, which offers significantly less stability and security than the Bitcoin ransoms traditional in this field. Russian law enforcement will have few problems tracking this threat actor unless he takes further precautions.
The most prominent infection strategy for the average file-locking Trojan is an e-mail spam campaign using malicious, often document-based, attachments. Some threat actors also install Trojans of this class after brute-forcing their way into a remotely accessible PC, or distribute them through illicit software networks under a fake name. Anti-malware programs include no decryption features for recovering the content this Trojan locks, but they can remove the Zlocker Ransomware immediately, which malware experts recommend.
The Zlocker Ransomware is a Trojan with limited features and a 'bargain' ransom price. These facts may make recovering from an infection relatively easy, but a responsible PC user will always make recovery unnecessary through preemptively safe behavior, such as keeping backups.