Security researchers from Malware Must Die uncovered new ransomware called PrisonLocker, and said the malware author is either a legitimate security researcher or is posing as one via a personal blog and Twitter handle.
Malware Must Die has monitored PrisonLocker’s development since spotting it for sale on an underground criminal hacking forum in November. The ransomware, also known as PowerLocker, is all-but ready for sale. At the moment, it appears to lack a completed graphical user interface and is still undergoing quality assurance tests. Once it’s ready, the creator claims he will sell the malware for roughly $100 per license, which can be paid using cryptocurrency Bitcoin.
According to specifications listed by the author in a number of locations, the PrisonLocker infection process will begin with a Trojan that drops a single executable file into a temp folder. Following successful installation, PrisonLocker is designed to encrypt nearly every file on infected machines, including those on hard drives and shared drives but excluding .exe, .dll, .sys, and other system files. According to a Pastebin post from Dec. 19, PrisonLocker will deploy the Blowfish cipher, and each infected machine will have a corresponding Blowfish decryption key that is encrypted using RSA AES 2048-bit encryption.
Other features include persistence through Windows registry keys, disabling infected users’ Windows and escape buttons, and blocking task manager, command prompt, registry editor, and other Windows utilities.
Like CryptoLocker, infected users will be given a predetermined amount of time to pay the ransom before the decryption key is forever deleted. Whoever administers the ransomware will have the ability to choose the preset amount of time and pause or reset this deletion clock in order to examine ransom payments. Other customizable features include naming and placing the infection file, determining the ransom amount and method of payment, and the establishing the username and password for the administrative panel, which is set as “admin” and “admin” by default.
PrisonLocker also boasts a number of analysis prevention features. Its author claims it detects basic virtual machine, sandbox, and debugger environments. The malware will also set up what its creator calls a “locked window in a new desktop.” This, the creator claims, will render useless the “alt+tab” command and, thus, all other applications. Beyond that, even if a user manages to escape the locked window, PrisonLocker includes a module that forces the locked window to the forefront of the user’s desktop every few milliseconds.
Interestingly, the ICQ messaging ID and email address associated with the malware author’s handle (gyx) on a number of sites is also associated with the twitter handle @Wenhsl and the security blog Wenhsl[.]blogspot[.]com. In that Twitter profile’s bio, the user describes himself as the following:
“Security enthusiast. Novice infosec/malware researcher and cybercrime analyst. C/C++ and currently polishing up my MASM.”
PrisonLocker is written in C++. Malware Must Die suggests that the author may either be double dipping as a security researcher and a criminal, or merely pretending to be a benevolent security researcher to cover his tracks as a criminal. Malware Must Die contacted various law enforcement agencies and provided this information to them.