Errors in ZeroLocker means paying ransom may not decrypt files

Researchers with Kaspersky have identified a piece of ransomware known as ZeroLocker that asks for $300 in Bitcoin – followed by $500 and then $1,000 if the victim waits.

The encryption key and other data are sent to the attackers' server in a GET request that returns a 404 error, meaning that paying up likely does not result in files being decrypted, according to a post.
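As an added illustration of why the failed GET matters to defenders (this is example code, not from the article or from Kaspersky's analysis), the script below parses a constructed proxy log, flags GET requests whose query string carries a key-sized hex or base64 value, and notes when the server answered 404, since that is the case in which the key never reached the operator. The hostname, path and parameter names are constructed placeholders, not real ZeroLocker indicators.

```python
"""Flag proxy-log GETs that carry key-sized values, and note 404 responses."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (CLF-like); hosts, paths and values are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2014:10:01:02 +0000] "GET http://intranet.example/index.html HTTP/1.1" 200 5120
10.0.0.5 - - [20/Aug/2014:10:01:09 +0000] "GET http://example-c2.invalid/report.php?id=WS01&key=3f9a1c7e2b8d4a6f0e5c1b7a9d3e8f2c4a6b8d0e&bc=1BTCaddrPlaceholder HTTP/1.1" 404 318
10.0.0.7 - - [20/Aug/2014:10:02:11 +0000] "GET http://cdn.example/lib.js?v=20140820 HTTP/1.1" 200 8801
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# A 160-bit key is 40 hex characters or about 27 base64 characters; flag values that long.
KEY_LIKE = re.compile(r'^(?:[0-9a-fA-F]{40,}|[A-Za-z0-9+/]{27,}={0,2})$')


def parse_line(line):
    """Split one log line into client, timestamp, method, URL and status (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, url, status, _ = m.groups()
    return {"client": client, "ts": ts, "method": method, "url": url, "status": int(status)}


def key_like_params(url):
    """Return the query parameter names whose value looks like raw key material."""
    qs = parse_qs(urlsplit(url).query)
    return sorted(k for k, vals in qs.items() if any(KEY_LIKE.match(v) for v in vals))


def find_suspect_requests(log_text):
    """Return (client, host, params, status, key_lost) for GETs carrying key-sized values."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        params = key_like_params(rec["url"])
        if params:
            host = urlsplit(rec["url"]).hostname
            # A 404 means the server never stored the key: decryption is unlikely even if paid.
            hits.append((rec["client"], host, params, rec["status"], rec["status"] == 404))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit with key_lost set to True is the signal to stop treating the ransom as a recovery option and to fall back to backups.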

ZeroLocker encrypts all files on the system, with the exception of files larger than 20MB and files in directories whose names include the words ‘Windows,’ ‘WINDOWS,’ ‘Program Files,’ ‘ZeroLocker,’ and ‘Desktop,’ the post indicates.

The ransomware uses a random 160-bit AES key for encryption and brute-forcing it is not possible, according to the post, which adds that the cipher.exe utility runs after encryption, wiping unused disk space and making file recovery tougher.