New ransomware, more insidious than CryptoLocker, to go on market

Researchers warn that a new threat, using harder-to-crack encryption methods than comparable ransomware, may hit the black market soon.

The malware, which locks users out of their computer until they pay a ransom, is being called Prison Locker and Power Locker on underground forums, according to a Friday blog post at Malware Must Die.

According to researchers for the blog, a user in an underground forum who goes by the online alias “Gyx” first announced he was working on the ransomware on Nov. 20.

Gyx later tested the waters again on Dec. 7th (see screenshot), alerting potential buyers that “substantial progress” had been made in the malware's development.

When a user is infected with Prison Locker, the locker module of the malware opens a new display window and disables Windows and the user's escape key. Other Windows processes, like taskmgr.exe and cmd.exe, are also disabled, making it impossible to Ctrl+Alt+Del out of the window, screencaps from the underground forum showed.

The malware author also designed Prison Locker to accept payments from victims via Bitcoin, or through online payment systems like uKash and Paysafe (though those options could change or expand before the ransomware's release).

A major factor that makes the malware more sinister than CryptoLocker, another piece of ransomware discovered last fall, is that the new malware is said to use a “practically unbreakable encryption” process to hold users' files hostage, according to Gyx.

In an online discussion held Dec. 9 with a potential buyer, Gyx explained Prison Locker's advanced features.

“I have changed the first level of encryption to BlowFish, and a unique BlowFish key is generated for each file,” Gyx wrote. “That BlowFish key is then encrypted with an RSA key specific to the PC, then the RSA block is stored with the file to be decrypted later.”

CryptoLocker, which came on the radar last September and also accepted Bitcoin payments as ransom, was noted as having infected more than 12,000 victims in less than a week at one point. Massachusetts police were also infected by the malware and handed over a $750 ransom to unlock files claimed by CryptoLocker.

Although Malware Must Die has disclosed details about Prison Locker, the malware's release is still planned, researchers warned. Sellers have marketed the price at $100.
