Ransomware threat ‘Locker’ has sleeper component

Security firm KnowBe4 has issued an alert to IT managers regarding a new strain of ransomware, called Locker, that lies dormant on infected computers until malware operators activate the threat.

After seeing a lengthy thread on Bleeping Computer, which discussed the malware and included screenshots of the warning messages to victims, KnowBe4 quickly spread the word to its own customer base.

In a Wednesday interview with, Stu Sjouwerman, founder and CEO of KnowBe4, said that, given the influx of users around the global reporting infections, cybercriminals may have infected victims for months before the malware was set to activate.

“I would estimate that it [has been] two or three months that these people have been infected and not known it,” Sjouwerman said.

According to the Bleeping Computer discussion thread started this Sunday, Locker ransomware silently ran on victim's computers until Monday at midnight, when it was activated. Then, the malware employed RSA encryption to lock users' files, and in turn requested 0.1 Bitcoin from victims so they could retrieve their data. Different attacks has displayed warning messages with varying versions of the ransomware, including Locker v1.7, v3.5.3,  V2.16, and V5.52, but the version number “does not appear to have any significance,” an admin user on the forum said.

“It should be noted that this infection only clears the Shadow Volume Copies for the C: drive,” the admin added later. “Therefore, if you store data on other drives, you can use the Shadow Volume Copies to restore your data. There are also reports that the infection is not always able to delete any shadow volume copies, so to be safe it is advised that you at least try to restore your files using Shadow Explorer as described in the link [here].”

According to Microsoft, the Volume Shadow Copy Service is a Windows service used for backing up and restoring critical business data in varying circumstances, including when data files are open or still running, or when data sets are large and more difficult to back up at once.

Locker is said to target a number of file types, include .doc, .docx, .ppt, .jpg, .header and .rtf files. The ransomware is also designed to terminate if it detects the use of virtual machine environments.

In his interview with, Sjouwerman said that the attacks were the first time that the firm was made aware of ransomware utilizing a sleeper function.

“The sleeper component is totally new. We've not seen this yet. They would do that to get their infrastructure in place – first infect the maximum amount of workstations and hit when nobody knows that this is occurring so there is no mitigation possible,” he explained.

So far, the new ransomware is believed to have spread  through exploit kits and compromised Minecraft installers downloaded by gamers, but Sjouwerman expects the threat to soon be delivered through phishing attacks.

In the alert, KnowBe4 advised users to backup their data, to “patch early and patch often,” and to avoid clicking on ads, since new strains of malware are sometimes spread through malvertising campaigns. IT managers were also advised to engage employees in security awareness training.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.