Threat Management, Incident Response, TDR

Researchers warn of new OphionLocker ransomware

A newly discovered ransomware strain might not have the finest design or be particularly innovative, yet it's still making the rounds online, raking in ransom money and catching researchers' attention.

OphionLocker encrypts data through open source Crypto+++ Elliptical Curve Cryptography with ransoms that vary from country to country, although U.S. ransoms begin at one bitcoin, or about $336, according to a KnowBe4 blog post. The ransomware doesn't vary much from previous iterations of the data-encrypting scheme, but OphionLocker does bring one new touch to the market.

The ransomware strain generates a unique hardware ID based on the first hard drive's serial number, the motherboard's serial number and other information. This ID is ultimately used when a victim is directed to the ransomware site, a Tor2web URL, which counts down until payment is due and lists the ransom required to decrypt files.

“We just don't know yet what their rationale is behind a hardware ID,” said Stu Sjouwerman, CEO, KnowBe4, in a Tuesday interview with “There's speculation.”

Sjouwerman suspects attackers could want to prevent reinfection that might cause the ransomware to encrypt itself, but he can't be sure.

Beyond OphionLocker's methodology and code, not much else is known about the attackers and their home base. It's still too early to tell, said Sjouwerman.

The bright side, he said, is that the ransomware isn't yet deleting shadow volume copies, which could allow victims to recover files using a file recovery tool or specialized program.

He recommended users “be religious” about backup restore and testing the restore function regularly. That way, no one's forced into handing over cash. Security training and patching should also be integrated into enterprises' day-to-day operations.

The KnowBe4 blog post also provided a TorrentLocker update, saying the ransomware has earned $40 million between March and December. Plus, since its discovery in August, TorrentLocker has expanded its operation to include targets in Italy, Czech Republic, Germany and Turkey.

“Ransomware is the biggest headache for IT security people, much more than APTs,” said Sjouwerman. “APTs are a spy who is looking in your building with binoculars and knowing what's going on. Ransomware is a crook with a club who drags you into an alley and hits you over the head.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.