Threat Management, Malware, Ransomware, Threat Management

StalinLocker deletes data if you don’t enter the right code in time

Ransomware is under development that gives victims 10 minutes to enter a code and will delete the contents of a hard drive in the event of failure.

According to MalwareHunterTeam, who discovered the malware, when the malware is run, it plays the Soviet national anthem, which is copied to the %UserProfile%AppDataLocal 
As an mp3 file. 

The malware will also copy itself to the same folder as stalin.exe. It then creates an autorun file called Stalin which, when run, locks the screen and starts off the wiping process.

Also created is %UserProfile%AppDataLocalfl.dat. This decreases the time left to enter a code each time the computer is restarted.

It also attempts to taskmgr.exe and explorer.exe but leaves Skype or Discord alone. Also created is a scheduled task called "Driver Update" that launches Stalin.exe. 

When infected the malware shows a lock screen and a 10-minute timer. Victims are expected to enter a code, which is calculated by subtracting the date 30/12/1922 from the current date. If the correct code is entered, StalinLocker exits and deletes the autorun.

Should a victim fail to enter the code by the time the countdown reaches zero, the malware deletes all files on each drive attached to the computer.

In an interview with SC Media UK, MalwareHunterTeam said that malware came with “no money demand, no contact, nothing”. They added that the malware is “not a variant of anything known” and was first seen some days ago.

They said that if a user gets infected, “best thing he can do is shutdown PC and contact someone who can clean”.

Mark James, security specialist at ESET, told SC Media UK that this type of wiper malware currently seems to have only a destructive nature. It seems to serve no other purpose than to destroy data and gain media attention. 

“For the average end user they will neither have the time or the inclination to find and enter the correct code, so the file wipe will almost certainly be a done deal. Their only protection is going to be good multi-layered internet security software that will detect and delete the offending malware,” he said.

“Having said that, this malware also seves to spread more than the wantonness of deleting your personal files- its use of content could be seen to point blame or attribution to another well-known country."

James Hadley, CEO & founder of Immersive Labs, told SC Media UK that with new malware coming breaking out into the wild every day, such as StalinLocker, or StalinScreamer, it is “vital that security analysts have access to a safe and secure environment where they can analyse and get up close and personal with the latest threats and their traits, in order to understand how best to secure their systems”.  

“Doing so means the difference between keeping up with attackers or lagging sorely behind,” he said.

Javvad Malik, security advocate at AlienVault, told SC Media UK that last year rensenWare locked machines and forced users to get a high score in a game in order to unlock the files.
“Although these kinds of attacks aren't necessarily for profit, the impact is no less. Therefore, enterprises should take all these threats just as serious and invest in security controls that can detect such attacks, so that the appropriate measures can be taken,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.