First spotted on Christmas Eve, DeriaLock ransomware quickly made Santa's naughty list, as it evolved from a simple screen-locker to a full-fledged file encryptor.
First spotted on Christmas Eve, DeriaLock ransomware quickly made Santa's naughty list, as it evolved from a simple screen-locker to a full-fledged file encryptor.

A rapidly evolving ransomware family called DeriaLock made its ignominious debut over the 2016 holidays, but researchers quickly created decryptor software to rescue the files of those unlucky enough to receive this unwanted “gift.”

First detected on Christmas Eve, DeriaLock rapidly transformed from a simple screen-locker to a full-fledged file encryptor that deletes files when victims attempt to reboot their machines.

The malware was discovered on Dec. 24 by Karsten Hahn, a malware analyst with German computer security company G Data. It was found on Google's anti-virus aggregation service VirusTotal, where malware authors often test their creations against popular detection software.

According to a BleepingComputer report, the original malware merely seized control of victims' screens – but by Dec. 26, a new variant actually encrypted users' files.

The ransomware also threatens to delete victims' files if the computer is restarted in an attempt to subvert the malicious program. Originally, that threat was just a bluff, but then an updated version of DeriaLock actually made good on the threat to wipe out the files, according to a Sunday blog post by Check Point Software Technologies.

"Most ransomware[s] make minor changes in their code in order to evade security products; Derialock went further and implemented new file encryption functionality, which is very unusual to do," said Maya Horowitz, group manager, research and development at Check Point, in an interview with SC Media.

“I think that [the] first version that I found was still in development because one button was not working, the buttons were oddly placed, and it was quite buggy, said G Data's Hahn in a Twitter interview with SC Media. "The versions after that one are more likely what the author(s) had in mind right from the start.”

Despite the seriousness of the threat, the ransom demand is a rather merciful $30. “The ransom is usually low if the ransomware targets people rather than companies or institutions,” Hahn continued. “People don't have as much money and they are more likely to pay if the ransom is low.”

The ransom note is written in English, but can be translated into German. A Spanish translation button did not function properly when analyzed. “I believe that the authors of the ransomware might be German based on how the English and German ransom notes are written. The domain for the server is registered to a German address as well,” Hahn explained.

To regain control of their files, victims must contact the cybercriminal via Skype and pay via an unknown method, the BleepingComputer report reads. Victims must also provide their computer's hardware ID code, which the malware distributor then places into a file. The next time the infected computer queries DeriaLock's command-and-control server, it will discover this file, which provides the code to unlock the machine's screen or files. DeriaLock requires Microsoft's .NET Framework 4.5 to be installed and does not work on  XP machines, the report continues.

There are at least two decryptor programs that defeat DeriaLock. One was created by Michael Gillespie, creator of the MalwareHunterTeam's ID Ransomware service. The other is a tool from Check Point, which has made its code available via its website and through the No More Ransom project.

Check Point researchers also recently uncovered and created a decryption tool for a PHP-based malicious cryptor program. Although the company refers to it as ransomware, the program neither posts a ransom note nor offers a mechanism with which to pay.

Discovered in early December on a malicious domain, the script encrypts victims' files “without offering any option to retrieve them,” Check Point explains in its blog. “There is also no attempt made to communicate with a command and control server, which usually enables tracking the number of infected machines, downloading executables or other malignant activities.”

According to Check Point, the PHP script scans an infected system's directories for files containing certain specific extensions. The malicious program then changes the access permissions of these files, allowing it to read and subsequently encrypt the first 2048 bytes of these documents.

"Maintaining ransom payment infrastructure requires great efforts from the threat actor," said Horowitz. "Adding to this the fact that encryption codes are available all over the internet it seems like we are dealing with a new actor who may evolve to a professional one in the future."