DeriaLock, a New Entrant into the Ransomware Family


A malware analyst has identified a new ransomware named DeriaLock, which locks the victim's computer screen and demands a payment of $30.

The ransomware invites the victim to contact the DeriaLock author via Skype and pay the crook $30, said security researcher Karsten Hahn.

DeriaLock locks the victim's computer screen and prevents users from accessing their files or applications. It leaves the data intact.

DeriaLock came to light after an unknown VirusTotal user uploaded the ransomware's binary file to the portal, which analyzes suspicious files and URLs for free.

Once executed, DeriaLock takes the computer's Machine Name identifier and generates an MD5 hash from it. The ransomware then contacts its command and control (C&C) server and retrieves the most current version of itself.

The DeriaLock source code includes a hardcoded MD5 hash for which, the security researcher suspects, the screen locker won't start.

DeriaLock Ransomware Code

Once DeriaLock has retrieved its current version, it runs and starts the screen lock operation. The screen locker then shows a ransom note under the heading "YOUR PC IS LOCKED BY DERIALOCK!".

DeriaLock Ransomware Ransom Note

Once it has locked the screen, it kills multiple Windows processes, along with the process responsible for the screen lock.

The processes include taskmgr, regedit, msconfig, utilman, cmd, explorer, etc.
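For defenders, a single process terminating several of these tools in quick succession is a useful behavioural signal. The sketch below is an added example, not code from DeriaLock or from the researcher's analysis; the event schema, the file paths, and the 60-second and three-tool thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the article lists as being killed by the screen locker.
WATCHED = {"taskmgr.exe", "regedit.exe", "msconfig.exe",
           "utilman.exe", "cmd.exe", "explorer.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows path

def find_tool_killers(events, window=timedelta(seconds=60), min_distinct=3):
    """Map each actor to the watched tools it terminated, for actors that
    killed at least `min_distinct` different tools inside one `window`."""
    kills = defaultdict(list)
    for ev in events:
        if ev["action"] == "terminate" and basename(ev["target"]) in WATCHED:
            when = datetime.fromisoformat(ev["time"])
            kills[ev["actor"].lower()].append((when, basename(ev["target"])))
    alerts = {}
    for actor, hits in kills.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {name for _, name in hits[start:end + 1]}
            if len(distinct) >= min_distinct and len(distinct) > len(alerts.get(actor, [])):
                alerts[actor] = sorted(distinct)
    return alerts

# Constructed sample telemetry (hypothetical schema, paths and times).
def event(time, actor, target, action="terminate"):
    return {"time": f"2024-01-01T{time}", "action": action, "actor": actor, "target": target}

LOCKER = r"C:\Users\demo\Downloads\systemlocker.exe"
INSTALLER = r"C:\Program Files\DemoApp\setup.exe"
SAMPLE_EVENTS = [
    event("10:00:01", LOCKER, r"C:\Windows\System32\Taskmgr.exe"),
    event("10:00:01", LOCKER, r"C:\Windows\explorer.exe"),
    event("10:00:02", LOCKER, r"C:\Windows\regedit.exe"),
    event("10:00:04", LOCKER, r"C:\Windows\System32\Taskmgr.exe"),  # repeat kill
    event("10:05:00", INSTALLER, r"C:\Windows\explorer.exe"),       # shell restart
    event("11:30:00", INSTALLER, r"C:\Windows\System32\cmd.exe"),
    event("12:00:00", INSTALLER, r"C:\Windows\regedit.exe"),
]

if __name__ == "__main__":
    print(find_tool_killers(SAMPLE_EVENTS))
```

The installer in the sample touches three watched tools over two hours and stays below the threshold, which is why the check counts distinct targets inside a short window rather than per actor overall.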

To get the screen unlocked, besides paying $30, the user needs to provide their system's Hardware ID (HWID) to the crook. The DeriaLock author then places the HWID on the server. When the DeriaLock agent running on the user's computer reaches the command and control server, it also looks up the HWID. If the ID is found on the server, the ransomware unlocks the screen.

Currently, the delivery method of the screen locker ransomware is still unknown to the researchers.

At the time of publishing, VirusTotal shows a detection ratio of 27/55 for the "systemlocker.exe" file, the original executable that brought DeriaLock to light. Besides this, major anti-virus engines have marked the file as suspicious or malicious. The anti-virus engines that have recognized the file as suspicious or malicious include Symantec, Kaspersky, McAfee, Sophos and Trend Micro.


VirusTotal Detection Ratio