How does locker ransomware work?

Locker ransomware is a type of malware that locks users out of their devices and demands a ransom payment in order to regain access. It works by encrypting files on the infected device and preventing normal system operations. Once installed, locker ransomware displays a full-screen message that prevents access to the desktop and applications. The message demands that the victim pay a ransom to obtain the decryption key needed to unlock their files and system. If the ransom is not paid, the files remain encrypted and inaccessible.

How does locker ransomware infect devices?

Locker ransomware typically infects devices through malicious email attachments, compromised websites, or fake software updates. The malware may be disguised as an innocent file like a document or image. Once opened, it installs itself and executes code that locks down the system. Locker ransomware can also spread through unsecured connections, infected external drives, and social engineering tactics.

Some common infection vectors include:

  • Opening email attachments from unknown senders
  • Visiting compromised websites that trigger a download
  • Clicking on malicious ads or pop-ups
  • Installing fake software updates
  • Plugging in infected USB or external drives

The malware often uses social engineering to trick users into installing it. The messages may appear to come from a legitimate source and convince the user to bypass security warnings. Once executed, the locker ransomware payload activates and locks the device.

What happens when locker ransomware infects a device?

Once installed, locker ransomware uses encryption algorithms to lock files on the infected device. It targets documents, media files, system files, and more. The malware scrambles the contents of these files by generating complex encryption keys. Without the proper decryption key, the files become inaccessible.

In addition to encrypting files, most locker ransomware locks down system functions. It blocks the desktop, disables Task Manager, and prevents apps from launching. Some variants turn off WiFi and Bluetooth connectivity. The ransomware essentially cages the entire system and prevents normal usage.

After locking the device, the malware displays a full-screen ransom message. This message explains that files have been encrypted and demands a payment to decrypt them. The ransom period is limited, often 72 hours or less, to spur fast payment. The message provides instructions for how to pay the ransom, usually in Bitcoin or other cryptocurrencies.
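The mass encryption described above leaves a recognisable trace in endpoint file-activity logs: one process touching many files in a short window, typically renaming them to a new extension. As an added example that is not part of the original article, the following Python script runs a simple burst detector over constructed file events in the style of an EDR or Sysmon file log. The event format, the 60-second window and the 20-file threshold are assumptions chosen for illustration; in production they would be tuned to the host's normal activity.

```python
# Added example (not from the original article): detect the burst of file
# renames/writes that accompanies ransomware encryption. Runs over a
# constructed, in-memory log; field layout and thresholds are assumptions.
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)    # look-back window per (host, process), assumed
BURST_THRESHOLD = 20              # distinct files touched inside WINDOW, assumed
SUSPECT_ACTIONS = {"RENAME", "WRITE"}


def parse_event(line):
    """Parse 'ISO-timestamp host process action path' into a dict.
    The path is the last field and may contain spaces."""
    ts, host, proc, action, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": proc, "action": action, "path": path}


def detect_bursts(lines, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return one alert per (host, process) whose file activity inside the
    sliding window reaches the threshold. Each alert also reports how many
    of those events were renames and the most common new extension, which
    is the classic sign of files being encrypted and relabelled."""
    recent = defaultdict(deque)   # (host, process) -> events inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in SUSPECT_ACTIONS:
            continue
        key = (ev["host"], ev["process"])
        q = recent[key]
        q.append(ev)
        # Drop events that fell out of the look-back window.
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        files = {e["path"] for e in q}
        if len(files) >= threshold and key not in alerted:
            renames = [e for e in q if e["action"] == "RENAME"]
            exts = Counter(e["path"].rsplit(".", 1)[-1].lower() for e in renames)
            alerts.append({
                "host": key[0], "process": key[1],
                "files": len(files), "renames": len(renames),
                "top_extension": exts.most_common(1)[0][0] if exts else None,
                "first_seen": q[0]["ts"].isoformat(),
            })
            alerted.add(key)   # one alert per offender, not one per event
    return alerts


def constructed_events():
    """Constructed sample log (not real telemetry): a user saving a few
    documents on WS-17, then a process on WS-42 renaming 30 files to a new
    extension within 45 seconds."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    for i in range(5):   # benign: one save every two minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} WS-17 winword.exe WRITE "
                     f"C:\\Users\\ann\\Docs\\report{i}.docx")
    for i in range(30):  # suspicious: rapid renames appending .locked
        t = base + timedelta(minutes=15, seconds=int(i * 1.5))
        lines.append(f"{t.isoformat()} WS-42 updater.exe RENAME "
                     f"C:\\Users\\bob\\Docs\\file{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_events()):
        print(alert)
```

The benign editing on WS-17 never accumulates more than one file inside the window, so it stays silent; the rename burst on WS-42 trips the threshold at the twentieth file and reports `.locked` as the dominant new extension. A real deployment would feed this from the endpoint's file-event stream and pair the alert with automatic network isolation of the host.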

Common locker ransomware screens

Locker ransomware displays intimidating ransom screens that take over the infected device’s display. Some common examples include:

  • “Your computer is locked for illegal activities.”
  • “Your files are encrypted. Pay fine or lose files.”
  • “Your data is locked. Pay $500 within 24 hours.”
  • “Files encrypted. Send 1 Bitcoin in 48 hours for decryption key.”

These full-screen messages are difficult to close or bypass. Their goal is to force victims to pay the ransom to free their system.

How does the ransom payment process work?

If the victim pays the ransom, the attackers provide instructions for recovering files. This recovery process relies on a decryption key that unscrambles the encrypted data. Attackers handle ransom payments and key distribution in several ways:

  • Automated payment sites: Some ransomware uses a customized payment portal that automatically verifies payment and releases the encryption key for download.
  • Email instructions: Payment confirmation and decryption keys may be handled through email communication.
  • Live chat support: Attackers may provide a chat window for ransom payment support and key delivery.

The quickest and most automated options charge the highest ransoms. Ransom amounts usually range from $200 to $1000 or more. Paying the attackers provides no guarantee files will be recovered, however.

What techniques does locker ransomware use?

Locker ransomware uses the following techniques to take over target devices and demand ransom payment:

System locking

By disabling the desktop, Task Manager, and other system functions, the malware prevents victims from reaching the files, apps, or system settings they would need to remove the infection.

Full-disk and file encryption

Locker ransomware encrypts files stored on the hard drive, external storage, shared drives, and other connected devices.

Persistent execution

The malware adds registry keys, services, and other persistence methods to repeatedly execute on boot or login.
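The system-locking and persistence techniques described in the two sections above leave footprints in well-known registry locations, which makes them a natural target for a host audit. As an added example that is not part of the original article, the following Python script checks a snapshot of registry values for those footprints: lockout policies set to 1, a replaced Winlogon Shell (a change some screen lockers make so their message loads instead of the desktop, which goes slightly beyond what the text lists), and autostart entries launching from user-writable directories. The key paths and value names are real Windows locations; the snapshot itself is a constructed dictionary, and the step that collects it on a live host (for example via winreg or a reg export) is assumed and not shown.

```python
# Added example (not from the original article): audit a registry snapshot
# for locker-style system lockout and persistence indicators. The snapshot
# is a constructed dict; collecting it from a real host is assumed.

POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
# Real policy value names; a value of 1 disables the named function.
LOCKOUT_POLICIES = ("DisableTaskMgr", "DisableRegistryTools", "DisableChangePassword")
# Directory fragments that ordinary users can write to (lower-cased for matching).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\windows\\temp\\")


def extract_command_path(command):
    """Return the executable path from an autostart command string,
    handling the quoted form  "C:\\path with spaces\\x.exe" /arg."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_snapshot(snapshot):
    """snapshot maps a registry key path to {value_name: value}.
    Returns a list of human-readable findings (empty when nothing is odd)."""
    findings = []

    # 1. Lockout policies: the mechanism behind a disabled Task Manager.
    policies = snapshot.get(POLICY_KEY, {})
    for name in LOCKOUT_POLICIES:
        if policies.get(name) == 1:
            findings.append(f"policy {name}=1 under {POLICY_KEY}")

    # 2. Winlogon Shell should be explorer.exe on a normal workstation.
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell replaced: {shell!r}")

    # 3. Run-key autostarts that launch from user-writable locations.
    for key in RUN_KEYS:
        for name, cmd in snapshot.get(key, {}).items():
            path = extract_command_path(cmd).lower()
            if any(frag in path for frag in USER_WRITABLE):
                findings.append(f"autostart {key}\\{name} runs from user-writable path: {cmd}")
    return findings


# Constructed snapshot (hypothetical values, not taken from a real host):
# two lockout policies set, the Shell swapped for a binary in Temp, and a
# matching Run entry alongside a legitimate-looking OneDrive autostart.
CONSTRUCTED_SNAPSHOT = {
    POLICY_KEY: {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    WINLOGON_KEY: {"Shell": "C:\\Users\\bob\\AppData\\Local\\Temp\\lock.exe"},
    RUN_KEYS[0]: {
        "OneDrive": '"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
        "SysUpdate": "C:\\Users\\bob\\AppData\\Local\\Temp\\lock.exe",
    },
}

if __name__ == "__main__":
    for finding in audit_snapshot(CONSTRUCTED_SNAPSHOT):
        print(finding)
```

The OneDrive entry is not flagged because it launches from the application's own AppData folder rather than a temp or download location, while the hypothetical `SysUpdate` entry and the replaced Shell are. A finding here is a prompt to pull the referenced binary for analysis and to compare the values against a known-good baseline, not proof of infection on its own.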

Anti-removal tactics

Locker ransomware blocks security software and prevents victims from resetting passwords or accessing safe mode.

Ransom screen

A full-screen message demands ransom payment in order to decrypt files and unlock the system.

Time limit countdown

A countdown clock pressures victims to pay quickly before the ransom price increases or decryption becomes impossible.

Cryptocurrency payment

The ransom is collected through anonymous cryptocurrency wallets instead of more traceable payment methods.

What are some notorious locker ransomware strains?

Many locker ransomware variants have inflicted damage on businesses and consumers. Some of the most widespread and destructive examples include:

Reveton

Reveton, one of the first major locker ransomware strains, uses law enforcement themes. It falsely claims that illegal activity was detected on the device to convince victims to pay a "fine" using prepaid cards or money transfers.

Locky

Locky emerged in 2016 and initially spread through spam email campaigns. It encrypts over 160 different file types and scrambles file names.

Jigsaw

After infecting systems, Jigsaw begins deleting encrypted files every hour until the ransom is paid. It also uses creepy ransom messages and imagery.

Petya

Petya overwrites the master boot record, encrypting the master file table and preventing system booting. It spreads rapidly through internal networks.

Who is behind locker ransomware attacks?

The attackers who develop and distribute locker ransomware aim to extort money from businesses and individuals. Some responsible cybercriminal groups include:

  • Organized cybercrime gangs seeking profits
  • Individual hackers and malware developers
  • Groups funded by hostile nation states
  • Ransomware-as-a-service offerings

Buying a ready-made ransomware kit on the dark web requires only basic technical skills. Some locker ransomware operations run like businesses, complete with customer service call centers. Attackers put significant effort into those call centers and payment sites to extract the maximum ransom from victims.

Why is locker ransomware so dangerous?

Locker ransomware presents several dangers that make it a highly disruptive threat:

  • Prevents access to essential files, applications, and devices
  • Inflicts downtime and business disruption
  • Difficult for many victims to recover files without paying
  • Costly to organizations in ransom payments and recovery efforts
  • Damages computers due to system changes and file deletions

The consequences are severe for businesses if critical servers are compromised. Lost sales, reduced productivity, and reputational harm can result from locker ransomware attacks.

How much does locker ransomware cost victims?

According to research, the average total cost paid by organizations for each locker ransomware attack is now over $250,000. Costs add up due to:

  • Business disruption
  • Revenue and productivity losses
  • Technical investigation
  • Ransom payments
  • File recovery / system restoration

Small businesses can suffer disproportionately severe consequences from an attack. However, ransom payments are normally a fraction of total recovery costs.

Should ransom payments be made?

There are risks to paying locker ransomware demands. The FBI and most security experts warn against paying ransom because:

  • It encourages more attacks and provides funds for cybercriminals
  • There is no guarantee files will be recovered
  • It signals vulnerable organizations willing to pay

However, when critical systems and data are impacted, some organizations feel a ransom payment is the most cost-effective way to resume operations. Each victim needs to evaluate the pros and cons of paying ransom based on their unique situation.

How can locker ransomware infections be prevented?

The most effective way to avoid locker ransomware is by preventing it from infecting devices in the first place. Organizations should focus on:

  • Email security and spam filtering
  • Web gateway security and DNS filtering
  • Patch management to eliminate software vulnerabilities
  • Next-generation antivirus with behavior detection
  • Restricting administrative privileges
  • Employee cybersecurity training
  • Regular offline backups

These proactive security measures make it much harder for locker ransomware campaigns to succeed. Segmenting networks also limits the ability of ransomware to spread if it gets through defenses.

How can an active locker ransomware infection be stopped?

Once a device is infected, locker ransomware can be difficult to remove without paying the ransom. Options to stop an active infection include:

  • Isolate the infected device from networks immediately
  • Use ransomware decryption tools from security firms
  • Restore from clean backups not impacted by encryption
  • Perform a factory reset or reinstall the operating system
  • Leverage cloud or shadow copy backups to restore files
  • Hire incident response experts for recovery assistance

These solutions aim to restore system access without paying ransom. However, they can result in permanent data loss. Organizations should have an incident response plan ready for a quick response to maximize chances of stopping an active infection.

Should law enforcement be contacted?

It is generally recommended to contact law enforcement if your organization is impacted by a locker ransomware attack. Reporting the crime can potentially help identify the attackers. The FBI and international law enforcement are sometimes able to track ransom payments or exploit flaws in ransomware kits to decrypt files. Reporting attacks also provides important data that helps law enforcement detect emerging criminal campaigns and methods.

Conclusion

Locker ransomware is a prevalent threat capable of severely impacting businesses and end users. Understanding how it works, spreads, and infects systems helps improve defenses against attacks. While ransomware techniques continue to evolve, the same security best practices hold up against new and old variants alike. With strong technical controls and staff education, organizations can reduce both the frequency of successful attacks as well as the impact ransomware can inflict.