Dark Reading is part of the Informa Tech Division of Informa PLC

Beware PowerLocker Ransomware

Chatter on underground forums traces development of Blowfish-based shakedown malware that encrypts infected PCs.

A new generation of ransomware known as PowerLocker -- aka Prison Locker -- is designed to lock PCs using uncrackable crypto.

That warning was sounded Friday by Malware Must Die, a group of self-styled anti-malware crusaders. "Malware bad actors just keep on coding and developing new threats with the stupid dream to get rich soon in their stupid heads," the group said in a blog post that detailed what they'd learned about PowerLocker's creator and about the malware's purported features and functionality.

In a Dec. 19 post to Pastebin, PowerLocker's developer said that his malware -- which was then due for imminent release -- used the Blowfish symmetric-key block cipher to encrypt all personal data stored on a PC, and then encrypted those Blowfish keys using 2048-bit RSA encryption.

"A unique BlowFish key is generated for each file. That BlowFish key is then encrypted with an RSA key specific to the PC, then the RSA block is stored with the file to be decrypted later," said PowerLocker's developer, who uses the handle "gyx."


Advertised PowerLocker features also include a customizable length of time before the bot uninstalls itself, the ability to customize the name and location of the malware file dropped during the infection, and the amount of money demanded by the ransomware before the data will be decrypted. Users -- meaning attackers -- can receive related payments via Bitcoin e-voucher codes as well as Ukash and Paysafe. "The bot has an HTTP panel which will be used to control slaves and receive payment codes entered by slaves," said the developer. "You can either approve or deny -- resetting the removal clock duration, specified by you during purchase -- a payment code, and then unlock/decrypt files on the PC -- identified by its IP."

PowerLocker costs $100, payable in bitcoins, while future upgrades -- or "rebuilds" -- will cost $25. Finally, a "ghost panel" -- referring to an innocuous-looking access panel that can be used to disguise the underlying malicious infrastructure on a server -- will cost $20.

Malware Must Die said that by publicizing the intelligence it's gathered on PowerLocker and its developer, it's not trying to stoke ransomware fear, uncertainty, and doubt. Rather, the group hopes that multiple law enforcement agencies and national computer emergency response teams will launch related investigations and nip PowerLocker sales in the bud. "If released... this will be more [of a] headache for researchers, industry and LEA -- law enforcement agencies," the group warned, "so after [an] internal meeting we decided to disclose it."

Indeed, PowerLocker's play is to offer low-cost ransomware attacks for the cybercrime masses. For comparison purposes -- as noted by Ars Technica -- previous types of ransomware largely appear to have been developed by a particular gang and used only by that gang.

Many previous types of ransomware have also been heavy on scare and social engineering -- aka trickery -- tactics, but they have not necessarily been difficult to defeat using anti-malware software. The Reveton malware, for example, may flash a "Threat of Prosecution Reminder" on the screen of an infected PC saying that the user's system has been locked after attempts to access child pornography or other illegal content were detected. But if the user agrees to pay a fine, typically in bitcoins or another virtual currency, the malware promises that the whole matter will be dropped. The malware may also be localized so that the warning is labeled as being from a relevant law enforcement agency -- for example, from the FBI for US-based targets.

Who would fall for such a scam? According to warnings issued by government agencies in the United States and abroad, law enforcement agencies have been besieged by complaints about the malware as well as confessions from consumers who have paid up. Last year, even one Massachusetts police department reportedly paid a related ransom to get its encrypted data back.


User Rank: Apprentice
1/9/2014 | 1:58:06 PM
Re: Ransomware targets?
I spoke with a small business owner over the holidays that got hit by one of these. They backup once each day, but the malware hit right before a major backup. Their IT guy looked it over and said it would actually be cheaper and less risky to just pay the ransom -- and so they did.

So there's an example of who pays and why. However, I don't think any type of targeting is done. That would require work. Instead, they try to hit everyone through system vulnerabilities, mass emails, etc.

User Rank: Apprentice
1/8/2014 | 6:17:45 AM
Re: Ransomware targets?

Who's paying these ransomware threats? I'm not aware of any psychological studies (i.e. who's most at risk), but as noted in the story, at least one police department, and no doubt anyone else who doesn't mind coughing up $200 or whatever it costs to make the problem go away are likely payers.

Like a lot of scams, criminals use a shotgun approach, and hit as many people as possible -- young, old, and everywhere in between. If even a fraction of these victims pay, then the attackers hit payday.

Of course, ransomware has that added wrinkle that people's personal data -- photos, emails, documents -- might get deleted, unless they pay. In addition, PowerLocker's creator touted the ability to lock the PC, disabling the Windows Task Manager, the use of control-alt-delete, or any attempt to hide the ransom screen. Simply being able to use their PC again would likely scare a lot of people into paying up.

User Rank: Apprentice
1/8/2014 | 6:16:05 AM
Re: Ransomware targets?

Great tip, which applies regardless of device or platform (i.e. desktop, laptop, or mobile device -- especially Androids). One feature being touted by PowerLocker's developer, notably, is the ability to encrypt not only a PC hard drive, but also connected devices, meaning that any attached backup drives might also get encrypted (and the unencrypted personal data then deleted).
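
The point raised in the comment above, that an attached backup drive can be encrypted along with the PC, means a backup set should be checked before it is trusted for a restore. The following is an added example, not code from the article, from PowerLocker, or from any commenter: a small Python check that walks an in-memory backup set and flags files whose leading bytes no longer match what their extension promises, falling back to byte entropy for extensions without a known header. The file names and contents are constructed for the demo; the magic-byte values are the standard ones for those formats.

```python
"""Flag backup files that look encrypted or overwritten.

Added example for restore-time verification of a backup set. It runs entirely
over constructed in-memory sample files; on a real backup you would feed it
paths and file contents instead.
"""
import hashlib
import math
import os
from collections import Counter

# Plain text and structured documents normally sit well below this value;
# random-looking ciphertext approaches 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.5

# Standard leading bytes for a few common formats. Compressed formats such as
# JPEG and PNG have high entropy even when intact, so for them the header is
# the reliable signal and entropy alone would produce false positives.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def header_mismatch(name: str, data: bytes) -> bool:
    """True when the extension has a known magic prefix and the content lacks it."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    return magic is not None and not data.startswith(magic)


def assess(name: str, data: bytes) -> dict:
    """Per-file verdict together with the evidence behind it."""
    known_type = os.path.splitext(name)[1].lower() in MAGIC
    entropy = shannon_entropy(data)
    mismatch = header_mismatch(name, data)
    # Known header: trust the header check (entropy is meaningless for compressed
    # formats). Unknown type: fall back to the entropy threshold.
    suspicious = mismatch if known_type else entropy >= ENTROPY_THRESHOLD
    return {
        "name": name,
        "entropy": round(entropy, 2),
        "header_mismatch": mismatch,
        "suspicious": suspicious,
    }


def scan(files: dict) -> list:
    """Return the names of files in a backup set that look encrypted or corrupted."""
    return [name for name, data in files.items() if assess(name, data)["suspicious"]]


def pseudo_random_bytes(length: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed, not a cipher)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample backup set: intact PDF and spreadsheet, a plain-text note,
# and a "photo" whose content has been replaced by ciphertext-like bytes.
SAMPLE_BACKUP = {
    "report.pdf": b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
    "ledger.xlsx": b"PK\x03\x04" + b"[Content_Types].xml" * 40,
    "notes.txt": b"Quarterly backup verified by hand.\n" * 100,
    "photo.jpg": pseudo_random_bytes(4096),
}

if __name__ == "__main__":
    for name, data in SAMPLE_BACKUP.items():
        print(assess(name, data))
    print("suspicious:", scan(SAMPLE_BACKUP))
```

Run against a real backup, a non-empty result from `scan` is the cue to fall back to an older, offline copy rather than restoring from the drive that was attached when the infection happened. The header-first rule matters: a JPEG or PNG scores close to 8 bits per byte whether or not it has been encrypted, so only unknown file types should be judged on entropy.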

Lorna Garey
User Rank: Ninja
1/7/2014 | 5:50:18 PM
Re: Ransomware targets?
I just had a discussion over the holidays with an older relative who is a gifted amateur photographer. He doesn't upload his photos to Picasa or any other cloud service. He has a big box of thumb drives, but mostly, they're on a PC that's probably running XP. It was a bit terrifying.
Thomas Claburn
User Rank: Ninja
1/7/2014 | 4:09:03 PM
Re: Ransomware targets?
This is another reason to maintain multiple disk backups, some of which are off-network and offsite.
User Rank: Apprentice
1/7/2014 | 3:01:12 PM
Ransomware targets?
Lorna Garey raised a good point recently: Who actually pays ransomware threats? Mat, are they targeting a specific type of user? For instance, preying on older users as many phish scams do?