Prison Locker virus threatens to flood market

News by Tim Ring

New low-cost ransomware about to launch.

Users are being warned that new ransomware called Prison Locker, which is highly dangerous but only costs criminals £61 (US$ 100) to acquire, is likely to flood the market.

Prison Locker, which is also called Power Locker, is based on the notorious CryptoLocker ransomware which was launched in September 2013 and is believed to have infected thousands of computers.

US-based security firm Malware Must Die first identified Prison Locker in a blog post on Friday 3 January. It says that the malware encrypts all files except system files and .exe files on hard drives and shared drives with “practically uncrackable” RSA-2048 encryption.

The researchers have been following the ransomware's development via hacker forums and said it was about to be launched. They immediately notified law enforcement agencies including Interpol, Europol and the FBI.

Their blog quotes the malware author as saying: “I am in the final stages of developing a CryptoLocker which locks a window in place along with encrypting files. If you are interested in buying message me (giving the author's email address). The regular price will be US $100.”

Prison Locker will effectively be sold as a ransomware kit that criminals can customise for their own use. Prison Locker has features designed to prevent it being detected. Infected users will be given a limited time to pay the required ransom before the decryption key is permanently deleted - similar to CryptoLocker.

CryptoLocker typically demands a ransom of two bitcoins to unlock the victim's files. If users wait more than three days, the ransom goes up to 10 bitcoins.

This week, researchers at Symantec told SCMagazineUK.com that Prison Locker may have already been released into the wild. Senior threat intelligence analyst Stephen Doherty said that they have a copy of ransomware they strongly suspect to be Prison Locker, and are now trying to reverse engineer it.

He warned that it could spread rapidly. “We're keeping an eye on this because we fully believe the capabilities are there and it's being sold for such a small amount it will probably see much more widespread distribution.”

He told SCMagazineUK.com: “It's another CryptoLocker-type threat. This is locking of the screen with encryption and we can envisage many more authors will be adopting this technique and we will see lots of different potential variants of threats that will use this strong encryption. We are starting to see a trend of locking and encrypting files at the same time.”

Doherty said the evidence suggests that the malware author started developing it in 2012 and may have taken ideas from CryptoLocker.

He said users have limited defences available to them and advised them to install up-to-date anti-virus software and back up their files. Infected users may be able to do a system restore to a previous configuration, but only the attacker holds the key to unlocking the computer. Doherty added: “We certainly wouldn't recommend paying the ransom.”

Prison Locker has surfaced shortly after researchers at Trend Micro and ESET detected what they refer to as CryptoLocker 2.0, a new variant with self-replicating abilities that mean it can be spread via USB sticks.
