Sleeper function adds devastating wrinkle to Locker cryptoware

News by Tom Reeve

Perhaps it should be renamed the Manchurian candidate, but a new strain of ransomware which has been hibernating on Windows computers has woken up with devastating results.

It is, according to an admin at, wreaking  havoc on a large number of victims.

The admin, Lawrence Abrams, is running a very active forum on the problem and has posted a detailed summary of what's been discovered so far.

The Locker ransomware ran silently on victims' computers until midnight on 25 May local time. On activation, Locker begins to encrypt the victim's files with what is thought to be RSA encryption.

As it doesn't change the file extension, the only way to know that a file is encrypted is to try to open it.

After it finishes encrypting the files, it tries to delete the shadow volume copies and then displays the ransom note along with a helpful interface for paying the attacker with Bitcoins.

Abrams said that it's not clear how the ransomware was installed except that it employs a dropper which is installed in C:\Windows\System32 or C:\Windows\Syswow64.

Locker is not always successful in deleting the shadow volume and it will only target the shadow volume copies on the C:\ drive so it is sometimes possible to restore some if not all of your data after becoming infected with Locker.

Abrams said if you are infected and decide to pay the ransom, do not try to disinfect your computer because the malware is required to reverse the decryption process.

The ransom note also warns that tampering with Locker will result in the permanent deletion of the private key from the attacker's server, rendering your files irrecoverable. 


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews