This is a quick analysis of a newly discovered ransomware called File-Locker. This brief will contain technical information related to how it infects a computer, how it is distributed, and whether it can be decrypted or not.

File-Locker Summary

The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When victim’s are infected it will leave a ransom requesting 50,000 Won, or approximately 50 USD, to get the files back.  This ransomware uses AES encryption with a static password of “dnwls07193147”, so it is easily decryptable.

Static Password

When encrypting a file it will append the .locked extension to the filename.

Encrypted Folder
Encrypted Folder

The file extensions targeted by this ransomware are:

.txt, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg, .java, .csv, .kdc, .dxg, .xlsm, .pps, .cpp, .odt, .php, .odc, .log, .exe, .cr2, .mpeg, .jpeg, .xqx, .dotx, .pps, .class, .jar, .psd, .pot, .cmd, .rtf, .csv, .php, .docm, .xlsm, .js, .wsf, .vbs, .ini, .jpeg, .gif, .7z, .dotx, .kdc, .odm, .xll, .xlt, .ps, .mpeg, .pem, .msg, .xls, .wav, .odp, .nef, .pmd, .r3d, .dll, .reg, .hwp, .7z, .p12, .pfx, .cs, .ico, .torrent, .c"

When done encrypting files, it will create a ransom note on the desktop called Warning!!!!!!.txt.  This ransom note is in both Korean and English and demands 50,000 won in bitcoin as a ransom payment. Strangely, the bitcoin address given in the Korean portion is for an account…