KillerLocker Ransomware

July 30, 2017

We have received reports of yet another ransomware. KillerLocker ransomware is not vastly different from other ransomware families that we have seen in the past. It encrypts the victim’s files and shows a warning once it has finished its job. This time, the warning uses a creepy image of a killer clown. With killer clown attacks all over the news lately, cyber criminals have clearly caught on to the clown craze.

Upon successful infection, KillerLocker opens a window with the clown image and a warning.
Figure 6: KillerLocker warning screen


The text on the warning screen is written in Portuguese and translates to:

“All your files have been encrypted with a very strong AES-256 encryption. Send payment: 000-00 / 00 up to 48 hours. You can not do anything about it and your key will be eliminated in 48 hours!”
The “.rip” file extension is appended to the names of encrypted files.
Example of encrypted files with .rip extension


System files such as taskmgr.exe and regsvr32.exe are also encrypted. Because files needed to boot the operating system are encrypted as well, the victim will be unable to reboot the machine, which renders it useless at this point.
Figure: System fails to boot

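For responders scoping an affected volume (for example, a disk mounted read-only on an analysis host), the following added example inventories files that carry the appended “.rip” extension and flags the system files named above. It is not code from the original post or from any vendor tool; the entropy threshold, the sample size and the function names are assumptions made for this example.

```python
import math
import os
from collections import Counter

RIP_EXT = ".rip"                                 # extension named in the write-up
SYSTEM_NAMES = {"taskmgr.exe", "regsvr32.exe"}   # system files the write-up lists
ENTROPY_THRESHOLD = 7.5                          # assumed cut-off, bits per byte
SAMPLE_BYTES = 65536                             # assumed sample size per file


def shannon_entropy(data):
    """Bits of entropy per byte; close to 8.0 for well-encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def triage(root):
    """Inventory files under root whose name ends in the appended .rip extension."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(RIP_EXT):
                continue
            original = name[: -len(RIP_EXT)]     # name before .rip was appended
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            except OSError:
                entropy = None                   # unreadable: still report the file
            findings.append({
                "path": path,
                "original_name": original,
                # High entropy separates encrypted content from benign *.rip files.
                "likely_encrypted": entropy is not None and entropy >= ENTROPY_THRESHOLD,
                "system_file": original.lower() in SYSTEM_NAMES,
                # An intact original next to the .rip copy narrows what to restore.
                "original_still_present": os.path.exists(os.path.join(dirpath, original)),
            })
    return findings


if __name__ == "__main__":
    import sys
    for finding in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Entries with `system_file` set indicate the boot-impacting damage described above, so that machine should be restored from backup or reimaged, not restarted.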

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature: GAV: KillLocker.A (Trojan). As such, Readycrest Proactive support customers using Dell SonicWALL firewalls with a current Gateway Antivirus subscription will be protected against such attacks as. Readycrest also proactively provides and monitors other layers of security and protection to help prevent such attacks manifesting themselves on our customers' systems.