Elmers Glue Locker demands $35k but fails to encrypt!

May 26, 2017

Another day, another ransomware! This time, the Sonicwall Threats Research team have discovered a very ambitious new ransomware threat called Elmer's Glue Locker which appears to be in early development. So early that it fails to encrypt any files at all!

Infection Cycle:

The Trojan uses the following icon and metadata:

The Trojan performs no network communication.

The Trojan adds the following files to the filesystem:

  • %APPDATA%LocalPackagesMicrosoft.BingFoodAndDrink_8wekyb3d8bbweRoamingStateHOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%LocalPackagesMicrosoft.BingHealthAndFitness_8wekyb3d8bbweRoamingStateHOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%LocalPackagesMicrosoft.MoCamera_cw5n1h2txyewyRoamingStateHOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%LocalPackagesMicrosoft.WindowsReadingList_8wekyb3d8bbweRoamingStateHOW_CAN_I_DECRYPT_MY_FILES.txt

HOW_CAN_I_DECRYPT_MY_FILES.txt contains the following text:

      Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.

      Encryption was prodused using unique public key for this computer.

      To decrypt files, you need to obtain private key and special tool.

      To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.

      Depending on your operation system version and personal settings, you can find it in:



      'C:/Documents and Settings/All Users/Application Data',

      'Your Desktop'

      folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').

      Then send it to one of following email addresses:







      Your ID: {REMOVED}#4FDBF87A34166C70955ED0ECBC1DDFCD

      Do not worry if you did not find key file, anyway contact for support.

It displays the following information on the desktop background:

It demands that the user sends a hefty sum of 16 Bitcoins to 14Vbyx3SCUvLKj3FWWefEVWAs4jJ9R2qqi (over $35,000 USD at the time of writing) for file recovery.

The message directs the user to open a link to a server that is hosted on the tOr network:


This leads to the following site:

As expected (from ransomware that doesn't work) there has been no transaction activity at the supplied Bitcoin address:

Although there was no file encryption activity when we analysed this sample, the threat is still significant. We expect the creators to add this capability in the very near future.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: ElmerLocker.RSM (Trojan)