EVIL LOCKER Ransomware actively spreading in the wild.

July 16, 2018

The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of EVIL LOCKER [EVILLOCKER.RSM] actively spreading in the wild.

EVIL LOCKER encrypts the victims files with a strong encryption algorithm until the victim pays a fee to get them back.

Contents of the dropper for EVIL LOCKER ransomware

Infection Cycle:

The Ransomware adds the following files to the system:

  • Malware.exe
    • %App.path%\ [File Name].[evil@cock.lu].EVIL
      • Instruction for recovery

Once the computer is compromised, the Ransomware copies its own executable into %Userprofile% folder runs the following commands:

 

The Ransomware encrypts all the files and appends the .EVIL extension onto each encrypted file’s filename.

After encrypting all personal documents the Ransomware shows the following webpage containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: EVILLOCKER.RSM (Trojan)