Self Assessment

WINDOWS LOCKER RANSOMWARE

Published On : 2025-01-28
Share :
WINDOWS LOCKER RANSOMWARE

EXECUTIVE SUMMARY

CYFIRMA has identified a new ransomware strain, “Windows Locker,” which targets victims by encrypting their files and appending the .winlocker extension to the affected files. Upon infection, the ransomware drops a ransom note named Readme.txt, containing instructions for contacting the attacker or a designated administrator to arrange payment and obtain the decryption key.

INTRODUCTION

A newly identified ransomware strain, “Windows Locker or XDS ” was first observed in December 2024, and has since been widely seen on GitHub. Written in .NET, this sophisticated malware targets victims by encrypting files and appending the .winlocker extension to the compromised files. Upon infection, it drops a ransom note titled Readme.txt, which provides instructions on how to contact the attacker or designated administrator for payment and decryption.

To maintain persistence, “Windows Locker” modifies registry keys, ensuring that it remains active on the compromised system even after a reboot. Additionally, the ransomware employs tactics to delete shadow copies, effectively preventing victims from using system restore points or other standard recovery methods to retrieve their encrypted files.

ANALYSIS

File Name xds.exe / ConsoleApp2.exe
File Size 206.00 KB
File Type Win32 EXE
Signed Not Signed
MD5 Hash 5c86de54f31352ead8d2b3e573ea42fd
SHA 256 1f32f454ba32de5e0b7ed429b3542cdb0a9f826f5f5146f206baf074ec1abfe0
First seen wild December 2024

Capabilities and Execution: the ransomware, identified in the analysis, is a complex and highly malicious program designed to encrypt user data, disable system defenses, and demand a ransom.

Static Analysis

AES Encryption Technique: The Windows Locker Ransomware exhibits a sophisticated and multifaceted approach to compromising systems and extorting victims. Its primary function is to encrypt user files using the AES algorithm with a 256-bit key, rendering them inaccessible without a decryption key. The “AES_Encrypt” function applies encryption using a password-derived key. Upon decoding the password which was encoded in base64 we can see the password as “1337”.

Persistence: The ransomware employs mechanisms to ensure its persistence and propagation. It creates autorun entries in the Windows registry, ensuring it executes upon system startup. The “inicio_void” method creates registry entries in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”, ensuring the malware executes upon startup, with value “discord” and exe “C:\Users\admin\AppData\Local\discord.exe”. Finally, it attempts to delete the “uac_location” file. Copies of the executable are stored in system folders like `%LocalAppData%`.

Additionally, the malware can replicate itself onto all detected removable drives using the ‘USB’ function, storing copies of its executable named “nombre.exe”. These tactics amplify its spread and maintain control over infected systems.

System Modifications: to strengthen its grip, the ransomware disables essential system defenses. It modifies registry entries to turn off Windows Defender, disable Task Manager, and block system hotkeys. Furthermore, it executes commands to disable all firewall profiles, remove shadow copies, and delete backup catalogs. These actions eliminate recovery options and exacerbate the victim’s predicament. Imports external Windows DLLs such as ntdll.dll, shell32.dll, and user32.dll for low-level OS manipulations.

  • The cmd2 method executes registry modifications using ‘cmd.exe’:
  • Disables Windows Defender by setting ‘DisableAntiSpyware = 1’.
  • Disables Task Manager and hotkeys.
  • Firewall and Recovery Disabling:
  • All firewall profiles (domain, private, public) are disabled using ‘netsh advfirewall’ commands.

Recovery options like shadow copies and backup catalogs are deleted using:
“`bash
vssadmin delete shadows /all /quiet
wbadmin delete catalog quiet
“`

Remote Communication: The method conectar() is defined here to download the data.txt file from (`https://example.com/data.txt`) and check the Unique ID for identification of an infected System but in this case this function is under development by threat actor. Thus, we can say that this ransomware is still under development.

Self-Destruction: the program, armed with the ‘autodestruir’ function, takes on a dramatic self-destructive mission. It first retrieves the path to the Application Data folder and identifies the location of its own executable file. With calculated precision, it reads the contents of a file named ‘uac_location’ nestled within the Application Data folder. This content, a crucial piece of information, points to another file that is also targeted for deletion. In a clandestine operation, the program orchestrates the execution of hidden command prompts, crafting commands to delete both its own executable file and the file specified in uac_location. The commands are executed with stealth, ensuring the deletions are forceful and quiet. The autodestruir function meticulously ensures that it leaves no trace behind, efficiently erasing its existence and the specified file from the system and reducing the chances of forensic analysis and detection.

File Encryption Process: The malware initiates its encryption process by targeting critical directories such as Desktop, Documents, and Downloads, recursively encrypting all files except those explicitly excluded, like a README.txt file. The ransomware renames encrypted files with a “winlocker” extension, emphasizing their compromised state.

Desktop Background Modification: The `fondo` method replaces the system wallpaper, displaying a predefined image as part of the malware’s psychological impact. If image.jpg exists in My Pictures, it is set as the desktop wallpaper using the SystemParametersInfo function (SPI_SETDESKWALLPAPER) and then deletes.

If image.jpg does not exist, the ransomware writes its embedded wallpaper (Resources.wallpaper_jpg) to a file named image<random>.jpg in My Pictures, applies it as the desktop wallpaper, and deletes the file.

System Identification

Unique ID Creation: The ‘CreateId’ method generates a unique identifier for the infected system, stored locally, which is a random alphanumeric string with a specified length using a predefined set of characters. The loop ensures each character position is filled with a random character from the set. The StringBuilder is used for efficient string building during the process.

IP Address Retrieval: the ‘GetLocalIPAddress’ function fetches the system’s private IP address for inclusion in ransom notes.

Start Method: The ‘start’ method orchestrates the malware’s activities, including encryption, ransom note generation, system modification, and self-destruction.

Main Method: Checks for network availability and launches the ransomware if connected.

Creation of Ransom Note: The ransomware creates ransom notes in each directory containing encrypted files using the ‘mensaje’ and ‘messageCreator’ methods. The note informs victims that their data has been encrypted using military-grade encryption. Instructions direct victims to join a specified Discord server for payment and retrieval of the decryption key. Personalized details like the system’s unique ID, username, and machine name are included in the note.

Dynamic Analysis

Setup: Dynamic analysis would involve executing the binary in a controlled environment (e.g., a virtual machine with no internet access) to observe its behavior. Due to the malicious potential of the code, all dynamic tests must occur in a sandbox environment.

Observations

File Encryption: The program encrypts files in common directories (Desktop, Documents, Pictures) and appends the .winlocker extension.

Registry Changes alter the registry to disable critical Windows functionalities, such as Task Manager and Defender.

Startup: Next, it adds a file named “discord.exe” in the Local Application Data folder. The ransomware ensures persistence by creating a copy of itself in the LocalApplicationData folder under the name discord.exe and adding a registry entry to execute this file automatically upon system startup. This behavior is implemented in the inicio_void method.

First, the program accesses the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and creates a new value named discord. This value points to the file path C:\Users\<Username>\AppData\Local\discord.exe.

Next, the ransomware checks whether the file discord.exe already exists in the LocalApplicationData folder. If the file is missing, it copies itself (the currently running executable) to that location, ensuring that the malicious payload is persistently available.

Command Execution: Issues destructive system commands to disable recovery mechanisms (vss admin and wmic commands).

Ransom Message: Generates README.txt files in targeted directories with ransom instructions.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

The threat actor included contact details in the ransom note, instructing the victim to join a Discord server (the invite may have expired, or it could be possible that each victim is directed to a different server).

Additionally, the use of Spanish in the code suggests that the developer may be a Spanish speaker.

MITRE FRAMEWORK
Tactic ID Technique
Execution T1059 Command and Scripting Interpreter
Execution T1106 Native API
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1112 Modify Registry
Credential Access T1552.001 Unsecured Credentials: Credentials in Files
Discovery T1012 Query Registry
Discovery T1033 System Owner/User Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Collection T1005 Data from Local System
Collection T1074 Data Staged
Command and Control T1071 Application Layer Protocol
Impact T1486 Data Encrypted for Impact
Impact T1490 Inhibit System Recovery
Impact T1491 Defacement

CONCLUSION

The emergence of “Windows Locker” ransomware highlights the need for robust cybersecurity measures to combat increasingly sophisticated threats. CYFIRMA’s intelligence emphasizes the importance of enhancing endpoint protection, segmenting networks, and maintaining secure, offline backups to reduce ransomware risks. Monitoring for registry changes, file extensions, and abnormal behaviors will help identify attacks early. Additionally, fostering a culture of security awareness through regular training can prevent social engineering attacks. Rapid containment, restoring from secure backups, and blocking malicious communications are crucial to minimizing attack impact. By integrating CYFIRMA’s threat intelligence and following the outlined strategic, tactical, and operational recommendations, organizations can strengthen defenses against “Windows Locker” and similar threats. A proactive approach, swift response, and continuous adaptation to emerging tactics are key to protecting sensitive data and ensuring business continuity.

RECOMMENDATIONS

Strategic Recommendations:

Comprehensive Cyber Hygiene Program:

  • Review and Strengthen Endpoint Protection: Ensure that all endpoints are equipped with robust, up-to-date antivirus and endpoint detection and response (EDR) solutions capable of detecting .NET-based malware and sophisticated ransomware like “Windows Locker.”
  • Network Segmentation and Isolation: Implement or refine network segmentation practices to limit the spread of ransomware across systems. Ensure that sensitive systems are isolated from general employee networks, especially those with access to critical data or infrastructure.
  • Backup Strategy Review: Ensure that robust, encrypted backups are regularly created and stored offline or in a secure cloud environment. Test recovery processes to verify that backups are not susceptible to ransomware attacks (i.e., by ensuring that backup systems are isolated from your main network).

Threat Intelligence Integration:

  • Enhanced Threat Intelligence Sharing: We recommend increasing the frequency of updates from our team to your SOC. This will ensure that the latest IOCs, tactics, and techniques related to emerging ransomware like “Windows Locker” are promptly incorporated into your defenses.
  • Incorporate Threat Intelligence into Incident Response: Integrate threat intelligence into your incident response (IR) plan, ensuring that all relevant IOCs and Tactics, Techniques, and Procedures (TTPs) from this report are added to your SOC’s detection rules and automated responses.

Tactical Recommendations:

Detection and Monitoring:

  • Registry Key Monitoring: Continuously monitor and alert on any changes to critical registry keys, particularly those under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which are commonly targeted by persistence mechanisms in ransomware attacks.
  • File Extension Watchlist: Implement detection mechanisms to flag the creation of files with unusual or new extensions such as .winlocker. This could involve using file integrity monitoring (FIM) tools or implementing heuristic file scanning within your endpoint security suite.
  • Command-Line Monitoring: Regularly monitor command-line activity on systems for any unusual behavior such as the execution of system commands that disable security tools (e.g., vssadmin delete shadows or netsh advfirewall) or the creation of hidden files.

Ransomware-Specific Detection:

  • Behavioral Analysis and Heuristic Detection: Utilize advanced malware sandboxes or behavioral analysis tools that can detect the patterns associated with the “Windows Locker” ransomware, such as file renaming (e.g., adding the .winlocker extension), encryption activity, and changes to system defenses (e.g., disabling Windows Defender).

User Awareness and Phishing Training:

  • Security Awareness Training: Given that many ransomware infections are the result of phishing campaigns or social engineering attacks, it’s critical to conduct regular user training on recognizing malicious attachments and links, especially those that may initiate ransomware downloads.
  • Phishing Simulations: Run periodic phishing simulations to test employees’ ability to recognize and report suspicious emails. This will help reduce the risk of initial compromise through phishing.

Operational Recommendations:

Incident Response and Containment:

  • Isolate Infected Systems Immediately: In the event of an infection, swiftly isolate affected systems from the network to prevent further spread of the ransomware. This can be achieved by disabling network interfaces or blocking traffic to critical systems.
  • Recover From Clean Backups: Once the infected systems are contained, use trusted, offline backups to restore the encrypted files and data. Ensure that these backups have been verified for integrity and security before restoring.
  • Forensic Investigation: Conduct a thorough forensic investigation to identify how the ransomware entered the system and to determine any other systems that may have been compromised. Pay close attention to network traffic, log files, and any command execution traces that can indicate the attack’s origin.

Post-Incident Recovery:

  • Reinforce Endpoint Protection: After an attack, ensure that all systems are fully patched, and endpoint protection is up-to-date. Reassess your security posture and implement lessons learned from the incident to enhance future defense mechanisms.
  • Enhance Endpoint Detection and Response (EDR): Given that “Windows Locker” relies on modifying registry keys, executing system commands, and encrypting files, ensure that your EDR solutions have behavioral analysis capabilities to detect such activities in real-time and trigger alerts.

Collaboration with Law Enforcement:

  • Report the Incident: If your organization falls victim to the ransomware, consider reporting the incident to local law enforcement or appropriate cybercrime units, especially if the attack appears to be part of a larger, organized cybercrime group.

List of IOCs

No Indicators Remarks
1. 1f32f454ba32de5e0b7ed429b3542cdb0a9f826f5f5146f206baf074ec1abfe0 Block
2. hXXps://y2kid[.]xyz/mainpage/internets.jpg Monitor