PrisonLocker + CryptoLocker = PowerLocker
This is a bit worrying:
Guaranteeing security merely means you’re clueless and dangerous. But it’s indicative of the panic around CryptoLocker.
Panic, of course, is a universal life force – it gives living energy to any inanimate object. When you add panic to any story, it gains a life of its own; it grows legs and runs.
Panic has now been added to PrisonLocker (AKA PowerLocker), a new encrypting malware being readied for release by a guy called gyx.
But if you read the original and excellent expose published last week by Malware Must Die, you cannot help but have a few questions. For example, each new announcement says release is imminent, but each new announcement doesn’t seem to bring it any closer.
Nor does the author sound much like the traditional hacker. His command of the written language is pretty good. There are relatively few typos or howling grammatical errors and the syntax is Anglo-Saxon – he’s probably British, or at least not American. He reads like a native English speaker. He spells ‘behaviour’ with a ‘u’ (an American or someone brought up on American-English would not), he writes created by the group “Romanian Antisec”. with the fullstop outside of the quotation marks (an American would put it inside).
So with a few questions of my own, I spoke to Fraser Howard, a security researcher with Sophos. He too was a little puzzled.
“Typically,” he explained, “ransomware falls into one of two camps. The first simply locks the user out; but data and files are not normally modified or encrypted. This is easy to deal with – once the malware is removed, the user is back to normal. It’s more of an annoyance than anything else, scaring the user into paying up.
“The second encrypts the users’ files. The ‘serious’ ransomware families do this, using cryptography correctly to securely encrypt files without leaving the key anywhere accessible. PowerLocker,” he added, “claims to do both lockout and encrypt.”
This is one of the things that puzzles him: why have both? “Seems a bit daft to me – why bother locking them out if you have encrypted their data? The author claims: ‘Even if the user is able to somehow get out of locker screen, files will still be encrypted with practically unbreakable encryption.’
Well, that’s just flawed, illogical thinking.
“It makes me suspicious – it’s indecisive. When I read claims like this, it makes me wonder if the author is actually very capable.” But that’s not all. “Some of the text in the other screenshots [from the Malware Must Die report] make me suspect the author’s skills. Talk about ‘UAC bypass’ and ‘admin privileges’ – well, that’s all very basic stuff used by most malware today.”
My guess is that PrisonLocker was originally intended to be purely locking ransomware. Given the success and publicity surrounding CryptoLocker, gyx decided to add encryption. Not wishing to abandon what he’d already done, he kept the original locking mechanism. But with encryption now perceived as the primary sales incentive, the ‘prison’ epithet was no longer adequate, so he changed the name to ‘power’ locker (crypto locker already being taken).
But there’s one other thing we could consider. gyx is suggesting a purchase price of $100 for his malware. Firstly, he doesn’t seem intent on using it himself. Secondly, that’s remarkably cheap – unless, of course, it’s a ‘loss-leader’ being used to break into a new market.
And that, frankly, is what it seems like to me. A competent and well-educated coder has turned to the dark side, and is using this ‘project’ to get in. He understands software, but he doesn’t necessarily understand malware nor the malware marketplace. He’s selling it rather than planning to use it himself in order to stay one remove from the hacking, infecting and stealing side of malware – he sees himself more as an underworld manager than an underworld foot-soldier.
But saying all that, if PowerLocker is as good (or as bad) as he describes, then it is going to be a dangerous piece of malware. If it’s taken up by some of the better organised criminal groups with access to 0-day exploits, or simply experienced in the use of exploit kits like Magnitude, then PowerLocker could easily become the next PanicLocker.