A lot of people, located around the world, have been infected with ransomware - a type of malware that encrypts computer files and demands payment to have them unlocked. Some professionally written ransomware has been so financially successful for their authors, such as Locky and Cerber, that many others have begun to emerge to take a piece of the pie.
The researchers of the ART team at Fortinet have recently discovered a new malware. While it still locks the user's computer and demands they follow instructions to have it unlocked, this time it doesn’t require them to pull out their wallets to pay a ransom. Instead, it forces them to take a tedious survey in order to unlock their computers.
So, of course: A survey of this malware is in order.
This malware blocks the victim’s desktop and claims that it has been “LOCKED.” It also asks the user to complete an online survey in order to get the password that unlocks the computer. The picture below shows what the desktop looks like after infection.
Figure 1 Instructions Screen
This malware also does not support 64-bit systems, and it instead displays an error, shown in the figure below, when we try to run it.
Figure 2 No support for 64 bit systems
Before the malware performs its malicious locking behavior, it first checks the following registry key’s ‘Shell’ value and matches to the string ‘explorer.exe’
On WinXP x86, the registry key reads “Explorer.exe” and the malware fails to match the desired string and skips modifying the registries. The lock, however, is fully functional on a Win7 x86 system.
After the user clicks the “Get Password” button, the PC locker malware opens the user’s default browser and attempts to connect to the survey website. However, this website is no longer accessible. We queried the history of the domain and discovered that it has actually not been active for over two years, as shown below. Given that this malware is new, and the website it tries to connect to has been inactive for a long time, we suspect that this may mean that the malware author(s) is only testing this new variant, and it’s not ready to be officially released.
Figure 3 Domain History
Although the survey website is down, after digging through the code we were able to easily retrieve the hard-coded password, as shown in figure 4, below. The malware is written in .NET.
Figure 4 Password to Unlock
By entering the hard-coded password (“london1969paris”) in the box “Enter password here,” and clicking “Unlock,” the instruction window immediately disappears from the screen.
Clicking the “Administrator” button causes an administrator login window to open, as seen below.
Figure 5 Admin Login Window
The administrator’s username (“pchip2012”) and password (“s2m2sug1”) are also hard-coded into the malware, as follows:
Figure 6 Administrator Username and Password
After filling in the username and password fields with the data uncovered in the malware code, the PC Locker 3.1 - Administrator control panel pops up. The figure below shows that it has three features: “Restore registry,” “Log off,” and “Close”.
Figure 7 Administrator Control Panel
This locker demands users to fill out a survey, as opposed to making a traditional BitCoin payment, and presumably, that data could be used to profile the users. It is also currently only fully functionality on select systems. However, we suspect that this new locker family may return in a more dangerous version in the near future, and will likely be able to do some real damage. The ART team will continue to track the development of this family and share information once new discoveries are made.
Fortinet AV Detection Signature: W32/PCsurveyLocker.HK!tr