The target is now Android: ransomware SLocker imitates WannaCry and can infect smartphones

In terms of internet attacks, this has been a year in which ransomware has gained a lot of notoriety. One strain, detected a month ago, is SLocker, which copies the WannaCry graphical interface. It comes from one of the oldest families of locking ransomware with file encryption, and draws attention for the means it uses to persuade victims to pay the ransom.

After being gone for a few years, SLocker had a sudden resurgence last May, with a variant that is one of the first file-encrypting ransomware strains targeting Android, and the first mobile ransomware to take advantage of the wave that came with WannaCry.

Until then, data-hijacking attacks had exploited vulnerabilities in Windows, in particular Windows 7. Trend Micro provided some details about SLocker.

Although this variant of SLocker was surprising in that it encrypts files on the phone, the “outbreak” was fairly brief. Shortly after details about it were published, tools to get rid of the threat were made available. But soon, more variants were found.

Five days after initial detection, a suspect in the ransomware case was arrested by Chinese police. Fortunately, due to limited transmission channels, the number of victims was very low, reports Trend Micro, which obtained a sample of the malicious software distributed under the name King of Glory Auxiliary.

It was disguised as a cheating tool for the game King of Glory, which, by the way, became so addictive that the developer was pressured to limit the hours of play. That makes it great bait for attracting unsuspecting users who are eager to get a gaming edge.

This ransomware hides in applications such as game guides, video players, and so on. When first installed, its icon looks like that of a normal game guide or cheating tool. When run, the application changes its icon and name, along with the wallpaper of the infected device.

It then finds the device’s external storage directory and looks for files that meet some specific requirements, such as being larger than 10 KB and smaller than 50 MB. This technique avoids encrypting system files and focuses on things downloaded from the internet: images, texts and videos. The ransomware tells victims that the decryption key will be sent after the ransom has been paid.

After the initial propagation of the ransomware, more and more variants appeared. However, according to Trend Micro, the ransomware itself is relatively simple. In fact, it seems to be quite easy for a security engineer to reverse the ransomware and find a way to decrypt the files.

However, the rapid emergence of new variants is troubling, and shows that criminals are not too frightened, even if a suspect has been arrested.

I am a lecturer at the University of Economics in Bratislava, Department of Banking and International Finance. I have a Ph.D. academic degree; my dissertation was focused on major markets. Commodities and stock markets are also the main focus of my research and publication activities. I have approximately 10 years of investing experience. My investments mostly focus on small- to mid-cap companies in the energy, financial and technology sectors.