ZeroLocker's operators put a positive spin on the same coercive technique, promising an "early bird" price of $300 for a "license" to the decryption key within five days of infection. After that, the price rises to $600, before peaking at $1,000 after 10 days of non-payment.
According to Kaspersky Lab researcher Roel Schouwenberg, ZeroLocker stands out from other similar attacks as it indiscriminately encrypts files.
"ZeroLocker adds a .encrypt extension to all files it encrypts. Unlike most other ransomware ZeroLocker encrypts virtually all files on the system, rather than using a set of pre-defined filetypes to encrypt. It doesn't encrypt files larger than 20MB in size, or files located in directories containing the words 'Windows', 'WINDOWS', 'Program Files', 'ZeroLocker' or 'Desktop'. The malware gets executed at boot from C:\ZeroLocker\ZeroRescue.exe," Schouwenberg noted.
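The traits Schouwenberg lists (the `.encrypt` extension, the 20MB cut-off, the excluded directory words and the boot-time executable path) are enough for a responder to check whether a host's encrypted files actually fit ZeroLocker's pattern. The following is an added triage script, not code from Kaspersky Lab or from the malware; the sample directory tree it builds is constructed for the demo, and the size of each file is assumed to survive encryption closely enough for the 20MB check.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".encrypt"                       # extension appended to every encrypted file
EXCLUDED_WORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
MAX_SIZE = 20 * 1024 * 1024                      # files above this are skipped by the malware
PERSISTENCE_EXE = Path(r"C:\ZeroLocker\ZeroRescue.exe")  # executed at boot

def in_excluded_dir(rel_path) -> bool:
    """True if any directory component contains an excluded word (case-sensitive, as quoted)."""
    return any(w in part for part in Path(rel_path).parent.parts for w in EXCLUDED_WORDS)

def triage(root, persistence_exe: Path = PERSISTENCE_EXE) -> dict:
    """Count .encrypt files under root and flag any that ZeroLocker would not have produced.
    Directory words are checked relative to root; scan from the drive root to mirror the malware."""
    root = Path(root)
    encrypted, inconsistent = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if p.suffix != ENCRYPTED_EXT:
                continue
            encrypted.append(p)
            # An encrypted file inside an excluded directory, or above the 20MB
            # cut-off, does not match the described behaviour: suspect another family.
            if in_excluded_dir(p.relative_to(root)) or p.stat().st_size > MAX_SIZE:
                inconsistent.append(p)
    return {
        "encrypted": len(encrypted),
        "inconsistent": len(inconsistent),
        "persistence_present": persistence_exe.exists(),
        "matches_zerolocker": bool(encrypted) and not inconsistent,
    }

def build_sample_tree(with_excluded: bool) -> Path:
    """Constructed sample tree (no real victim data) in a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="zl_triage_"))
    files = {"Users/alice/Documents/report.docx.encrypt": 1024,
             "Users/alice/Pictures/holiday.jpg.encrypt": 2048,
             "Users/alice/Documents/todo.txt": 16}          # left untouched
    if with_excluded:
        files["Windows/System32/drivers.encrypt"] = 64      # in an excluded directory
    for rel, size in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"\0" * size)
    return root
```

A result with `encrypted > 0`, `inconsistent == 0` and the persistence executable present is the combination to expect on a genuine ZeroLocker host; any inconsistent files are worth a closer look before attributing the incident.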
Victims of course need to decide for themselves whether to pay the ransom, and while most security experts and law enforcement advise against payment, some victims inevitably do pay to resolve the issue — even police departments.
But in this case, according to Schouwenberg, even though ZeroLocker victims probably won't be able to crack the secret key, they should not pay the fee either, due to a botched implementation of the botnet used to control infections.
"The malware generates one random 160-bit AES key to encrypt all the files with. Due to the way the key is generated the key space is somewhat limited, though still large enough to make general brute forcing unfeasible.
"After encryption the malware runs the cipher.exe utility to remove all unused data from the drive, making file recovery much harder. The encryption key, together with a CRC32 of the computer's MAC address, and the associated Bitcoin wallet is sent to the server.
"Interestingly enough, the encryption key along with the other information is sent through a GET request, rather than a POST. This results in a 404 on the server. This could mean that the server is not storing this information. That means victims who pay up may likely not see their files restored."
Schouwenberg speculated that these bugs may be why Kaspersky Lab hasn't detected many infections yet, and why its inspection of the Bitcoin wallet addresses associated with the botnet isn't showing any transactions.