PrisonLocker – a Step Up From Cryptolocker

The security research group Malware Must Die (MMD) has reported on a new ransomware trojan called PrisonLocker (also called PowerLocker). MMD has been monitoring its evolution since spotting a message on the underground forums in November. 

"For a while now," announced _gyx, 20 November 2013, "I have been working on a Window locker as my first C project, and I would like to alert you about my product that I will be selling. Keep in mind that this thread is simply collecting a good sense of interest in a non-expensive, native language, functional Window locking malware. I have now completed the entire project, except for the GUI which will be displayed on the window. Once I have this I will move on to selling this product." gyx goes on to give a projected price of $100, and asked for help on developing the GUI.

On 7 December he announced that he had "hired someone to do this, they are working right now", and that he had added file encryption to the functions. That encryption uses AES to encrypt all files, other than EXEs and system files, on hard drives and shared files. Each file has its own AES key, and each AES key is encrypted with 2048-bit RSA, "making the encryption practically uncrackable." He goes on to add, "It has been shown that cryptolockers are very successful because without paying, the user has no chance of recovering files (so paying is in their best interest)."

On 19 December gyx introduced his new partner via Pastebin, "Porphyry (admin of maldev.net). He is coding the panel and helping with the GUI, and is helping with sales. He is my partner, but I am the coder of the main locker and encryption modules." The name now seems to have changed to 'PowerLocker'. Expect release very soon, adds gyx.

But while gyx has been developing the malware, Malware Must Die has been tracking gyx. It believes that gyx is also the author of the Wenhsl Security Blog: "'our suspect' was pretending (or) to be a researcher." MMD has now passed its findings to law enforcement since, if released, PrisonLocker has the potential to be a real "headache for researchers, industry and LEAs."

One of the interesting features of the malware is its very low cost at just $100. Dell SecureWorks estimated that CryptoLocker's haul would have been just shy of $1 million in only 100 days. To match this, gyx will need to make 10,000 sales of PrisonLocker over every similar period – which hardly seems likely. Why, then, does he not go it alone and keep all the revenue for himself?

ESET senior research fellow David Harley is a little puzzled by this. "I can see there might be some perceived advantage in being one step removed from the actual crime against a real victim – supplying the weapon instead of being the mugger – but $100 is very low," he told Infosecurity. "On the other hand, I suppose if the guy is trying to build a ‘reputation’ he’s going to aim low at this point."

Luis Corrons, technical director at PandaLabs, also thinks the author may have an eye to the future. "Yes, $100 sounds really cheap, I would say a normal 'market' price would be more like $1000 at least. However it does not mention anything about updates – which means that each $100 gives you only one shot; and after a few hours/days all security software will be detecting it and cybercriminals will need a new binary... which means they have to pay another $100."

But whatever the price motivation, if PrisonLocker is genuine and not some extended and convoluted research project, it is a very nasty piece of malware. The best solution won't be detection after release, but prevention, by LEAs, before release. And that is why Malware Must Die has handed its dossier to law enforcement with the exhortation, "please don't let this malware [be] spotted in the wild" because based on current evidence "serious damage will be occurred for sure."