The SLocker malware family is one of the oldest lock-screen and file-encrypting bugs, known for impersonating law enforcement agencies to convince victims to pay a ransom. Now, a new variant is taking a page from the infamous WannaCry ransomware.
According to Trend Micro, the variant adopts the WannaCry GUI, and is notable for being an Android file-encrypting ransomware. That makes it the first mobile ransomware to capitalize on the success of the previous WannaCry outbreak.
The original sample captured by Trend Micro was named King of Glory Auxiliary, which was disguised as a cheating tool for the game King of Glory. When installed, it has a similar appearance to WannaCry.
“This ransomware disguises itself as game guides, video players and so on in order to lure users into installing it,” said Trend Micro researcher Ford Qin, in an analysis. “When installed for the first time, its icon looks like a normal game guide or cheating tool. Once the ransomware runs, the app will change the icon and name, along with the wallpaper of the infected device.”
The ransomware avoids encrypting system files, and instead focuses on downloaded files and pictures, and will only encrypt files that have suffixes (text files, pictures, videos). The ransomware presents victims with three options to pay the ransom, but all of these lead to same QR code that asks the victims to pay via QQ, a popular Chinese mobile payment service). If victims refuse to pay after three days, then the ransom price will be raised. It threatens to delete all files after a week.
While this SLocker variant is notable, decrypt tools were quickly published as it was also relatively easy to reverse-engineer. Its author was also apprehended in China. Even so, more variants of the same stripe have been found in the time since.
“The proliferation of new variants so quickly after the first one shows that these malicious actors are not slowing down,” Qin said. “Even though a suspect was caught, more advanced ransomware may be just around the corner.”