The Alma Locker ransomware appeared recently and has joined the threats currently in circulation. It has a few features that set it apart: it uses Tor-hosted command and control servers, and while most ransomware of this kind spreads mainly through malicious spam email attachments, this sample is distributed through an exploit kit.
Alma Locker generates a random 5-character extension that is appended to encrypted files, along with a unique 8-character victim ID. The victim ID is derived from the serial number of the C:\ drive and the MAC address of the first network interface. Alma Locker then searches the victim’s drive letters for files with certain extensions and encrypts them with AES-128. Each encrypted file has the previously generated extension appended to its name. For example, if the extension associated with a victim is .a5zfn, then a file named test.jpg would be encrypted to a file named test.jpg.a5zfn.
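The naming scheme above (original extension kept, one random 5-character extension appended to every file of a victim) is itself a usable detection signal. The following is an added example, not code from the original write-up: it walks a directory tree, extracts any trailing 5-character suffix that follows a normal file extension, and reports suffixes shared by many files. The sample tree it builds is constructed for the demo; the lowercase-alphanumeric suffix pattern is assumed from the .a5zfn example in the text.

```python
import os
import re
import shutil
import tempfile
from collections import Counter

# Alma Locker appends a random 5-character extension after the original one,
# e.g. test.jpg -> test.jpg.a5zfn. Match <name>.<ext>.<5 chars>; the
# lowercase-alphanumeric class for the suffix is an assumption from the example.
ALMA_SUFFIX = re.compile(r"^(?P<base>.+\.[A-Za-z0-9]{1,5})\.(?P<suffix>[a-z0-9]{5})$")

def alma_suffix_of(filename):
    """Return the 5-character appended suffix if the name fits the pattern, else None."""
    m = ALMA_SUFFIX.match(filename)
    return m.group("suffix") if m else None

def find_suspect_suffixes(root, min_files=10):
    """Walk `root` and count 5-char suffixes seen on files that still carry an
    original extension. One suffix shared by many files matches the behaviour
    described for Alma Locker (one victim = one random extension)."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            s = alma_suffix_of(name)
            if s:
                counts[s] += 1
    return {s: n for s, n in counts.items() if n >= min_files}

def demo():
    """Constructed sample tree: 12 encrypted-looking files sharing one suffix,
    plus benign names that must not trigger. Returns the suspect suffix map."""
    root = tempfile.mkdtemp()
    try:
        sub = os.path.join(root, "Documents")
        os.makedirs(sub)
        for i in range(12):
            open(os.path.join(sub, f"report{i}.docx.a5zfn"), "w").close()
        for benign in ("notes.txt", "archive.tar.gz", "photo.png", "setup.exe.bak"):
            open(os.path.join(root, benign), "w").close()
        return find_suspect_suffixes(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())  # {'a5zfn': 12}
```

Run against a file share or backup snapshot, a non-empty result is a cheap early indicator that a host has started encrypting; raise `min_files` on trees where 5-character second extensions occur legitimately.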
While encrypting files, Alma Locker will skip files located in folders containing the following strings:
During the encryption process, Alma Locker sends the following information, base64 encoded, to the ransomware’s Command & Control server: the AES-128 key needed for decryption, the encrypted file extension, the user name, the name of the active network interface, the system Locale ID (LCID), the operating system version, the victim ID, the security software registered with Windows, and the time stamp of when the program was started. When it has finished, it displays a ransom note explaining what has happened to the victim’s files:
The ransom note contains links to the Tor payment site and a link to download a decryptor. When this decryptor is run, it connects to the Command & Control server and retrieves information such as the current ransom amount, whether a payment has been received, and how many hours are left in the five-day countdown.
Unfortunately, it appears that this free decryption is currently not working.