Beware PowerLocker Ransomware

Chatter on underground forums traces development of Blowfish-based shakedown malware that encrypts infected PCs.

Mathew J. Schwartz, Contributor

January 7, 2014

4 Min Read
PowerLocker's "Ghost Panel."

A new generation of ransomware known as PowerLocker -- aka Prison Locker -- is designed to lock PCs using uncrackable crypto.

That warning was sounded Friday by Malware Must Die, a group of self-styled anti-malware crusaders. "Malware bad actors just keep on coding and developing new threats with the stupid dream to get rich soon in their stupid heads," the group said in a blog post that detailed what they'd learned about PowerLocker's creator and about the malware's purported features and functionality.

In a Dec. 19 post to Pastebin, PowerLocker's developer said that his malware -- which was then due for imminent release -- used the Blowfish symmetric-key block cipher to encrypt all personal data stored on a PC, and then encrypted those ciphers using 2048-bit RSA encryption.

"A unique BlowFish key is generated for each file. That BlowFish key is then encrypted with an RSA key specific to the PC, then the RSA block is stored with the file to be decrypted later," said PowerLocker's developer, who uses the handle "gyx."

[What security trends do you expect to see this year? Read 7 InfoSec Predictions For 2014: Good, Bad & Ugly.]

Advertised PowerLocker features also include a customizable length of time before the bot uninstalls itself, the ability to customize the name and location of the malware file dropped during the infection, and the amount of money demanded by the ransomware before the data will be decrypted. Users -- meaning attackers -- can receive related payments via Bitcoin e-voucher codes as well as Ukash and Paysafe. "The bot has an HTTP panel which will be used to control slaves and receive payment codes entered by slaves," said the developer. "You can either approve or deny -- resetting the removal clock duration, specified by you during purchase -- a payment code, and then unlock/decrypt files on the PC -- identified by its IP."

PowerLocker costs $100, payable in bitcoins, while future upgrades -- or "rebuilds" -- will cost $25. Finally, a "ghost panel" -- referring to an innocuous-looking access panel that can be used to disguise the underlying malicious infrastructure on a server -- will cost $20.

Malware Must Die said that by publicizing the intelligence it's gathered on PowerLocker and its developer, it's not trying to stoke ransomware fear, uncertainty, and doubt. Rather, the group hopes that multiple law enforcement agencies and national computer emergency response teams will launch related investigations and nip PowerLocker sales in the bud. "If released... this will be more [of a] headache for researchers, industry and LEA -- law enforcement agencies," the group warned, "so after [an] internal meeting we decided to disclose it."

Indeed, PowerLocker's play is to offer low-cost ransomware attacks for the cybercrime masses. For comparison purposes -- as noted by Ars Technica -- previous types of ransomware largely appear to have been developed by a particular gang and used only by that gang.

Many previous types of ransomware have also been heavy on scare and social engineering -- aka trickery -- tactics, but they have not necessarily been difficult to defeat using anti-malware software. The Reveton malware, for example, may flash a "Threat of Prosecution Reminder" on the screen of an infected PC saying that their system has been locked after attempts to access child pornography or other illegal content were detected. But if the user agrees to pay a fine, typically in bitcoins or another virtual currency, the malware promises that the whole matter will be dropped. The malware may also be localized so that the warning is labeled as being from a relevant law enforcement agency -- for example, from the FBI for US-based targets.

Who would fall for such a scam? According to warnings issued by government agencies in the United States and abroad, law enforcement agencies have been besieged by complaints about the malware as well as confessions from consumers who have paid up. Last year, even one Massachusetts police department reportedly paid a related ransom to get its encrypted data back.

The NSA leak showed that one rogue insider can do massive damage. Use these three steps to keep your information safe from internal threats. Also in the Stop Data Leaks issue of Dark Reading: Technology is critical, but corporate culture also plays a central role in stopping a big breach. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights