SonicWall Security Center


Elmers Glue Locker demands $35k but fails to encrypt! (May 26th, 2017)



Description


Another day, another ransomware. This time the SonicWall Threats Research team has found an ambitious new ransomware family, Elmer's Glue Locker, that appears to be in early development. So early, in fact, that it drops ransom notes and demands payment without encrypting a single file.

Infection Cycle:

The Trojan uses the following icon and metadata:

The Trojan performs no network communication.

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Local\Packages\Microsoft.BingFoodAndDrink_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.BingHealthAndFitness_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.MoCamera_cw5n1h2txyewy\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.WindowsReadingList_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt

HOW_CAN_I_DECRYPT_MY_FILES.txt contains the following text:

      Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.

      Encryption was prodused using unique public key for this computer.
      To decrypt files, you need to obtain private key and special tool.

      To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
      Depending on your operation system version and personal settings, you can find it in:
      'C:/',
      'C:/ProgramData',
      'C:/Documents and Settings/All Users/Application Data',
      'Your Desktop'
      folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').

      Then send it to one of following email addresses:

      begins@colocasia.org
      bilbo@colocasia.org
      frodo@colocasia.org
      trevor@thwonderfulday.com
      bob@thwonderfulday.com
      bil@thwonderfulday.com

      Your ID: {REMOVED}#4FDBF87A34166C70955ED0ECBC1DDFCD

      Do not worry if you did not find key file, anyway contact for support.
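The dropped-file list and the ransom note above give two host-side artifacts worth hunting for: the note itself under each UWP package's RoamingState folder (on a standard install those folders live under %LOCALAPPDATA%\Packages), and a `*.key.~xdata~` file in the drive root, ProgramData or Desktop locations the note names. The following triage script is an added example written for this page, not SonicWall's or the malware author's code. The on-disk layout it builds for itself, the victim ID and the key-file name are constructed for the demo; the note wording, filenames and contact addresses are taken from the alert.

```python
# Added example (not SonicWall's code): triage script for the Elmer's Glue Locker
# artifacts listed in the alert. It searches the UWP package RoamingState folders
# for the ransom note, checks the locations named in the note for a '*.key.~xdata~'
# file, and pulls the contact addresses and victim ID out of the note.
# The sample layout built by build_constructed_sample() is made up for this demo;
# the note text, filenames and e-mail addresses come from the alert itself.
import re
import tempfile
from pathlib import Path

NOTE_NAME = "HOW_CAN_I_DECRYPT_MY_FILES.txt"
KEY_SUFFIX = ".key.~xdata~"
# Contact addresses quoted in the note; matching any of them is a strong hit.
ACTOR_EMAILS = {
    "begins@colocasia.org", "bilbo@colocasia.org", "frodo@colocasia.org",
    "trevor@thwonderfulday.com", "bob@thwonderfulday.com", "bil@thwonderfulday.com",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ID_RE = re.compile(r"Your ID:\s*(\S+)")


def parse_ransom_note(text: str) -> dict:
    """Extract the contact addresses and victim ID from a ransom note body."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    match = ID_RE.search(text)
    return {
        "emails": emails,
        "victim_id": match.group(1) if match else None,
        "actor_match": bool(ACTOR_EMAILS.intersection(emails)),
    }


def scan_host(packages_dir: Path, key_roots: list) -> dict:
    """Look for both artifact types at the locations named in the alert.

    packages_dir: the Packages folder (on a real host, %LOCALAPPDATA%\\Packages).
    key_roots:    directories to check, non-recursively, for '*.key.~xdata~'
                  (C:\\, C:\\ProgramData, the all-users Application Data folder
                  and the user's Desktop on a real host).
    """
    notes = []
    for note in packages_dir.glob(f"*/RoamingState/{NOTE_NAME}"):
        parsed = parse_ransom_note(note.read_text(encoding="utf-8", errors="replace"))
        parsed["path"] = str(note)
        notes.append(parsed)
    key_files = [
        str(p) for root in key_roots if root.is_dir()
        for p in root.iterdir() if p.is_file() and p.name.endswith(KEY_SUFFIX)
    ]
    return {"notes": notes, "key_files": key_files,
            "infected": bool(notes) or bool(key_files)}


# Shortened copy of the note from the alert; the victim ID is made up.
SAMPLE_NOTE = """Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
Then send it to one of following email addresses:
begins@colocasia.org
bilbo@colocasia.org
trevor@thwonderfulday.com
Your ID: PC-EXAMPLE01#00112233445566778899AABBCCDDEEFF
"""


def build_constructed_sample(root: Path) -> None:
    """Lay out a fake victim profile (constructed for this demo) under root."""
    pkg = root / "Packages" / "Microsoft.BingFoodAndDrink_8wekyb3d8bbwe" / "RoamingState"
    pkg.mkdir(parents=True)
    (pkg / NOTE_NAME).write_text(SAMPLE_NOTE, encoding="utf-8")
    # A RoamingState folder without the note, to show it is not reported.
    (root / "Packages" / "Microsoft.MoCamera_cw5n1h2txyewy" / "RoamingState").mkdir(parents=True)
    program_data = root / "ProgramData"
    program_data.mkdir()
    (program_data / "PC-EXAMPLE01.key.~xdata~").write_bytes(b"\x00" * 32)  # made-up key blob
    (program_data / "unrelated.txt").write_text("not an artifact")


def run_demo() -> dict:
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_sample(root)
        # root stands in for C:\, the other two for C:\ProgramData and the Desktop.
        return scan_host(root / "Packages", [root, root / "ProgramData", root / "Desktop"])


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a live host, point `scan_host` at `Path(os.environ["LOCALAPPDATA"]) / "Packages"` and at the real drive root, ProgramData and Desktop folders. Because this sample encrypts nothing, a hit on the note or key file is the only host evidence; the `actor_match` flag separates this family's note from the many look-alike notes that reuse the same filename.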

It displays the following information on the desktop background:

It demands that the user send a hefty 16 Bitcoins to 14Vbyx3SCUvLKj3FWWefEVWAs4jJ9R2qqi (over $35,000 USD at the time of writing) for file recovery.

The message directs the user to a site hosted on the Tor network:

      http://torbox3uiot6wchz.onion

This leads to the following site:

As one would expect from ransomware that never encrypts anything, the supplied Bitcoin address shows no transaction activity:

Although this sample performed no file encryption when we analysed it, the threat is still significant: the note, the key-file lookup and the payment flow are already in place, and we expect the authors to add working encryption in the near future.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: ElmerLocker.RSM (Trojan)



© 2017 SonicWall