1. Symantec/
  2. Security Response/
  3. Trojan.Ransomlock


Risk Level 1: Very Low

April 15, 2009
August 6, 2015 3:51:32 PM
Also Known As:
Trojan:W32/Agent.AF [F-Secure]
Infection Length:
Systems Affected:
1. Prevention and Avoidance
1.1 User Behavior and Precautions
1.2 Patch Operating System and Software
2. Infection Method
3. Variants
3.1 Police Ransomware
3.2 Software Warning
3.3 Pornographic Material
4. Functionality
4.1 Lock Screen
4.2 Disabling Input Devices
4.3 Encryption
4.4 Extortion Methods
4.5 Mistakes
4.6 Payment
4.7 Network Activity
5. Additional Information
5.1 Evolving Business
5.2 Crimeware Kits
5.3 Resources

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Only visit and download software from trusted websites.

Regularly back up the data stored on you computer. If you become infected with a version of Ransomware, you will still have access to your personal files.

Do not click on any links or banners if you are not completely sure that they are from a trusted source. This threat is often spread by malicious links in emails, as well as advertisement banners on websites. What can look like a harmless advertisement or link can actually lead to a website where malicious software is downloaded. Hovering over a link with the mouse pointer will normally show where the link leads to. Users can also check online Web site rating services such as safeweb.norton to see if the site is deemed safe to visit.

Never install programs on your computer if you do not know where they come from. Be suspicious of websites that ask you to install or update software, drivers or codecs. While the website's request might be legitimate, there is no harm in doing a quick Internet search to find out if your software is really out of date. It is common, and easy, for malware authors to fake images and logos from well-known companies.

Do not pay any money. Even if the ransom is paid, there are no guarantees the criminals behind the malware will unlock the compromised computer.

If you are a victim of Ransomware, report it immediately to your local police and the payment processor involved. Law enforcement agencies throughout the EU and around the world work together to disrupt the activities of identity fraudsters and bring scammers to justice. The more information you give to the authorities, the more effectively they can target the most dangerous criminal organizations.

1.2 Patch operating system and software
Ransomware is often installed through drive-by-downloads to websites hosting exploit kits. To avoid this, users are advised to ensure that their operation systems and any installed software are fully patched, antivirus and firewall software are up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.

This threat is distributed through several means. Malicious websites, or legitimate websites that have been compromised, may drop the threat onto a compromised computer. This drive-by-download often happens surreptitiously and is commonly associated with pornographic sites. Another method used to propagate this type of malware is spam email containing infected attachments or links to malicious websites. The threat may also be downloaded manually by tricking the user into thinking they are installing a useful piece of software. Ransomware is also prevalent on peer-to-peer file sharing websites and is often packaged with pirated or illegally acquired software.

There are several common techniques utilized by criminals to force users into paying a ransom to have their computer unlocked. We will look at these different social engineering methods in more detail.

3.1 Police Ransomware
There are several forms of this threat, each using different techniques in order to succeed in claiming the demanded fee. One of the most common techniques used involves the computer displaying a screen masquerading as an official notice from the police or a government agency. This technique, known as Police Ransomware, states that illicit material has been discovered on the compromised computer and a fine must be paid in order to have it unlocked.

3.2 Software warning
Another technique used by Ransomware displays a notice claiming to be a warning from a legitimate software company. The message warns that the user's license is not valid and that in order to unlock the computer a new license must be paid for. The criminals behind these threats keep them updated with the current trends. The German lock screen for Trojan.Ransomlock.V fraudulently claims to be a Microsoft warning stating that the Windows license on the compromised computer has expired and that a new one can be purchased for €50, or if preferred, an upgrade to Windows 8 for €100.

3.3 Pornographic material
Yet another one of the methods used to coerce users into paying the ransom tries to scare or embarrass the user by stating that pornographic material or illegal/unlicensed software is present on the computer and that if a fee is not paid the material will be reported to the authorities. The difference between this method and Police Ransomware is that pornographic images may also be displayed on screen, as with Trojan.Randsom.A, in the hope that the user will be too embarrassed to seek help from a computer specialist or report to the authorities and will pay the ransom.


4.1 Lock screen
The Ransomlock family of threats attempt to restrict access to a compromised computer. A lock screen is then displayed demanding a monetary fee, or ransom, in order to have access restored. The lock screen or message can be displayed in several ways. One method is for the Trojan to download a country specific image, relevant to the location of the computer. The screen is tailored to the user's geographical location. Using the compromised computer's IP address, the threat retrieves a localized image to be displayed. A lock screen with the country specific police force logo is displayed as well as a message in the appropriate language.

Another method is for the threat to change the desktop image, and another is for the Trojan to display a persistent inline advertisement on every Web page the user visits.

4.2 Disabling input devices
Some variants, such as Trojan.Ransomlock.D and Trojan.Ransomlock.F, lock the compromised computer and then disables the keyboard and mouse. The keyboard's number pad remains functioning in order for the unlock code to be entered.

4.3 Encryption
The Ransomlock family of threats belong to the wider category of Ransomware. This type of malware ranges in severity from malicious programs that lie about taking the user's files hostage, in the hope that they will pay a small fee, to programs that encrypt the user's files using military grade encryption and ask for thousands of dollars in order to decrypt them. Earlier examples of Ransomware used symmetric encryption, storing the encryption key within the malware code itself. Modern encrypting Ransomware has become more advanced in its methods and uses asymmetric 1024 bit encryption, which is virtually impossible to break.

4.4 Social engineering methods
The message used by Ransomware may state that the computer has been used to access websites that contain illicit content, such as pornography, and a fine must be paid to have the computer unlocked. In some instances, a time limit is given for the user to pay the ransom. If the payment is not made within that time the message may state that the user will be arrested or that legal proceedings will be initiated, or that the evidence will be passed on to the authorities.

The message will typically include the following elements:
  • Citation of various laws
  • A statement of what the user is accused of having done
  • What has happened to the user's computer
  • The amount of the fine/ransom
  • A time limit for payment and the consequences if this is not met
  • Details on how to pay

These elements combine to present a strong call to action to the user.

Display of embarrassing content
Another method used to coerce the user into paying the ransom is to display pornographic images on the compromised computer's screen. This is in the hope that the user will be too embarrassed to approach anyone for help and will pay the ransom in order to unlock the computer and have the graphic images removed.

Audio output

Other variations, such as Trojan.Ransomlock.Y, download an MP3 file that is played continuously, audibly warning the user that their computer has been locked.

Image capture

Ransomware threats, like Trojan.Ransomlock.G for example, sometimes use the webcam of the compromised computer to take still images of the user. These images are displayed alongside the ransom message and are used as another means of coercion by threatening their use as evidence in the impeding, and fictional, court case against the user if they decide not to pay the fee.

4.5 Implementation errors

A close look at the details of the lock screens can sometimes reveal inconsistencies such as the Irish lock screen for Trojan.Ransomlock.Q, which displays a message in Irish Gaelic, historically the national language but now only spoken by a very small percentage of the population.

4.6 Payment

Payment is requested by online electronic cash payment systems. These legitimate companies offer a method to pay for online transactions without using a credit card or providing any personal details. A payment voucher is purchased for cash. The voucher has a number printed on it and this number is then given to a vendor (or malware author in this case) for goods or services. Once the number is received it can be exchanged for cash. This is ideal for the criminals behind Ransomware as it is difficult for the transaction to be traced back to them. A less common form of payment is by the user sending a premium rate text messages containing a code given to them. Another code is then apparently returned to the user, enabling the compromised computer to be unlocked.

4.7 Network Activity
The Trojan may attempt to contact the following URL to determine the geographical location of the computer:

The threat may perform the following network activities.

The threat may download other malware in order to steal information from the compromised computer.

The Trojan may also connect to one of the following URLs to retrieve the image used for the lock screen/ransom message:
  • [http://][RANDOM]/pictu[REMOVED]
  • [http://]joonwalker.com/unser1/redirector/redirec[REMOVED]
  • [http://]joonwalker.com/unser1/universalpanel/gate[REMOVED]

The Trojan may attempt to connect to one of the following remote locations in order to download commands from a malicious server:
  • [http://]spatbe-w.com/[REMOVED]
  • [http://]qoa-a.com/[REMOVED]
  • [http://]horad-fo.com/[REMOVED]
  • minkosoft.in
  • mifkrosoft.in
  • explorerie3.in
  • explorerie4.in
  • explorerie5.in}

It may also steal information from the computer and upload it to the following remote locations:
  • [http://]cndroaayghmf.com/de/2/gate.php
  • [http://]xmeplogvybzr.com/gate.php
  • [http://]xjwsmvrpeprt.ru/gate.php
  • [http://]fwhgxivtfrgq.com/gate.php
  • [http://]sxnykimafhbj.com/gate.php


5.1 Evolving business

Fake antivirus (FakeAV) is malware that intentionally misrepresents the security status of a computer and then attempts to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. This type of malware was very profitable for the groups of criminals operating the scams. FakeAV has been circulating for several years and has become less effective due to people becoming aware of it. Law enforcement agencies have cracked down on the FakeAV industry and this has made it difficult for the criminals to continue to make the same kind of profit as before. This is a possible reason for the increase and global spread of Ransomware. The criminals has shifted their business towards this new type of malware scam.

Compared to FakeAV, Ransomware is more direct and with a strong call to action to solicit a response from the user. Whereas a warning about fake viruses infecting a computer can be ignored, a locked computer is more difficult to put to one side.

5.2 Crimeware kits
Ransomware is now a truly international problem. This type of malware is used for large money making businesses. It is relatively easy for criminals to begin using Ransomware by purchasing Crimeware kits. These kits are bundled software packages that are sold on underground online forums and include everything needed to create and administer a specific type of malware. Ransomware crimeware kits are available and contribute to the continued spread of this type of malware. The kits advertise their features and even offer technical support.

5.3 Resources
For more information relating to this threat family, please see the following resources:


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: John-Paul Power
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube