Researchers at Acronis, a private company that makes backup software and data protection solutions, have discovered a new variant of the DeriaLock ransomware for Windows that has one new trait: it demands that payment be made by Skype.
In a blog post, they said there were three functional parts to DeriaLock: a screenlocker, cryptolocker and a file eraser.
The screenlocker, when activated in certain variants, will lock the screen of a Windows computer and not allow a user access to files. However, the files themselves remain intact.
In variants where the cryptolocker is activated, the user's files are encrypted with a .deria file extension. The file eraser deletes files as some kind of punishment when the user reboots the computer.
DeriaLock is a .NET application and is written in Visual Basic. It requires administrative privileges and the .NET framework 4.5 to work.
The researchers said the cryptolocker used a hardcoded password to derive the AES-256 encryption key and the 16-byte initialisation vector. Because that password is fixed in the binary, it was possible to decrypt files without yielding to the ransom demand.
"To create the encryption key and initialisation vector, DeriaLock converts the password string (“b3f6c3r6vctb9c3n789um83zn8c3tb7c3brc3b5c77327tbrv6b123rv6c3rb6c7tc3n7tb6tb6c3t6b35nt-723472357t1423tb231br6c3v4”) into a byte array using the ASCII code for characters in the string and calculates the SHA512 hash. The first 32 bytes of the hash are the encryption key, the next 16 bytes — the initialization vector," they wrote.
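To make that derivation concrete, the following is an added Python example, not code from Acronis or from the malware: it reproduces the SHA-512 key/IV derivation described above and uses it to restore a .deria file. The cipher mode (AES-CBC), PKCS#7 padding and the output filename convention are assumptions, since the article does not state them.

```python
import hashlib
from pathlib import Path
from typing import Tuple

# Hardcoded password reported by Acronis for this DeriaLock variant.
DERIALOCK_PASSWORD = "b3f6c3r6vctb9c3n789um83zn8c3tb7c3brc3b5c77327tbrv6b123rv6c3rb6c7tc3n7tb6tb6c3t6b35nt-723472357t1423tb231br6c3v4"

KEY_LEN = 32   # AES-256 key
IV_LEN = 16    # AES block size; DeriaLock uses a 16-byte IV


def derive_key_iv(password: str = DERIALOCK_PASSWORD) -> Tuple[bytes, bytes]:
    """Reproduce DeriaLock's derivation as described by Acronis: SHA-512 over the
    ASCII bytes of the password; first 32 bytes are the key, next 16 the IV."""
    digest = hashlib.sha512(password.encode("ascii")).digest()
    return digest[:KEY_LEN], digest[KEY_LEN:KEY_LEN + IV_LEN]


def strip_pkcs7(data: bytes) -> bytes:
    """Remove PKCS#7 padding (assumed; the article does not name the padding).
    A bad pad usually means a wrong key or a file that is not DeriaLock output."""
    if not data or len(data) % IV_LEN:
        raise ValueError("ciphertext length is not a multiple of the block size")
    pad = data[-1]
    if not 1 <= pad <= IV_LEN or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("invalid padding: wrong key or not a DeriaLock file")
    return data[:-pad]


def decrypt_deria_file(path: Path) -> Path:
    """Decrypt one .deria file and write the plaintext beside it (AES-CBC assumed).
    Uses the third-party 'cryptography' package, imported lazily so the
    derivation above can be used without it."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key, iv = derive_key_iv()
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = strip_pkcs7(decryptor.update(path.read_bytes()) + decryptor.finalize())
    out = path.with_suffix("")  # assumed naming: report.docx.deria -> report.docx
    out.write_bytes(plain)
    return out


if __name__ == "__main__":
    import sys
    # Walk a directory of encrypted files; keep the originals until verified.
    for encrypted in Path(sys.argv[1]).rglob("*.deria"):
        print("restored", decrypt_deria_file(encrypted))
```

Run it against a copy of the affected directory first; if the padding check fails on every file, the sample differs from the variant Acronis analysed and the assumed mode or password does not apply.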
The ransom demanded was US$30, payable to Skype user ARIZONACODE. The file eraser component is downloaded only after encryption is complete; rebooting would then activate the eraser and the files would be lost.
But the Acronis researchers wrote that the malware was quite amateurish and outlined steps that could be taken to erase it from a system.
Graphic: courtesy Acronis.