Proofpoint researcher Darien Huss has recently discovered a new strain of ransomware which encrypts users' data and then demands a ransom of 1 bitcoin, to be paid within 5 days.
Dubbed Alma Locker, this malware is one of the few recently appeared threats that has a secure encryption algorithm and a fully working TOR command and control server. Luckily for users and security experts, most newcomer ransomware pieces have already been cracked because of flaws in them or have had their C&C servers suspended. Alma Locker also has some bugs in its implementation, but for now it is actually working. At this point, however, researchers haven't found any vulnerabilities in Alma that could be used to create a free decryptor, but they will continue searching.
The RIG exploit kit is currently known to be spreading the Alma Locker ransomware. Once launched on the victim's computer, Alma creates a random 5-character extension that it appends to the encrypted files. It also generates a unique 8-character victim ID derived from the MAC address of the first network interface and the serial number of the C:\ drive.
Alma encrypts files with particular extensions on the victim's drive letters using AES-128 encryption. Once a file is encrypted, the previously generated random 5-character extension is appended to its name. For instance, if the file is named “test.jpg” and the generated extension is “.a5zfn”, the encrypted file will be named “test.jpg.a5zfn”.
Alma Locker targets files with the following extensions:
.1cd, .3ds, .3gp, .accdb, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer, .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib, .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank, .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .mdb, .mdf, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .qbb, .qbw, .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd, .xls, .xlsm, .xlsx, .xml
However, during the encryption process, Alma Locker skips the files located in folders containing the following strings:
$recycle.bin, system volume information, program files, programdata, program files (x86), windows, internet explorer, Microsoft, Mozilla, chrome, appdata, local settings, recycler, msocache, Unlock_files_
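An incident-response triage helper built from the naming scheme and folder exclusions described above, added here as an example (it is not code from Proofpoint or from the article): it flags files whose names look Alma-encrypted and groups them by appended extension, so the per-victim extension stands out. The 5-character alphanumeric suffix pattern, case-insensitive folder matching and the sample paths are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions the article lists as Alma Locker's targets.
ALMA_TARGET_EXTS = set("""
.1cd .3ds .3gp .accdb .ape .asp .aspx .bc6 .bc7 .bmp .cdr .cer .cfg .cfgx .cpp .cr2 .crt .crw
.csr .csv .dbf .dbx .dcr .dfx .dib .djvu .doc .docm .docx .dwg .dwt .dxf .dxg .eps .htm .html
.ibank .indd .jfif .jpe .jpeg .jpg .kdc .kwm .max .mdb .mdf .odb .odc .odm .odp .ods .odt .orf
.p12 .p7b .p7c .pdf .pef .pem .pfx .php .png .pps .ppt .pptm .pptx .psd .pst .pub .pwm .qbb
.qbw .raw .rtf .sln .sql .sqlite .svg .tif .tiff .txt .vcf .wallet .wpd .xls .xlsm .xlsx .xml
""".split())
# Folder-name fragments the article says Alma skips; case-insensitive matching is an assumption.
ALMA_SKIP_FOLDERS = ("$recycle.bin", "system volume information", "program files", "programdata",
                     "program files (x86)", "windows", "internet explorer", "microsoft", "mozilla",
                     "chrome", "appdata", "local settings", "recycler", "msocache", "unlock_files_")
# The appended extension is 5 random characters; restricting it to alphanumerics is an assumption.
ALMA_SUFFIX = re.compile(r"^\.[A-Za-z0-9]{5}$")

def in_skipped_folder(path):
    """True if any directory component contains a fragment Alma does not encrypt."""
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    return any(frag in part for part in parts for frag in ALMA_SKIP_FOLDERS)

def alma_suffix(path):
    """Return the appended extension if path looks like <name>.<target_ext>.<5 chars>, else None."""
    sfx = PureWindowsPath(path).suffixes
    # A targeted extension that is itself 5 chars long (.ibank, .accdb) is not a random suffix.
    if (len(sfx) >= 2 and sfx[-2].lower() in ALMA_TARGET_EXTS
            and ALMA_SUFFIX.match(sfx[-1]) and sfx[-1].lower() not in ALMA_TARGET_EXTS):
        return sfx[-1]
    return None

def triage(paths):
    """Group suspected Alma-encrypted files by appended extension, largest group first; Alma
    generates one random extension per infection, so that group is the likely victim extension."""
    hits = defaultdict(list)
    for path in paths:
        if not in_skipped_folder(path) and alma_suffix(path):
            hits[alma_suffix(path)].append(path)
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))

SAMPLE_PATHS = [  # constructed sample file list, not data from a real incident
    r"C:\Users\alice\Documents\budget.xlsx.a5zfn",
    r"C:\Users\alice\Pictures\holiday.jpg.a5zfn",
    r"C:\Users\alice\Documents\thesis.docx.a5zfn",
    r"C:\Users\alice\Documents\old.pdf.q7w1z",          # a second, smaller group
    r"C:\Users\alice\AppData\Roaming\prefs.xml.a5zfn",  # skipped folder: Alma would not write here
    r"C:\Users\alice\Documents\finance.doc.ibank",      # .ibank is a target ext, not a random suffix
    r"C:\Users\alice\Music\song.mp3.a5zfn",             # .mp3 is not on Alma's list
]
```

Running `triage(SAMPLE_PATHS)` returns two groups, with the three `.a5zfn` files first and the lone `.q7w1z` file second.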
While encrypting files, Alma sends its C&C server base64-encoded information, such as the AES-128 decryption key, the user's name, the name of the active network interface, the encrypted file extension, the operating system version, the victim ID, the system Locale ID (LCID), the security software registered with Windows, and the timestamp of when the program was started.
When the encryption process is over, a ransom note is displayed on the victim's desktop. It reads “Your files are encrypted!”, followed by instructions on what the victim should do to get them back. The note also contains a link to a TOR-based payment website and another link to download a decryptor. When this decryptor is executed, it connects to the C&C server and retrieves the current ransom amount, whether payment has been made, and how much time the victim has left before the five days are up. For now, it is not clear what happens when the countdown ends: whether the ransom demand increases and, if so, by how much.
The Alma Locker Payment Site also contains TOR links where, supposedly, victims can test the decryption tool to see whether or not it actually works. Unfortunately, this free test decryption currently appears not to work, since all it does is lead to an internal server error.