
ZeroLocker - a new destructive encrypting ransomware, with no chance of recovering your files


Ponting


So many malware developers are trying to jump onto the get-rich-quick encrypting ransomware train that mistakes are starting to become common. This is readily apparent with the latest ransomware, called ZeroLocker, which encrypts your files with AES encryption. Like many other encrypting ransomware, ZeroLocker will encrypt your files and then display a ransom note that explains how you can pay in bitcoins to decrypt them. Unlike other encrypting malware, this infection pretends to be a helper tool that has discovered the encrypted files and is trying to help you. In reality, though, this could be one of the more destructive ransomware infections we have seen to date.

[Image: zerolocker.jpg]

Unlike other file-encrypting ransomware, ZeroLocker does not target only data files. Instead, this infection will encrypt all files on your C:\ drive, including executables, with AES encryption unless they are located in certain folders or are larger than 20 MB. The folders that are safe from encryption are the ones whose paths contain the keywords: Windows, WINDOWS, Program Files, ZeroLocker, and Desktop. Any file that is encrypted will have .encrypted appended to its filename. When it has finished encrypting your files, it will then run the C:\Windows\System32\cipher.exe /w:C:\ command, which overwrites all deleted data on your C:\ drive. This prevents file recovery tools from restoring the original, unencrypted copies of your files. It will create the C:\ZeroLocker folder and store various files there, including the decryptor executable ZeroRescue.exe. This file will be set to start automatically via a Registry entry when you log in to your computer.

The main issue, though, arises when ZeroLocker uploads your decryption key to the Command & Control (C2) server. If the C2 server were properly configured, it would respond to the key upload with an HTTP 200 status code, which means the web page was successfully accessed. Unfortunately, when ZeroLocker attempts to upload its private key it receives a 404 status code, because the requested web page does not exist on the server.

[Image: 404-error.jpg]

Therefore, the decryption key was not stored in any database or file for later recovery. In fact, the only way to recover the key would be to manually filter through the HTTP access logs, if they have not already been overwritten or rotated. This is obviously a coding mistake on the part of the developer, and one that essentially trashes the encrypted computer, as you are unable to retrieve your decryption key even if you pay the ransom. With no recoverable encryption key, and given that it encrypts all files rather than just data files, this ransomware becomes very destructive, especially to companies that have custom software that is not installed under the normal paths.

There is, though, some light at the end of the tunnel. This infection does not delete the Windows System Restore points, so you can restore your files using a program like Shadow Explorer or Windows' built-in Previous Versions feature. For information on how to restore your files via these methods, please read this section of our CryptoLocker guide: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow

A big thanks to decrypterfixer for reversing this malware!

Source: http://www.bleepingcomputer.com/forums/t/544555/zerolocker-a-new-destructive-encrypting-ransomware/
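The targeting rule and the host indicators described in the post, as an added example that is not ZeroLocker's code and not part of the original post. It encodes the rule as stated (everything on C:\ unless the path contains one of the five keywords or the file is over 20 MB), the .encrypted naming, the Run-key autostart of C:\ZeroLocker\ZeroRescue.exe, and the cipher.exe /w:C:\ wipe. The exact byte threshold, the Run-key value name and the sample file inventory are assumptions constructed for the example:

```python
import re
from typing import Dict, Iterable, List, Tuple

# Added triage helper for this thread; not ZeroLocker's code. It implements the
# file-selection rule the post describes so a responder can estimate blast
# radius from a file inventory and check the autorun / wipe indicators.

SKIP_KEYWORDS = ("Windows", "WINDOWS", "Program Files", "ZeroLocker", "Desktop")
SIZE_LIMIT = 20 * 1024 * 1024      # assumption: "20 MB" taken as 20 MiB
ENCRYPTED_SUFFIX = ".encrypted"
AUTORUN_EXE = r"C:\ZeroLocker\ZeroRescue.exe"


def would_encrypt(path: str, size: int) -> bool:
    """True if the post's rules say ZeroLocker would encrypt this file."""
    if not path.upper().startswith("C:\\"):
        return False                # only the C:\ drive is targeted
    if size > SIZE_LIMIT:
        return False                # large files are skipped
    # Case-sensitive substring test on the whole path; this is why the
    # post lists both "Windows" and "WINDOWS" as separate keywords.
    return not any(kw in path for kw in SKIP_KEYWORDS)


def predict_victims(files: Iterable[Tuple[str, int]]) -> List[str]:
    """Paths from a (path, size_in_bytes) inventory that would be encrypted."""
    return [p for p, s in files if would_encrypt(p, s)]


def original_name(path: str) -> str:
    """Strip the appended .encrypted marker to get the pre-infection name."""
    if path.endswith(ENCRYPTED_SUFFIX):
        return path[: -len(ENCRYPTED_SUFFIX)]
    return path


def autorun_indicator(run_values: Dict[str, str]) -> List[str]:
    """Names of Run-key values whose command launches the ZeroRescue decryptor."""
    return [name for name, cmd in run_values.items()
            if AUTORUN_EXE.lower() in cmd.lower()]


def cipher_wipe_indicator(cmdline: str) -> bool:
    """True for the free-space wipe the post says runs after encryption."""
    return re.search(r"cipher(\.exe)?\s+/w:C:\\", cmdline, re.IGNORECASE) is not None


# Constructed sample inventory (not from any real host).
SAMPLE_FILES = [
    (r"C:\Users\bob\Documents\report.docx", 120_000),        # encrypted
    (r"C:\Users\bob\Desktop\todo.txt", 2_000),               # skipped: Desktop
    (r"C:\Program Files\App\app.exe", 900_000),              # skipped: Program Files
    (r"C:\Windows\System32\notepad.exe", 200_000),           # skipped: Windows
    (r"C:\CustomApp\billing.exe", 3_000_000),                # encrypted: exe outside Program Files
    (r"C:\Users\bob\Videos\holiday.mp4", 700 * 1024 * 1024), # skipped: > 20 MB
    (r"D:\backup\archive.zip", 5_000),                       # skipped: not C:\
]

# Constructed Run-key contents; the value name "ZeroRescue" is an assumption.
SAMPLE_RUN_KEY = {
    "OneDrive": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "ZeroRescue": r"C:\ZeroLocker\ZeroRescue.exe",
}

if __name__ == "__main__":
    print("would be encrypted:", predict_victims(SAMPLE_FILES))
    print("suspicious Run values:", autorun_indicator(SAMPLE_RUN_KEY))
    print("wipe seen:", cipher_wipe_indicator(r"C:\Windows\System32\cipher.exe /w:C:\"))
```

Note that C:\CustomApp\billing.exe is hit while C:\Program Files\App\app.exe is not, which is the point the post makes about custom software installed outside the usual paths.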
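The access-log recovery the post mentions, as an added example that is not the C2 server's code and not part of the original post. It assumes an Apache-style Combined Log Format, that the key was sent in a GET query string (so it lands in the access log), and placeholder parameter names "id" and "key"; the post gives neither the real URL nor the field names, and the sample log lines are constructed:

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

# Added example for this thread; assumptions are noted in the lead-in.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: a normal hit, the key upload that got a 404, an
# unrelated 404, and a POST whose body never reaches the access log.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2014:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Aug/2014:10:02:15 +0000] "GET /upload.php?id=WIN-ABC123&key=0f1e2d3c4b5a69788796a5b4c3d2e1f0 HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [18/Aug/2014:10:03:40 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.24 - - [18/Aug/2014:10:04:02 +0000] "POST /upload.php HTTP/1.1" 404 209 "-" "-"
"""


def recover_keys(lines: Iterable[str], key_param: str = "key",
                 id_param: str = "id") -> List[Dict[str, str]]:
    """Pull keys out of 404'd GET requests, i.e. uploads the C2 never stored."""
    found = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        # Only GET requests carry the query string into the access log;
        # a POST body is gone, so those 404s are unrecoverable from here.
        if not m or m["status"] != "404" or m["method"] != "GET":
            continue
        qs = parse_qs(urlsplit(m["target"]).query)
        if key_param not in qs:
            continue
        found.append({
            "ip": m["ip"],
            "time": m["time"],
            "victim": qs.get(id_param, [""])[0],
            "key": qs[key_param][0],
        })
    return found


if __name__ == "__main__":
    for hit in recover_keys(SAMPLE_LOG.splitlines()):
        print(hit)
```

The filter keys on status 404 rather than on the path, since the whole point is that the upload endpoint did not exist; in practice you would also match the victim ID the infected machine reported, and the logs only help until logrotate discards them.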
