DeriaLock

DeriaLock targets Windows but requires the .NET Framework 4.5 for installation and, therefore, does not affect systems running Windows XP. Its distribution method is currently unknown. Once a system is infected, DeriaLock obtains the machine name identifier and creates an MD5 hash of it to compare against an embedded hash. This check prevents the developer from accidentally infecting his or her own system. DeriaLock then contacts its C2 server and downloads an updated version of itself, which it runs to lock its victims’ screens. It kills a number of processes and disables the Alt + F4 shortcut to maintain persistence.

When researchers originally discovered it, DeriaLock was merely a screenlocker variant and did not encrypt files. However, an updated version has been spotted that does encrypt files and appends .deria to file names. The attacker behind DeriaLock demands a 30 USD ransom payment and requires victims to contact him or her via Skype for payment instructions.

  • Bleeping Computer provides more information about DeriaLock here.
  • Security researcher Michael Gillespie can decrypt DeriaLock. He can be contacted for assistance through his Twitter account here.
  • NoMoreRansom.org provides a free decryption tool for DeriaLock, available here.

One example of the DeriaLock variant. Image Source: Bleeping Computer