FilesLocker, recently detected by MalwareHunterTeam, is currently marketed on the dark web as a ransomware-as-a-service (RaaS) offering that allows users to register an account and create ransomware campaigns. Those who sign up as affiliates can earn a commission of between 60 and 75 percent, depending on the amount of traffic generated by their campaigns. FilesLocker has been observed targeting victims that speak Chinese and English, and is advertised as possessing numerous capabilities, including the ability to delete volume shadow copies and encryption via RSA 2048+AES. This ransomware variant appends .locked to the names of encrypted files and targets specific folders such as Documents, Desktop, Music, and Pictures. Ransom notes titled #解密我的文件#.txt and #DECRYPT MY FILES#.txt are created in numerous locations and contain a bitcoin address for payment, a unique victim ID, and an email address to contact the attackers. Additionally, infections are tracked through an image that is automatically opened on the infected machine via the shortened URL IPLogger[.]com.
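For responders triaging a host, the file-system indicators described above (the two ransom note names and the .locked extension in the targeted folders) can be checked with a short script. This is an added example, not code from the original profile or from any vendor; the per-user folder layout, the function names, and the min_locked threshold are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
from collections import Counter

# Indicators from the profile above: ransom note names and appended extension.
NOTE_NAMES = {"#解密我的文件#.txt".casefold(), "#decrypt my files#.txt"}
LOCKED_EXT = ".locked"
# Folders the profile lists as targets; a per-user profile layout is assumed.
TARGET_DIRS = ("Documents", "Desktop", "Music", "Pictures")


def scan_profile(profile_root, min_locked=3):
    """Report FilesLocker file-system indicators under one user profile.

    min_locked is an assumed threshold so that a stray *.locked file from
    unrelated software does not raise the verdict on its own.
    """
    notes, locked = [], Counter()
    for name in TARGET_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(profile_root, name)):
            for fname in files:
                if fname.casefold() in NOTE_NAMES:
                    notes.append(os.path.join(dirpath, fname))
                elif fname.casefold().endswith(LOCKED_EXT):
                    locked[os.path.relpath(dirpath, profile_root)] += 1
    many_locked = sum(locked.values()) >= min_locked
    if notes and many_locked:
        verdict = "likely"        # ransom note plus bulk renamed files
    elif notes or many_locked:
        verdict = "suspicious"    # one indicator only; needs analyst review
    else:
        verdict = "clean"
    return {"verdict": verdict, "notes": sorted(notes), "locked": dict(locked)}


def build_sample(root):
    """Create a constructed (not real) profile tree for demonstration."""
    docs = os.path.join(root, "Documents", "reports")
    os.makedirs(docs)
    os.makedirs(os.path.join(root, "Music"))
    for fname in ("q1.xlsx.locked", "q2.xlsx.locked", "notes.docx.locked",
                  "#DECRYPT MY FILES#.txt"):
        open(os.path.join(docs, fname), "w").close()
    open(os.path.join(root, "Music", "song.mp3"), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_profile(tmp))
```

A "suspicious" verdict means only one indicator type was present, since other software also uses the .locked extension.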

  • Bleeping Computer provides additional information about FilesLocker here.

  • UPDATE 1/2/2019: Michael Gillespie created a decryptor for versions 1 and 2 of the FilesLocker variant that appends [.]fileslocker@pm[.]me to file names.

Image Source: Bleeping Computer