Maktub Locker

One example of the Maktub Locker variant.

Image Source: Malwarebytes

Maktub Locker targets Windows and spreads through a spam campaign that includes a malicious .scr attachment designed to look like a “Terms of Service” (TOS) agreement. Once the victim opens the attached document, a malicious script quietly begins to run and encrypts files in the background. It targets files on local drives, removable drives, and the network. It does not need to call out to a C2 server to obtain the encryption key; encryption can take place offline as well as online. Maktub Locker compresses files before it encrypts them and then deletes the originals. The extensions appended to the file names are random but follow an [a-z]{4,6} pattern.

  • Malwarebytes provides more information about Maktub Locker.
  • The NJCCIC is not aware of any decryption tools available for Maktub Locker.
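The appended-extension pattern described above matches many legitimate extensions (docx, html, jpeg), so on its own it is a weak indicator. The following is an added example, not part of the original profile, that triages a file listing by requiring a known data extension underneath the appended one, excluding known extensions, and flagging only directories with several hits. The allowlists, the threshold, and the sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Appended-extension pattern as stated in the profile (lowercase, 4-6 letters).
APPENDED = re.compile(r"[a-z]{4,6}")
# Assumption: legitimate extensions that also fit the pattern; extend per site.
KNOWN = {"docx", "xlsx", "pptx", "jpeg", "html", "json", "tiff", "backup"}
# Assumption: user-data extensions expected directly under the appended one.
DATA = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png", "txt"}


def is_suspect(path):
    """True for names like report.docx.qwkzp: data extension + unknown [a-z]{4,6}."""
    suffixes = [s.lstrip(".") for s in PureWindowsPath(path).suffixes]
    if len(suffixes) < 2:
        return False
    inner, outer = suffixes[-2].lower(), suffixes[-1]
    return (APPENDED.fullmatch(outer) is not None
            and outer not in KNOWN
            and inner in DATA)


def flag_directories(paths, threshold=3):
    """Group suspect files by directory; report directories at or above threshold."""
    hits = defaultdict(list)
    for p in paths:
        if is_suspect(p):
            hits[str(PureWindowsPath(p).parent)].append(p)
    return {d: files for d, files in hits.items() if len(files) >= threshold}


# Constructed listing for illustration; not taken from a real incident.
SAMPLE = [
    r"C:\Users\a\Documents\report.docx.qwkzp",
    r"C:\Users\a\Documents\budget.xlsx.mfhrt",
    r"C:\Users\a\Documents\scan.pdf.zzplkq",
    r"C:\Users\a\Documents\notes.txt.backup",   # known extension, ignored
    r"C:\Users\a\Pictures\photo.jpg",           # single extension, ignored
    r"C:\Users\a\Pictures\trip.png.abcd",       # one hit, below threshold
]

if __name__ == "__main__":
    for directory, files in flag_directories(SAMPLE).items():
        print(f"{directory}: {len(files)} files with an appended random extension")
```

A flagged directory is a prompt to check whether the original files are gone, since the profile notes that the originals are deleted after encryption.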