MM Locker targets Windows OS and it is distributed via malicious email attachments and crack executables for various games. Once a system is infected, MM Locker contacts its C2 server via a POST request, transmitting the victim’s username and computer name and a hardcoded token labeled servkey. It then receives the ransom amount and a JPG to be displayed on the infected system, as well as the decryption tool. Once this exchange is completed, MM Locker signals that the process has been completed by sending a Uniform Resource Identifier (URI) labeled /finished.php. MM Locker encrypts a number of file types, including tax files, and appends .locked to the file names. MM Locker demands a ransom of 0.501049 Bitcoin and threatens to delete the decryption key if payment is not received within 72 hours.
- Sensors Tech Forum provides more information about MM Locker here.
- The NJCCIC is not currently aware of any decryption tool available for MM Locker.