NanoLocker targets the Windows operating system and spreads through spam email containing a malicious attachment disguised as a PDF file. When the victim clicks on the attachment, the ransomware displays a fake error and then begins silently encrypting files in the background. It encrypts the files with an AES-256 key generated at run time. This key is stored locally in a file on the victim's hard drive before it is encrypted with an RSA public key, which leaves a short window of opportunity for the victim to capture the key file and use a decryption tool without having to pay the ransom. Unique to this variant, NanoLocker communicates with its C2 server using ICMP packets and demands a very low ransom amount, from 0.1 to 0.25 BTC (approximately $43 to $110 USD).
- Malware Clipboard provides more information about NanoLocker, available here.
- Bleeping Computer also provides information about NanoLocker, available here.
- A decryption tool for NanoLocker can be downloaded from Google Drive here; however, this tool will only work if the key is located before the encryption process is complete. The source code and additional information for the tool are located on GitHub here.