OzozaLocker targets Windows OS and is distributed via spam emails containing a malicious executable named CryptoSolution.exe. Once executed, OzozaLocker modifies the Windows Registry in order to encrypt files on startup. It encrypts files using AES and appends .locked to the encrypted file names. It then drops a ransom note named HOW TO DECRYPT YOU FILES.txt on the infected system. The ransom demand payment is 1 Bitcoin and asks victims to contact santa_helper@protonmail.com to pay.

UPDATE 5/2/2017: A new version appends .locked to encrypted file names and drops a ransom note named HOW TO DECRYPT YOU FILES.txt. The hacker behind this campaign uses the contact email z1z2z3z4@protonmail.com.

  • Sensors Tech Forum provides more information about OzozaLocker here.
  • Emsisoft provides a free decryption tool for OzozaLocker here.

Image Source: Bleeping Computer