OzozaLocker targets the Windows OS and is distributed via spam emails containing a malicious executable named CryptoSolution.exe. Once executed, OzozaLocker modifies the Windows Registry in order to encrypt files on startup. It encrypts files using AES and appends .locked to the encrypted file names. It then drops a ransom note named HOW TO DECRYPT YOU FILES.txt on the infected system. The ransom demand is 1 Bitcoin, and the note asks victims to contact santa_helper@protonmail.com to pay.

  • Sensors Tech Forum provides more information about OzozaLocker here.
  • Emsisoft provides a free decryption tool for OzozaLocker here.
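
A triage check for the file-system indicators named in the description above, added here as an example and not code from Sensors Tech Forum or Emsisoft. The function names `scan_tree` and `verdict` and the verdict thresholds are assumptions of this example, and the sample tree is constructed.

```python
import os
import tempfile
from pathlib import Path

# File-system indicators stated in the description above.
DROPPER = "cryptosolution.exe"
NOTE = "how to decrypt you files.txt"
EXT = ".locked"
CONTACT = b"santa_helper@protonmail.com"

def scan_tree(root):
    """Walk root and collect paths matching each indicator (case-insensitive)."""
    hits = {"dropper": [], "note": [], "note_with_contact": [], "locked": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, low = Path(dirpath) / name, name.lower()
            if low == DROPPER:
                hits["dropper"].append(path)
            elif low == NOTE:
                hits["note"].append(path)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(65536)
                except OSError:
                    continue  # unreadable note still counts as a name match
                # Dropping NUL bytes lets the ASCII address match in UTF-16 text too.
                if CONTACT in head.replace(b"\x00", b"").lower():
                    hits["note_with_contact"].append(path)
            elif low.endswith(EXT):
                hits["locked"].append(path)
    return hits

def verdict(hits):
    """Triage thresholds are an assumption of this example, not from the page."""
    if hits["note_with_contact"] or (hits["note"] and hits["locked"]):
        return "likely"
    if hits["dropper"] or hits["note"] or hits["locked"]:
        return "review"  # e.g. .locked alone: the suffix is not unique to this family
    return "clean"

if __name__ == "__main__":
    # Constructed sample tree, built in a temp dir so the script runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents")
        docs.mkdir()
        (docs / "report.docx.locked").write_bytes(b"\x00" * 16)
        (docs / "HOW TO DECRYPT YOU FILES.txt").write_text(
            "Constructed note text. Contact santa_helper@protonmail.com")
        hits = scan_tree(tmp)
        print(verdict(hits), {k: len(v) for k, v in hits.items()})
```

A "review" result on `.locked` files alone should be confirmed against the ransom note or the dropper before the host is treated as an OzozaLocker infection.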

One example of the OzozaLocker variant. Image Source: Sensors Tech Forum