One example of the Simplelocker variant.

Image Source: The Hacker News

Simplelocker, also known as Andr/Slocker-A, is Tor-enabled mobile ransomware that targets Android OS and spreads through a Trojan downloader masquerading as a legitimate application. Once installed, it scans the device for various file types and encrypts them using AES, changing the file extensions to .enc. It also collects information such as the IMEI number, device model, and manufacturer and sends it to a C2 server. Newer versions access the device camera and display a picture of the victim to scare them into paying the ransom.

UPDATE 7/5/2017: A new version mimics WannaCry ransomware and displays a similar lock screen.

  • Information on how to remove Simplelocker from an Android device can be found here.
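
For triage of storage copied from a suspected device, the file behaviour described above (files given the .enc extension with AES-encrypted contents) can be checked with the sketch below. It is an added example, not code from the original page; the 7.5 bits/byte entropy threshold, the 64 KiB sample size, the function names and the sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

ENC_SUFFIX = ".enc"        # extension the page says Simplelocker gives encrypted files
ENTROPY_THRESHOLD = 7.5    # assumption: bits/byte at or above which data looks encrypted
SAMPLE_BYTES = 64 * 1024   # assumption: the first 64 KiB is enough for triage


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())


def triage(root: str) -> list:
    """Return sorted (path, entropy, looks_encrypted) for each *.enc file under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(ENC_SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            findings.append((path, round(entropy, 2), entropy >= ENTROPY_THRESHOLD))
    return sorted(findings)


def make_constructed_sample(root: str) -> None:
    """Write constructed test files; random bytes stand in for AES ciphertext."""
    os.makedirs(os.path.join(root, "DCIM"))
    samples = {
        os.path.join("DCIM", "IMG_0001.enc"): os.urandom(8192),  # ciphertext-like
        "notes.enc": b"plain text that merely has the suffix\n" * 200,
        "song.mp3": os.urandom(8192),  # high entropy but wrong suffix: skipped
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_sample(tmp)
        for path, entropy, hit in triage(tmp):
            print(f"{'LIKELY ENCRYPTED' if hit else 'review manually '}  {entropy:4.2f}  {path}")
```

Compressed media also scores near 8 bits/byte, so the signal is the .enc suffix and high entropy together, not either one alone.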