WannaLocker targets China-based Android users and attempts to emulate WannaCry's ransom note. It is distributed through Chinese game forums, masquerading as a plugin for the game King of Glory. Once installed, it hides its own app icon, changes the device's wallpaper image, and then uses AES to encrypt files over 10 KB in size that are located on the device's storage card. It avoids encrypting files that begin with a "." as well as files that include DCIM, download, miad, android, and com in the SD card file path. WannaLocker demands a ransom of 40 Chinese Renminbi, which is approximately equal to 5 or 6 USD, and requests payment through QQ, Alipay, or WeChat.

Technical Details and Reporting

  • Avast provides more information about WannaLocker here.

  • The NJCCIC is not currently aware of any free decryption tools available for WannaLocker.

  • UPDATE 7/10/2019: Researchers at Avast discovered a new WannaLocker variant, “WannaHydra,” which uses WannaCry's user interface and functions as spyware and a banking Trojan. It also has remote administration functions and the ability to encrypt files on the infected device’s external storage. It is currently targeting Android devices of customers of major banks in Brazil.