New FilesLocker Ransomware Offered as a Ransomware as a Service

A new ransomware called FilesLocker is being distributed as a Ransomware as a Service, or RaaS, that targets Chinese and English speaking victims.

This ransomware was first spotted by MalwareHunterTeam who posted about it on Twitter. At the time, it looked like your standard small little C# ransomware with little or no distribution. It turns out, though, that this ransomware is being offered as a RaaS where affiliates can sign up and earn commissions.

Thanks to a link shared with BleepingComputer by security researcher Neutral8✗9eR, we can see that FilesLocker is being marketed through a Chinese hacking and malware forum located on TOR.

This program is offering those who sign up as an affiliate a 60% revenue share of all ransom payments. If the affiliate can drive enough traffic, this commission can go as high as 75%.

The RaaS claims to have numerous features you would expect such as tracking, customization, strong encryption, and the clearing of shadow volume copies.  The full marketed features are translated below:

All that the developer asks is that an affiliate have experience distributing malware, infects 10 people per day, and does not upload the ransomware to a mass antivirus scanning service (oops).

The developer also posted some screenshots showing some fancy logging being done where infected IP addresses and country statistics are being tracked.

While looking at the source code for the ransomware we can see that while the ransomware is fully functional, there is nothing advanced about it.

It includes an embedded public encryption key that is used to encrypt the key generated to encrypt a victim's files. As the the private encryption key, is only known to the ransomware developer there is no way to get files back for free.

When encrypting a victim's files, it targets specific folders such as the Desktop, Documents, Music, Pictures, etc and appends the .locked extension to encrypted files.

When done encrypting, it will open the ransomware screen shown below that provides a bitcoin address to use for payment, a unique victim ID, and an email address for the user to contact. In this example, the email address is bakfiles@protonmail.com. The embedded bitcoin address of 3EZGS8P439PbBeiWjsGYjSSaRHn9CXKDRQ appears to be static and used for all victims who are infected by the same sample.

The program will also automatically open an image through an IPLogger.com shortened URL. This is how the RaaS gathers statistics on the amount of victims that have been infected with FilesLocker. It will also create text ransom notes under the names #解密我的文件#.txt and #DECRYPT MY FILES#.txt in various folders throughout the computer.

The image displayed by the IPLogger url is displayed below and acts as a ransom note with instructions to open the text ransom notes on the computer.

As you can see, this is not a very sophisticated RaaS compared to what we have seen with other families, but it is effective. If the program recruits enough affiliates who know how to spread malware, it could be as devastating to a victim as any other ransomware out there.