Elmers Glue Locker demands $35k but fails to encrypt! (May 26th, 2017)


Another day, another ransomware! This time, the SonicWall Threats Research team has discovered an ambitious new ransomware threat called Elmer's Glue Locker which appears to be in early development. So early, in fact, that it fails to encrypt any files at all: it drops ransom notes, changes the wallpaper and demands payment, but leaves the victim's data untouched.

Infection Cycle:

The Trojan uses the following icon and metadata:

The Trojan performs no network communication.

The Trojan adds the following files to the filesystem:

  • %APPDATA%\Local\Packages\Microsoft.BingFoodAndDrink_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.BingHealthAndFitness_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.MoCamera_cw5n1h2txyewy\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt
  • %APPDATA%\Local\Packages\Microsoft.WindowsReadingList_8wekyb3d8bbwe\RoamingState\HOW_CAN_I_DECRYPT_MY_FILES.txt

HOW_CAN_I_DECRYPT_MY_FILES.txt contains the following text:

      Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.

      Encryption was prodused using unique public key for this computer.

      To decrypt files, you need to obtain private key and special tool.

      To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.

      Depending on your operation system version and personal settings, you can find it in:

      'C:/',

      'C:/ProgramData',

      'C:/Documents and Settings/All Users/Application Data',

      'Your Desktop'

      folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').

      Then send it to one of following email addresses:

      begins@colocasia.org

      bilbo@colocasia.org

      frodo@colocasia.org

      trevor@thwonderfulday.com

      bob@thwonderfulday.com

      bil@thwonderfulday.com

      Your ID: {REMOVED}#4FDBF87A34166C70955ED0ECBC1DDFCD

      Do not worry if you did not find key file, anyway contact for support.

It displays the following information on the desktop background:

It demands that the user sends a hefty sum of 16 Bitcoins to 14Vbyx3SCUvLKj3FWWefEVWAs4jJ9R2qqi (over $35,000 USD at the time of writing) for file recovery.

The wallpaper message directs the user to a site hosted on the Tor network:

      http://torbox3uiot6wchz.onion

This leads to the following site:

As expected (from ransomware that doesn’t work) there has been no transaction activity at the supplied Bitcoin address:
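The drop locations and ransom-note contents above are enough to hunt for this sample on an affected host or a mounted profile. The following Python script is an added example and not SonicWall's code or the malware's: it walks a directory tree for HOW_CAN_I_DECRYPT_MY_FILES.txt and for files carrying the '.key.~xdata~' extension the note refers to, then pulls the contact addresses and victim ID out of each note. The directory layout, the key file and the benign file are constructed in a temporary directory from the paths quoted in this writeup so the script runs offline; the note text is the one quoted above with the victim ID left redacted.

```python
"""Hunt for Elmer's Glue Locker artefacts and extract IOCs from the ransom note.

Added example (not SonicWall's or the malware's code). Package names, note text and
key-file naming come from the writeup; the on-disk fixture is constructed here.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Set, Tuple

NOTE_NAME = "HOW_CAN_I_DECRYPT_MY_FILES.txt"
KEY_EXT = ".key.~xdata~"

# Package directories in which the sample dropped its note (from the writeup).
PACKAGES = [
    "Microsoft.BingFoodAndDrink_8wekyb3d8bbwe",
    "Microsoft.BingHealthAndFitness_8wekyb3d8bbwe",
    "Microsoft.MoCamera_cw5n1h2txyewy",
    "Microsoft.WindowsReadingList_8wekyb3d8bbwe",
]

# Note body as quoted in the writeup; misspellings are the malware's own and are
# kept verbatim because they are useful detection strings.
SAMPLE_NOTE = """Your IMPORTANT FILES WERE ENCRYPTED on this computer: documents, databases, photos, videos, etc.
Encryption was prodused using unique public key for this computer.
To decrypt files, you need to obtain private key and special tool.
To retrieve the private key and tool find your pc key file with '.key.~xdata~' extension.
Depending on your operation system version and personal settings, you can find it in:
'C:/',
'C:/ProgramData',
'C:/Documents and Settings/All Users/Application Data',
'Your Desktop'
folders (eg. 'C:/PC-TTT54M#45CD.key.~xdata~').
Then send it to one of following email addresses:
begins@colocasia.org
bilbo@colocasia.org
frodo@colocasia.org
trevor@thwonderfulday.com
bob@thwonderfulday.com
bil@thwonderfulday.com
Your ID: {REMOVED}#4FDBF87A34166C70955ED0ECBC1DDFCD
Do not worry if you did not find key file, anyway contact for support.
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ID_RE = re.compile(r"Your ID:\s*(\S+)")
# v2 (16 char) and v3 (56 char) onion hostnames; the note itself has none, the wallpaper does.
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")


@dataclass
class Findings:
    notes: List[str] = field(default_factory=list)       # every dropped ransom note
    notes_in_roamingstate: int = 0                        # notes under Packages\*\RoamingState
    key_files: List[str] = field(default_factory=list)   # files ending in .key.~xdata~
    emails: Set[str] = field(default_factory=set)
    victim_ids: Set[str] = field(default_factory=set)
    onions: Set[str] = field(default_factory=set)


def parse_note(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Return (emails, victim IDs, onion hosts) found in a ransom-note body."""
    return sorted(set(EMAIL_RE.findall(text))), ID_RE.findall(text), ONION_RE.findall(text)


def in_package_roamingstate(path: Path) -> bool:
    """True when the note sits where this sample drops it: Packages\\<pkg>\\RoamingState\\."""
    parents = path.parents
    return len(parents) > 2 and parents[0].name == "RoamingState" and parents[2].name == "Packages"


def hunt(root: Path) -> Findings:
    """Walk a profile or drive root for the artefacts listed in the writeup."""
    found = Findings()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            found.notes.append(str(path))
            if in_package_roamingstate(path):
                found.notes_in_roamingstate += 1
            emails, ids, onions = parse_note(path.read_text(errors="replace"))
            found.emails.update(emails)
            found.victim_ids.update(ids)
            found.onions.update(onions)
        elif path.name.endswith(KEY_EXT):
            found.key_files.append(str(path))
    return found


def build_sample_tree(root: Path) -> None:
    """Constructed fixture mirroring the drop locations from the writeup."""
    for pkg in PACKAGES:
        drop_dir = root / "AppData" / "Local" / "Packages" / pkg / "RoamingState"
        drop_dir.mkdir(parents=True)
        (drop_dir / NOTE_NAME).write_text(SAMPLE_NOTE)
    # Key-file name is the note's own example; the sample did not encrypt, so a real
    # key file is not guaranteed. This one is constructed for the demo.
    (root / "PC-TTT54M#45CD.key.~xdata~").write_text("constructed key blob")
    (root / "Desktop").mkdir()
    (root / "Desktop" / "report.txt").write_text("benign, untouched user file")


def demo() -> Findings:
    """Build the fixture in a temp dir, hunt it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    result = demo()
    print(f"notes: {len(result.notes)} ({result.notes_in_roamingstate} in Packages\\*\\RoamingState)")
    print(f"key files: {result.key_files}")
    print(f"contact addresses: {sorted(result.emails)}")
    print(f"victim IDs: {sorted(result.victim_ids)}")
```

To run against a real system, point hunt() at a profile root (for example the mounted C:\Users\<name> of a suspect image) instead of the constructed tree. The count of notes under Packages\*\RoamingState is kept separate from the total because other families drop notes of the same name in other places; a match there is the stronger indicator for this sample.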

Although no file encryption took place when we analysed this sample, the threat is still significant: the ransom note, wallpaper and payment instructions are already in place, and we expect the authors to add working encryption in the very near future.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: ElmerLocker.RSM (Trojan)