New LockXX Ransomware Targets Users Who Speak Standard Chinese, English


Overview

This week, the SonicWall Capture Labs threat research team analyzed a ransomware sample whose ransom note is written for users who speak English and Standard Chinese. Its behavior is typical of ransomware: it encrypts the user's files and drops instructions on how to recover them, with the instructions offered in both English and Standard Chinese.

Infection Cycle

The malware arrives as a portable executable (PE) that, once executed, immediately spawns the command prompt to disable User Account Control (UAC). UAC is the Windows feature that prompts the user for consent before a program makes a change that requires administrative rights, so turning it off removes a barrier the malware would otherwise run into. Because the change does not take effect until the system restarts, Windows shows a prompt telling the user that a reboot is needed to turn off UAC.

Figure 1: Prompt to alert the user that enabling/disabling UAC requires a reboot

However, this prompt disappears quickly and can easily go unnoticed. To make sure the UAC change takes effect, the malware forces the victim's machine to reboot by using schtasks to add a scheduled task that shuts the system down.

Figure 2: Scheduled task to shutdown the system

A second scheduled task is added that clears the Windows event logs every five minutes, wiping traces of the malware's activity as it runs.

Figure 3: Scheduled Task to clear event logs every five minutes
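The three setup steps above (UAC disabled from the command prompt, a scheduled reboot, and a scheduled task that clears event logs every five minutes) are visible in process-creation telemetry before any file is encrypted, which makes them a useful early-warning signature. The following is an added detection example, not code from the original write-up or from SonicWall: it runs simple behavioural rules over constructed Sysmon/4688-style process records, climbs the parent chain past cmd.exe, reg.exe and schtasks.exe so each behaviour is attributed to the process that started it, and flags a process when two or more of the behaviours are seen under it. The exact command lines LockXX uses are not given in the write-up; the sample records below are assumed representative forms (reg add on EnableLUA, schtasks /create with shutdown, schtasks /create with wevtutil cl) and the field names, rule names and pids are illustrative.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation records in a Sysmon Event ID 1 / Security 4688 style.
# These are NOT telemetry from the page; the command lines are assumed forms of the
# three behaviours the write-up describes.
SAMPLE_EVENTS = [
    {"pid": 1204, "ppid": 980, "image": r"C:\Users\victim\Downloads\invoice.exe",
     "cmd": r"invoice.exe"},
    {"pid": 1330, "ppid": 1204, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"pid": 1335, "ppid": 1330, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"pid": 1342, "ppid": 1204, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "SystemReboot" /tr "shutdown /r /t 0" /sc once /st 23:59 /f'},
    {"pid": 1350, "ppid": 1204, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "ClearLogs" /tr "wevtutil cl System" /sc minute /mo 5 /f'},
    # Benign scheduled task from another process: must not be flagged.
    {"pid": 2000, "ppid": 700, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00'},
]

# Living-off-the-land binaries that the malware drives; behaviour seen in them is
# attributed to the nearest ancestor that is not one of these.
LOLBINS = {"cmd.exe", "reg.exe", "schtasks.exe", "wevtutil.exe", "shutdown.exe"}

# One regex per behaviour. Rule names are illustrative.
RULES = {
    # EnableLUA set to 0 (also accepts 0x0): UAC disabled at next reboot.
    "uac_disabled": re.compile(r"\bEnableLUA\b.*?/d\s+0x?0*(?=\s|$)", re.I),
    # A scheduled task whose action is shutdown.
    "scheduled_reboot": re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?\bshutdown\b", re.I),
    # A scheduled task whose action clears an event log with wevtutil.
    "scheduled_log_wipe": re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?\bwevtutil\s+cl\b", re.I),
}
INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)


def match_rules(cmd):
    """Return the names of every rule that matches a single command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def root_process(pid, by_pid):
    """Climb the parent chain past LOLBins and return the pid of the originating process."""
    ev = by_pid[pid]
    while True:
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            return ev["ppid"]  # ancestor not in the capture; attribute to its pid anyway
        if ntpath.basename(parent["image"]).lower() not in LOLBINS:
            return parent["pid"]
        ev = parent


def detect(events, min_behaviours=2):
    """Group matched behaviours by originating process and report those meeting the threshold."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    intervals = {}
    for e in events:
        names = match_rules(e["cmd"])
        if not names:
            continue
        root = root_process(e["pid"], by_pid)
        hits[root].update(names)
        m = INTERVAL.search(e["cmd"])
        if m and "scheduled_log_wipe" in names:
            intervals[root] = int(m.group(1))  # how often the logs are wiped, in minutes
    report = []
    for root, names in sorted(hits.items()):
        if len(names) >= min_behaviours:
            report.append({
                "pid": root,
                "image": by_pid.get(root, {}).get("image", "<unknown>"),
                "behaviours": sorted(names),
                "log_wipe_minutes": intervals.get(root),
            })
    return report


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The threshold of two behaviours keeps a lone `reg add ... EnableLUA` (which an administrator's script might legitimately run) from paging anyone, while the full chain of three under one parent is a strong signal. Because the log-wipe task runs every five minutes, any real deployment of this logic has to consume the events from a forwarded stream or EDR, not from the local event log, which the malware is already clearing.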

Meanwhile, the malware encrypts the user's files and appends the .lockxx extension to every encrypted file.

Figure 4: Encrypted files with .lockxx file extensions

A .hta file named "lockxx.recover_data.hta" is dropped into every directory that contains an encrypted file. Opening it displays the instructions on how to recover the data, with a toggle between English and Standard Chinese.

Figure 5: Executing the file “lockxx.recover_data.hta” will open this window with instructions in English

Figure 6: A toggle for the Standard Chinese language is available within the instructions window

A log file named "info.log" is also saved. It appears to record the sequence of actions the malware carried out on the machine.

Figure 7: Info.log containing malware execution event log
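For a responder, the file-system artefacts described above (the .lockxx extension, the lockxx.recover_data.hta note in every directory holding an encrypted file, and info.log) are enough to scope an infection without touching the sample. The following triage script is an added example, not part of the original write-up or SonicWall's tooling: it walks a directory tree, counts encrypted files by their original extension, lists which directories received a note, and reports directories that hold encrypted files but no note, which would suggest the run was interrupted. It assumes the .lockxx extension is appended after the original extension (e.g. report.docx.lockxx), which the write-up implies but does not state, and it builds its own constructed sample tree in a temporary directory so it runs offline.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the write-up.
EXT = ".lockxx"
NOTE = "lockxx.recover_data.hta"
LOG = "info.log"


def triage(root):
    """Walk a tree and summarise LockXX file-system indicators found under it."""
    encrypted = []
    note_dirs = set()
    logs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(EXT):
                encrypted.append(os.path.join(dirpath, name))
            elif lower == NOTE:
                note_dirs.add(dirpath)
            elif lower == LOG:
                logs.append(os.path.join(dirpath, name))

    dirs_with_encrypted = {os.path.dirname(p) for p in encrypted}
    # Original extension = extension left after stripping ".lockxx" (assumed append behaviour).
    original_ext = Counter(
        os.path.splitext(os.path.basename(p)[:-len(EXT)])[1].lower() or "<none>"
        for p in encrypted
    )
    return {
        "encrypted_count": len(encrypted),
        "original_extensions": dict(original_ext),
        "note_dirs": sorted(note_dirs),
        # Encrypted files but no note: the write-up says a note goes in every such
        # directory, so its absence hints the run was interrupted there.
        "missing_note": sorted(dirs_with_encrypted - note_dirs),
        "note_without_encrypted": sorted(note_dirs - dirs_with_encrypted),
        "info_logs": logs,
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking the artefacts (not real victim data)."""
    root = tempfile.mkdtemp(prefix="lockxx_demo_")
    layout = {
        "Documents": ["report.docx.lockxx", "budget.xlsx.lockxx", NOTE],
        "Pictures": ["holiday.jpg.lockxx"],  # note deliberately missing here
        "Clean": ["readme.txt"],
        "": [LOG],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub) if sub else root
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"demo")
    return root


def demo():
    """Build the sample tree and triage it."""
    return triage(build_sample_tree())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at a mounted image or a network share rather than the live host wherever possible; on the live host the scheduled reboot and the five-minute log wipe are still running, and a full walk of a large volume can take longer than that interval.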

The most visible sign of infection is the desktop wallpaper, which is changed to warn the user that their files have been encrypted.

Figure 8: Desktop wallpaper changed to show a warning that files have been encrypted

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lockxx.RSM (Trojan)


This threat is also detected by SonicWall Capture ATP with RTDMI and by the Capture Client endpoint solution.
