Lighter Ransomware Locks Users Out of System


Overview

This week, the SonicWall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens a window with a countdown timer instructing the victim to reach out immediately before the timer ends, or face greater consequences.

Infection Cycle

The malware arrives as a portable executable that, once executed, immediately displays this warning window.

Figure 1: Lighter ransomware window with countdown.

It lets the user know that they have been infected with ransomware and displays instructions on how to get their files back. Interestingly, this ransomware only asks for $100.

However, most common keyboard shortcuts are blocked, which renders the system unusable once this window is displayed.

Figure 2: Functionality showing keyboard shortcuts being blocked

Common system utilities such as Task Manager, cmd, msconfig, regedit and processxp are blocked.

Figure 3: Functionality that kills taskmgr

Files are simultaneously encrypted with AES, specifically through the .NET RijndaelManaged class, and the malware adds the .L0cked extension to all encrypted files.

Figure 4: AES encryption functionality using the RijndaelManaged class

Figure 5: Encrypted files with the .L0cked file extension
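
A triage sketch for responders, added here and not taken from the SonicWall analysis: it walks a directory tree, counts files carrying the .L0cked extension, and groups them by folder and original file type to show how far encryption got. It assumes the extension is appended to the full original file name; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

LOCKED_EXT = ".l0cked"  # ".L0cked" from the write-up, compared case-insensitively


def triage(root):
    """Summarise files under root that carry the .L0cked extension."""
    paths, by_dir, by_ext, mtimes = [], Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(LOCKED_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtimes.append(os.stat(path).st_mtime)
            except OSError:
                continue  # file vanished or is unreadable
            # Assumption: the extension is appended to the full original name.
            original = name[: -len(LOCKED_EXT)]
            by_ext[os.path.splitext(original)[1].lower() or "(none)"] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
            paths.append(path)
    return {
        "count": len(paths),
        "paths": sorted(paths),
        "by_dir": dict(by_dir),
        "by_original_ext": dict(by_ext),
        # Last-modified times only approximate when encryption ran.
        "window": (min(mtimes), max(mtimes)) if mtimes else None,
    }


def make_sample(root):
    """Build a constructed sample tree (empty files, invented names)."""
    for rel in ("docs/report.docx.L0cked", "docs/notes.txt",
                "pics/a.jpg.l0cked", "pics/b.JPG.L0cked"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        result = triage(tmp)
        start, end = (datetime.fromtimestamp(t, timezone.utc) for t in result["window"])
        print(result["count"], "locked files between", start, "and", end)
        print(result["by_dir"], result["by_original_ext"])
```

Run `triage()` against a mounted image or a user profile directory; folders with zero hits and the spread of original file types help scope what needs restoring from backup.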

This ransomware targets files with the following file extensions seen in the screenshot below:

Figure 6: File extensions targeted by this ransomware

Unless the user forces a reboot, they will be unable to do most common tasks while the warning window is displayed.

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lighter.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.
