Locker ransomware (or simply locker) is a type of ransomware that blocks access to a device or a particular application (such as a browser), and demands a ransom to restore it. Like other ransomware, lockers can be distributed under the ransomware-as-a-service model.
How lockers work: attack progression
Lockers can be distributed through mailing lists and ad networks (malvertising), as well as under the guise of useful apps (in the case of mobile lockers).
Once on the target device, the locker blocks access to some or all data and files, and displays a ransom note on the screen. Unlike cryptomalware, which tends not to hide the criminal intent behind it, lockers often disguise the ransom as a fine or other mandatory payment. For example, a popular technique among lockers is to scare the victim into thinking the device has been locked by law enforcement agencies in connection with alleged illegal activity, such as storing and distributing child pornography, viewing prohibited content, and the like.
For added psychological impact, the attackers can use other threats that aren’t necessarily real. For instance, they might claim that the user’s files are encrypted and will be deleted if the demand is not paid, or attach to the ransom note an image of the victim from their device’s webcam, as in the case of Reveton.
How lockers work: methods
- Simulate device locking; for example, by opening a browser window in full-screen mode, hiding the cursor or disabling hotkeys. Such lockers do not harm the victim’s device and are generally easy to remove.
- Actually lock the device; for example, by changing the password or PIN, or modifying critical system elements, such as the master boot record. Note that in some cases unlocking the device without losing data is either very difficult or impossible. For example, the LockerPin mobile locker changes the PIN of an infected smartphone to a randomly generated one that neither the user nor the attackers know.
Among the best-known lockers are WinLock, Reveton and LockerPin.