PINDROP BLOG

Inside the AlphaLocker Ransomware

The ransomware ecosystem has developed largely underground, and insights into the way that the malware is developed and controlled are rare. But researchers at Cylance recently got an inside look at the way that AlphaLocker ransomware goes about its business and found that the operation is surprisingly simple and yet still quite effective.

AlphaLocker is a relatively new piece of ransomware, having appeared just a couple of months ago, and it comes in at the low end of the price chart at $65. Many ransomware packages cost several times that amount, and AlphaLocker is also different in that buyers purchase it straight from the creator. But just because the ransomware is cheap doesn’t mean it’s low-end in terms of features and capabilities. Buyers get an administrative panel, as well as the executable of the ransomware and the decryption binary.

Attackers using AlphaLocker can deploy it however they choose; the infection mechanism is left up to them as well. AlphaLocker is based on an open-source project called Eda2, which was developed by a researcher last year. The project's source code was eventually taken offline, but parts of it have been reused in AlphaLocker. The Cylance researchers who analyzed AlphaLocker found some of the command-and-control nodes used by the ransomware.

“Sometimes we luck out and get to take careful advantage of silly oversights on the part of the ‘bad guys’. In this case, we were able to find more than one active C2, where the initial config files were still present – in this case, install.php,” Jim Walter of Cylance wrote in an analysis of the ransomware.

“All of AlphaLocker’s configuration and support files are unencrypted and in English, while the author(s) appear to be Russian (based on data contained in some of the panel files, as well as the particular forums in which the ransomware is advertised).”

The encryption routine for AlphaLocker is fairly typical: each file is encrypted with its own unique AES key. AlphaLocker has the ability to encrypt files even while an infected machine is turned off, and each buyer of the ransomware can choose which file types to encrypt. Buyers have access to an admin panel that provides statistics on infected machines, including each machine's country, time of infection, and other details.

“Files are individually encrypted with their own unique key (AES). AES keys are RSA-encrypted via a keypair stored in the local MySQL DB and posted to the C2,” Walter said.
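The key-management model in Walter's description, as an added example in Go that is not Cylance's code or the sample's own: a defender-side toy showing why a file's AES key cannot be recovered without the operator's RSA private key, and what a recovery tool needs if that key is later obtained (the RSA-wrapped key must be preserved beside each encrypted file). OAEP, AES-256-GCM, the nonce||ciphertext layout and the NewOperatorKey helper are assumptions; the page does not state the sample's padding or block modes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// NewOperatorKey stands in for the keypair the article says sits in the C2's MySQL DB.
func NewOperatorKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile: fresh AES key per file, RSA-wrapped; returns nonce||ciphertext and the wrapped key.
func SealFile(pub *rsa.PublicKey, plaintext []byte) (blob, wrappedKey []byte, err error) {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand is treated as infallible here (guaranteed since Go 1.24)
	gcm, _ := newGCM(key) // a 32-byte key is always valid for AES-256-GCM
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), wrappedKey, nil
}

// RecoverFile: only the holder of the RSA private key can unwrap the file key and decrypt.
func RecoverFile(priv *rsa.PrivateKey, blob, wrappedKey []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad file key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

A wrong private key fails at the OAEP unwrap, and a truncated or tampered blob fails at the GCM check, so a responder can tell which artifact is missing or damaged.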

The AlphaLocker ransomware is not well detected by antimalware products right now, Walter said.