Prison Locker Ransomware, an upcoming malware threat in 2014

Ransomware is one of the most blatant and obvious criminal's money making schemes out there. Ransomware malware was mostly known by the people when Cryptolocker comes into play. At the time when readers were getting aware of ransomware, Cryptolocker threat had touched the peak and other money motivated cyber criminals have started developing their own Cryptolocker versions. Two hackers with virtual name 'gyx' and 'Porphyry' (admin of maldev.net hacking forum) are advertizing a new ramsomware malware tool-kit called "Prison Locker" on various underground forums with tutorials. They have developed the Prison Locker a.k.a Power Locker ramsomware toolkit in C/C++ programming language, proving a GUI version with customizable features for customers.


The Ransomware is using BlowFish encryption to encrypt all available files on the victim's hard disk and shared drives except .exe, .dll, .sys, other system files. During encryption it will generate unique BlowFish key for each file and then encrypts the keys further with RSA-2048 encryption and will send victim's system information back to the command-and-control center of the attacker.

As the developer mention in a Pastebin post , the Command-and-control center allows an attacker to set the ramsomware warning time duration, ransom amount, payment mode and also allow decrypting the files on the victim system after payment received. The addition features added to Prison Locker: The malware is able to detect Virtual Machine, Sandbox mode, and debugging environments. It will also disable Windows key & Escape key to prevent unwanted user actions. Also can kill taskmgr.exe, regedit.exe, cmd.exe, explorer.exe, and msconfig.exe processes to prevent unwanted user actions. Malw arecan startup in both regular boot mode and safe boot under HKCU. A Malware Research Group is following the development of this new Malware threat and has published his investigation report on his blog i.e. MalwareMustDie. He has investigated the identity of the Ransomware developers at his own level, could be a free tip for Law Enforcement agencies too.

 Information obtained from screenshots provided by MalwareMustDie blog post: 
ICQ: 668841378 
Jabber ID: gyx@jodo.im, wenhsl@exploit.im
 Personal Blog: http://wenhsl.blogspot.in 
Gmail: wenhsl12@gmail.com 
TorChat: yratfipjnd5bcxai 
Twitter: @wenhsl



Interestingly, His Twitter Bio is, 'Security enthusiast. Novice infosec/malware researcher and cybercrime analyst. C/C++ and currently polishing up my MASM' and Country mentioned as U.S.  He has also mentioned in an advertising post, that tool-kit will be available soon for the sale on various hacking forums and markets at just $100. If you don’t take proper precautions, you may lose the information stored on your computer. The people who are calling themselves Cyber Security Researchers whose work is to protect others from such threats are now self participating in the Cyber Crimes just for the monetary purpose. As mentioned earlier that NSA is spying over Non-American people i.e. Foreigners. But now it’s the high time to think that what about the cyber criminals who are operating from the USA, could be the mastermind behind major Bitcoins thefts, banking Trojans, exploit kits, Cryptolocker .. Serious threats?