Ransomware Report


Title: Coinlocker ransomware
Registration date: 2023-11-28


[Virus/malware activity reported: Coinlocker ransomware]

An intrusion incident presumed to be caused by Coinlocker ransomware has occurred.
This report confirms the situation and provides the following warning.

Coinlocker ransomware

The ransomware in question is called Coinlocker. It appears to rename every file it attacks to <file name.extension.exe>.

How it works

file version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in Windows properties]

Ransomware operation characteristics

  • It is written in C# .NET and is a Chaos-type ransomware. When run, it moves to AppData\Roaming and re-executes from there. It then creates a startup program link and performs [Delete shadow copies / Disable Windows error notification / Disable Windows recovery / Delete backup catalog], etc. The extension of each attacked file is changed to exe (executable file), but checking the HEX values shows that the file contains encrypted data and does not execute.


    [Figure 3 Ransomware moved to the Roaming folder and link registered in the startup program folder]


    [Figure 4 Static code of the commands declared internally]


    [Figure 5 HEX value change before/after encryption]


    [Figure 6 Attack target location and static code]


    [Figure 7 Attack target extensions static code]

Infection results

The guidance file (ransom note) is <bitdecrypter.txt>, created in each path. When encryption is performed, files are renamed to <file name.extension.exe>, and the desktop is changed when encryption is complete.


[Figure 7 Infection results]
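The indicators described above (a <bitdecrypter.txt> guidance file in each path, and files renamed to <file name.extension.exe> whose content is encrypted data rather than an executable) can be checked during triage. The following is an added example, not code from this report or from White Defender. The function names and sample files are constructed for illustration, and it assumes a genuine executable starts with the `MZ` header bytes.

```python
import os
import tempfile

NOTE_NAME = "bitdecrypter.txt"   # guidance file name given in this report
PE_MAGIC = b"MZ"                 # first two bytes of a real Windows executable

def looks_encrypted(path):
    """True for <name>.<ext>.exe files whose content is not a PE image."""
    stem, ext = os.path.splitext(os.path.basename(path))
    if ext.lower() != ".exe" or "." not in stem.strip("."):
        return False             # not the appended-.exe naming pattern
    try:
        with open(path, "rb") as fh:
            return fh.read(2) != PE_MAGIC
    except OSError:
        return False             # unreadable: cannot decide, do not flag

def triage(root):
    """Walk root; return (sorted note directories, sorted suspect files)."""
    note_dirs, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                note_dirs.append(dirpath)
            elif looks_encrypted(full):
                suspects.append(full)
    return sorted(note_dirs), sorted(suspects)

def build_sample_tree(root):
    """Constructed sample data, not taken from a real infection."""
    samples = {
        "docs/report.docx.exe": b"\x8a\x11\x9c\x03 constructed ciphertext",
        "docs/bitdecrypter.txt": b"constructed note text",
        "tools/setup.v2.exe": b"MZ\x90\x00 constructed PE stub",
        "tools/putty.exe": b"MZ\x90\x00 constructed PE stub",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A legitimate installer such as `setup.v2.exe` also has a dot in its base name, which is why the header check is applied in addition to the naming pattern.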

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of the files that were about to be encrypted before the block.


[Figure 9 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.