fileslocker

[Content by Gemini 2.5]

FilesLocker Ransomware – Community Defense Guide

File-extension hallmark: .locked (variant A) and .[[email]].fileslocker (variant B)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension: .locked (first wave, Aug-2018) or .[[attacker_email]].fileslocker (second wave, Oct-2018 →)
  • Renaming convention:
    original_name.docx → original_name.docx.locked
    OR
    Budget.xls → Budget.xls.[[attacker_email]].fileslocker
    The address inside the brackets is usually a ProtonMail / Cock.li / Tutanota mailbox used for victim communication.
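An added triage helper (not part of the original sheet) that applies the two renaming patterns above to a directory listing: it recovers the original file name, pulls the contact mailbox out of variant B names and counts ransom notes. The listing and the mailbox are constructed samples.

```python
import re
from collections import Counter

# Constructed sample listing for a dry run; not taken from a real victim.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Budget.xls.[attacker@example.com].fileslocker",
    r"C:\Users\alice\Documents\report.docx.locked",
    r"C:\Users\alice\Documents\archive.tar.gz.locked",
    r"C:\Users\alice\Documents\# FILES LOCKER #.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Downloads\Invoice_2308.pdf.js",
]

# Variant A appends .locked; variant B appends .[mailbox].fileslocker.
VARIANT_A = re.compile(r"^(?P<orig>.+)\.locked$", re.IGNORECASE)
VARIANT_B = re.compile(
    r"^(?P<orig>.+)\.\[(?P<mail>[^\[\]\s@]+@[^\[\]\s@]+)\]\.fileslocker$", re.IGNORECASE)
RANSOM_NOTE = "# FILES LOCKER #.txt"

def classify(path):
    """Return (kind, original_name, mailbox) or None; kind is "A", "B" or "note"."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if name == RANSOM_NOTE:
        return ("note", None, None)
    m = VARIANT_B.match(name)          # B first: it is the more specific suffix
    if m:
        return ("B", m.group("orig"), m.group("mail").lower())
    m = VARIANT_A.match(name)
    if m:
        return ("A", m.group("orig"), None)
    return None

def triage(listing):
    """Summarise how many files were renamed, which variant(s) and which mailbox."""
    summary = {"encrypted": 0, "variants": Counter(), "mailboxes": set(), "notes": 0}
    for path in listing:
        hit = classify(path)
        if hit is None:
            continue
        kind, orig, mail = hit
        if kind == "note":
            summary["notes"] += 1
            continue
        summary["encrypted"] += 1
        summary["variants"][kind] += 1
        if mail:
            summary["mailboxes"].add(mail)
    return summary
```

A mixed-variant result (both A and B in one tree) or more than one mailbox usually means two campaigns or a copy-cat, which matters when matching the sample against ID-Ransomware.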

2. Detection & Outbreak Timeline

  • First public submissions: 12-Aug-2018 (MalwareHub, ID-Ransomware)
  • Major spreading spike: September 2018 (China & U.S. simultaneous campaigns)
  • Active through: Q4-2018 / Q1-2019; copy-cat spin-offs seen in 2020, but the original C2s were sinkholed.

3. Primary Attack Vectors

  • Phishing with .jar, .js or .exe inside double-extension “PDF invoice” attachments
    (e.g., “Invoice_2308.pdf.js”)
  • RDP brute-forcing – scans TCP/3389, keeps a small Chinese-language credential list (root:admin, admin:123456, …)
  • EternalBlue (MS17-010) – worm module used in Oct-2018 wave for LAN propagation only (not Internet-facing).
  • Exploitation of un-patched WebLogic, Drupal & Tongda OA flaws in China-centric intranets.
  • No software supply-chain compromise observed; strictly opportunistic.

Remediation & Recovery Strategies

1. Prevention

✅ Disable RDP or move to RDP-gateway + 2FA; restrict TCP/3389 at perimeter.
✅ Patch: MS17-010, Oracle WebLogic CVE-2017-10271, CVE-2018-2628, Drupalgeddon2.
✅ Remove Office-macro & script (js, vbs, wsf) execution via GPO.
✅ Use application whitelisting (Windows Defender Application Control / AppLocker).
✅ Segment LAN; block SMBv1 across VLANs (FilesLocker uses NetBIOS enumeration).
✅ Backup 3-2-1 rule: three copies, two media, one offline (FilesLocker deletes Volume Shadow Copies).
✅ Mail-filtering rules: quarantine double-extension attachments and JAR inside ZIP.

2. Removal (clean-up sequence)

  1. Physically isolate the box (unplug Ethernet / Wi-Fi).
  2. Collect a memory image for forensics if needed (FilesLocker keeps an AES-256 key in heap until reboot).
  3. Boot into Safe Mode with Networking or mount the disk on a clean Win-PE/Ubuntu USB.
  4. Remove persistence:
     • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\“FileLocker”
     • Scheduled task: “FileLocker AutoRun” referencing %AppData%\Roaming\FileLocker.exe
  5. Delete dropped binaries:
     %AppData%\Roaming\FileLocker.exe
     %ProgramData%\dllhost.exe
  6. Remove the self-delete batch usually sitting in %TEMP%\delme.bat.
  7. Update & run a reputable AV (Windows Defender, Kaspersky, ESET, Bitdefender) – all have static signatures (Ransom:Win32/FilesLocker.A!bit).
  8. Reboot normally → confirm no new .locked files appear when you create a test file.
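To make the persistence check in the clean-up sequence repeatable, here is an added audit script (not from the original sheet) that matches a host snapshot against the Run value, scheduled-task name and dropped-file paths listed above. The snapshot values, the `expand` helper and the function names are constructed for the dry run; `read_hkcu_run` is an optional live collector that only does anything on Windows.

```python
import re
import platform

# Persistence indicators named in the removal sequence above.
RUN_VALUE = "FileLocker"          # value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TASK_NAME = "FileLocker AutoRun"
DROPPED = [r"%AppData%\Roaming\FileLocker.exe", r"%ProgramData%\dllhost.exe", r"%TEMP%\delme.bat"]

def expand(path, env):
    """Expand %VAR% tokens from a caller-supplied env mapping whose keys are lower-case."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def audit(run_values, tasks, files_present, env):
    """Match a host snapshot against the indicators. run_values: {value_name: command};
    tasks: [(task_name, action)]; files_present: paths that exist on the host."""
    present = {p.lower() for p in files_present}
    findings = []
    for name, cmd in run_values.items():
        if name.lower() == RUN_VALUE.lower() or "filelocker.exe" in cmd.lower():
            findings.append(("run_key", name, cmd))
    for name, action in tasks:
        if name.lower() == TASK_NAME.lower() or "filelocker.exe" in action.lower():
            findings.append(("scheduled_task", name, action))
    for raw in DROPPED:
        full = expand(raw, env).lower()
        if full in present:
            findings.append(("dropped_file", raw, full))
    return findings

def read_hkcu_run():
    """Live collector for the HKCU Run key; Windows only, returns {} elsewhere."""
    if platform.system() != "Windows":
        return {}
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    out = {}
    for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
        name, value, _ = winreg.EnumValue(key, i)
        out[name] = str(value)
    return out

# Constructed snapshot for a dry run (not collected from a real host).
SAMPLE_ENV = {"appdata": r"C:\Users\alice\AppData", "programdata": r"C:\ProgramData",
              "temp": r"C:\Users\alice\AppData\Local\Temp"}
SAMPLE_RUN = {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
              "FileLocker": r"C:\Users\alice\AppData\Roaming\FileLocker.exe"}
SAMPLE_TASKS = [("FileLocker AutoRun", r"C:\Users\alice\AppData\Roaming\FileLocker.exe"),
                ("GoogleUpdateTaskMachineUA", r"C:\Program Files\Google\Update\GoogleUpdate.exe /ua")]
SAMPLE_FILES = [r"C:\Users\alice\AppData\Roaming\FileLocker.exe", r"C:\Users\alice\AppData\Local\Temp\delme.bat"]
```

On a live box, pair `read_hkcu_run()` with the output of `schtasks /query /fo csv /v` and a file listing; review every finding before deleting anything, since the memory image in step 2 must be taken first.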

3. File Decryption & Recovery

  • FilesLocker’s encryption:
    – AES-256-CBC per file (random IV); the per-file key is wrapped with the attacker’s 2048-bit RSA public key.
    – The private RSA key never left the C2; NO free universal decryptor exists.
  • Possibilities to get data back:
    1) Paying the threat actor (not recommended; it funds crime).
    2) Victims who grabbed RAM before reboot occasionally recovered the AES key with FilesLockerDump (custom Volatility plugin from 360-CERT). Works only if:
    – the machine is still in the same Windows session (no reboot)
    – the freed heap memory has not been overwritten
    – the malware process has not self-terminated
    3) Check id-ransomware.malwarehunterteam.com; paste the ransom note (# FILES LOCKER #.txt). If you see “FilesLocker v2.0 – decryptable”, someone leaked that campaign’s RSA private key and the site will give you a link to a decryptor.
    4) Restore from offline backup – the only reliable path for the majority.

Essential tools / patches

  • Microsoft update catalog KB4457144 (EternalBlue)
  • 360-CERT FilesLockerDump.py (Volatility)
  • ShadowCopyView (recover shadow copies if the attacker’s vssadmin delete shadows failed)
  • Emsisoft & Kaspersky have generic decryptors that cover some leaked RSA keys; test on a sample file first.

4. Other Critical Information

Unique characteristics:

  • Multi-language ransom notes: EN, CN, DE, RU dropped in the same folder; the system language decides which one becomes the desktop wallpaper.
  • Also targets non-Windows systems: a *.sh variant that encrypts Samba-shared folders from Linux servers (uses OpenSSL AES).
  • Hard-coded Chinese language resource strings indicate the developer’s origin; primarily marketed on Chinese underground “Dark-Gate” forum, but ransom messages demanding $300–$600 payable in BTC are English.
  • Telegram notification channel: victims are instructed to join a t.me/fileslocker “support” bot; the channel ID is embedded in the malware, which helps track campaigns.

Broader Impact

  • ≈ 4 000 reported submissions to ID-Ransomware within four months; hardest hit were municipalities in Guangdong and educational networks in California.
  • Demonstrated that low-skill actors can purchase kit (less than $100) and weaponise it with EternalBlue in under 24 h – accelerated shift to “Ransomware-as-a-Cheap-Service”.

Share this sheet, keep patches current, and test those offline backups – FilesLocker is old but still recycled in copy-cat attacks. Stay safe!