The threat can disable firewalls, swap mouse buttons, and kill browsers and system tools

Jul 11, 2013 14:05 GMT

Earlier this week, Webroot researchers reported coming across an ad for ransomware that locked computers and instructed victims to complete surveys in order to unlock them. Symantec has now spotted such a piece of ransomware in action.

It’s uncertain if the malware identified by Symantec, Trojan.Shadowlock, is the one advertised on underground forums, but the technical details provided by the security firm match the ones from the hacker site ad.

When it infects a device, Shadowlock displays a popup box in which victims have to enter an unlock code. The unlock code can be obtained after a “quick offer” is completed.

The popup window cannot be closed and, while it’s running, users can’t launch the task manager, command prompt, the registry editor or other applications. The threat remains active even if the user restores the operating system to a previous restore point.

If the wrong unlock code is entered three times, the computer is restarted. 20 seconds after the restart, the popup box appears again. During the 20-second timeframe, users can execute any applications to try and neutralize the Trojan.

It’s worth noting that Shadowlock has several functions that aren’t utilized, such as BotKill() and EraseStartup(). It’s also capable of killing popular web browsers, disabling the Windows firewall, ejecting the CD tray, swapping mouse buttons, and opening Windows applications.

“Interestingly enough, a vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak,” Symantec researchers noted.

“These functions (as well as others) may find themselves being used in a future variant,” they added.