Traditionally, ransomware extorts money from its victims by encrypting their files. Without the decryption key needed to unlock them, the files are unreadable. As a result, the user is forced to pay the ransom, restore from backups, or write off the lost data.
Locker ransomware, or ‘lockers’, is a type of ransomware that doesn’t use encryption. Instead, it prevents the user from using their device. The ransomware then displays a message to the user demanding a fee to restore access to the device.
Lockers use common malware infection methods to gain access to a user’s device. For example, they might be distributed via malicious advertising or as a trojan horse, tricking their way onto a user’s device.
Once on a device, the locker will lock down the computer, preventing the user from using the device.
This can be accomplished in a few different ways, including:
Typically, ransomware operators are transparent about the fact that they are cybercriminals demanding a ransom for their attacks. Lockers, on the other hand, may pretend to be law enforcement demanding a legitimate fine for illegal activity such as viewing prohibited content.
Locker ransomware’s primary purpose is to lock a user’s computer and solicit a ransom. The malware’s core capabilities are geared toward this purpose.
However, some locker ransomware may have additional capabilities designed to help sell the con to the victim. As mentioned above, some lockers will claim that users have viewed illegal content and that the ransom payment is a fine for that activity. In these scenarios, the malware might include the ability to capture images through the infected computer’s webcam, which can be used to “prove” that the malware observed the user performing the illegal action.
Locker ransomware is less common than crypto-ransomware, which encrypts files and demands a ransom payment for the associated decryption key. However, several locker ransomware variants exist, including WinLock, Reveton, and LockerPin.
Different locker ransomware variants use different techniques and target various devices. For example, some use the full-browser window approach to pretend to lock a device, while others are malicious mobile apps that change a user’s PIN. Additionally, locker ransomware may incorporate other functionality, such as taking users’ pictures to make their pretext more believable.
Locker ransomware differs from other ransomware in that it doesn’t try to encrypt the user’s files. Preventing it therefore requires a different approach than preventing other types of ransomware attacks.
Some best practices for managing the threat of lockers include:
Ransomware has emerged as one of the most significant threats to corporate cybersecurity and data security. These attacks come in various forms, including data encryption, data theft, device locking, and more. Locker ransomware has the potential to be one of the less dangerous ransomware variants — if it uses full-screen browser windows to “lock” devices — or it has the potential to cause complete data loss for its victims. To learn more about protecting against lockers and other forms of ransomware, check out the CISO’s Guide to Ransomware Prevention.
In addition to ransomware, companies face a range of other endpoint security risks. Check Point’s 2023 Cyber Security Report explores the main cybersecurity threats that companies face today.
Check Point’s Harmony Endpoint offers protection against all types of ransomware and other endpoint security threats. To learn more about the benefits that Harmony Endpoint can provide to your organization and its ransomware defense strategy, reach out and schedule a free demo today.