FilesLocker, a new ransomware threat has been discovered is currently being offered as ransomware-as-a-service (RaaS) via a TOR malware forum. FilesLocker ransomware is not a extremely sophisticated ransomware variant, but it still poses a major threat.

FilesLocker ransomware is a dual language ransomware variant that shows ransom notes in both Chinese and English. MalwareHunterTeam has found a Chinese forum on TOR where it is being offered to affiliates to distribute for a percentage of the ransom payments.

Unless advertised more widely, the number of affiliates that sign up may be restricted, although it may prove popular. There are a number of features which could see the ransomware variant favored over other RaaS offerings, notably a sliding scale on commissions. The developers are offering a 60% cut of ransoms, which will go up by 75% if sufficiently high numbers of infections can be generated.

While relatively straightforward, FilesLocker ransomware still uses an RSA 2048+AES algorithm to lock files and it erases Windows shadow copies to hamper efforts to recover files without paying the ransom. FilesLocker is also capable of file encryption in a broken network environment.

No server is needed and the ransomware is working on all Windows versions later than XP plus 32-bit and 64-bit Windows Server. Users are also able to easily keep an eye for infections through a tracking feature which displays infections by country.

There is no free decryptor for FilesLocker ransomware in existence. Recovery can only be completed by restoring files from backups.

While news of a new RaaS offering is never welcome, there has at least been some good news on the ransomware front this recently at least for some victims.

GandCrab ransomware is another RaaS offering that has been for sale since January 2018. It has been widely adopted, with many affiliates using it to distribute the ransomware over the past 10 months.

A GandCrab ransomware decryptor was designed by Bitdefender in February that was able to unlock files encrypted by version 1.0 and v1.1 of GandCrab ransomware. The decryptor was developed after private keys were released online. However, it didn’t take long for v2.0 to be released, for which no free decryptor is available. There have been a number of further updates to GandCrab ransomware over the past few months, with v5.0 of the ransomware variant released in late September.

This week, Bitdefender has revealed that after collaboration with the Romanian Police, Europol and other law enforcement bodies, a new decryption tool has been developed that permits GandCrab ransomware victims to decrypt files for free, provided they have been hacked with version 1, 4, or 5 of the ransomware.

The version can be deduced by the extension used on encrypted files. V1=GDCB; v2/3=CRAB; v4=KRAB; and v5 uses a completely random 10-character extension.

The free GandCrab ransomware decryptor has been placed to the NoMoreRansom Project website. Bitdefender is currently attempting to put in plsvr on a free decryptor for v2 and v3 of GandCrab ransomware.