
Remove GNL Locker Ransomware and Restore .locked AES-512 Files

A ransomware called GNL Locker (German-Netherlands Locker), which reportedly uses an AES-512 encryption algorithm not seen before in ransomware, has been spotted in the wild. The malware encrypts the user's files and appends a .locked extension to them. It has then been reported to drop several files containing its ransom note, which demands around 200 euros. Since GNL Locker may be spread via a Trojan.Downloader, experts advise users to be extremely careful about what they download to their hard drives and which URLs they click on. If you have been affected by this ransomware, it is strongly recommended to remove it immediately and to restore your files using alternative methods such as the ones posted after this article.

Threat Summary

Name: GNL Locker
Type: Ransomware
Short Description: The ransomware encrypts files and may use the AES-512 cipher. It asks a ransom of around 200 euros (0.6 BTC) for decryption.
Symptoms: Files are encrypted, receive the .locked file extension and can no longer be opened. The ransomware drops a "UNLOCK_FILES_INSTRUCTIONS" ransom note.
Distribution Method: Spam emails, email attachments, file-sharing networks.

GNL Locker – How Did I Get Infected

To infect user systems, this ransomware is reported by affected users to use a malicious .exe file, which is reportedly a Trojan.Downloader type of malware. This threat then downloads a malicious .bat file from one of the cyber-criminals' C&C (Command and Control) servers. So far, however, there is no information on how the malware is distributed: whether it uses attachments or malicious URLs, and how the spam that infects users with GNL Locker is sent out.

Researchers nevertheless believe that the malicious .exe may pose as an installer for a program posted on suspicious websites. It may also be distributed as an attachment to spam e-mails that imitate various legitimate services, for example:

  • FedEx.
  • eBay.
  • PayPal.
  • Government branches.
  • Banking executives.
  • Amazon.
  • Services or sites the user has an account with.

Users who have not yet been infected should avoid spam messages of this kind, or use e-mail software with spam-blocking features and an e-mail provider that performs anti-malware checks.

GNL Locker In Detail

Once GNL Locker has been downloaded onto the user's computer, the ransomware (also known as crypto-malware) begins to set up for file encryption. For starters, it may drop malicious modules in the following folders; those executables, temporary files or DLLs may have random names, for example:

(image: commonly used file names and folders)

After that, similar to TeslaCrypt ransomware, GNL Locker may modify registry entries on the infected computer so that it starts automatically whenever the infected system boots into Windows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

GNL Locker – The AES Encryption

After doing so, the ransomware may initiate the file encryption procedure. This may be done either with a combination of the AES and RSA ciphers or, as the ransomware writers claim in the ransom message, with the immensely strong AES-512 cipher. Until recently, experts considered AES-512 an algorithm that is simply too big and too slow, and in many cases unnecessary, since its key size is 512 bits; they found AES-256 and AES-192 keys to be sufficient. However, with recent developments in cryptography, AES-512 has become a more widely discussed subject in the field. As the researcher Adam Caudill believes, the older algorithms may be rendered obsolete soon if a method for breaking them has been discovered (if it hasn't been already).

So the bottom line is that GNL Locker may, in fact, be the first ransomware to use an immensely strong AES-512 key, which is quite interesting. But there is also the other possibility: it may merely claim to use it in order to scare users into paying the ransom. In fact, users who have paid the ransom have stated that they got their files back, which is quite suspicious, because developing ransomware that uses AES-512 and returns files 100% intact may be tricky. For it to work reliably, one must use officially proposed encryption process designs whose code and functionality have been tested.

GNL Locker – The Final Stage of Infecting Your PC

Once it has successfully infected your computer, GNL Locker Ransomware renames your encrypted files with the .locked file extension, just like Locky ransomware, and gives them random names, just like CryptoWall 4.0 Ransomware, for example:

→ 1298d12g!!.txt.locked

In addition, GNL drops the ransom note. It consists of two files:

  • UNLOCK_FILES_INSTRUCTIONS.html
  • UNLOCK_FILES_INSTRUCTIONS.txt
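The two file indicators above (the .locked extension and the ransom note pair) are enough for a first triage pass over a user profile. The following scanner is an added example written for this article, not code from the original page or from any analysis of the malware; the sample directory tree it builds is constructed for demonstration.

```python
"""Triage scanner for the GNL Locker file indicators described in the article.

Added example, not from the original page. It looks for files renamed with a
".locked" extension and for the ransom note pair UNLOCK_FILES_INSTRUCTIONS.html
/ .txt; the sample tree and the report layout are constructed here.
"""
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTES = {"UNLOCK_FILES_INSTRUCTIONS.html", "UNLOCK_FILES_INSTRUCTIONS.txt"}
# The original name stays visible in front of the appended extension,
# e.g. "budget.xlsx.locked", so it can be recovered for reporting.
LOCKED_RE = re.compile(r"^(?P<orig>.+)\.locked$", re.IGNORECASE)


def scan_tree(root):
    """Walk root; return locked files, ransom note paths and a per-directory
    count of locked files so an analyst can see how far encryption reached."""
    locked, notes, per_dir = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.append(full)
            elif LOCKED_RE.match(name):
                locked.append(full)
                per_dir[dirpath] += 1
    return {"locked": sorted(locked), "notes": sorted(notes), "per_dir": dict(per_dir)}


def original_extension(locked_name):
    """Recover the pre-encryption extension from '<name>.<ext>.locked', else None."""
    m = LOCKED_RE.match(os.path.basename(locked_name))
    if not m:
        return None
    _stem, dot, ext = m.group("orig").rpartition(".")
    return ext.lower() if dot else None


def build_sample_tree():
    """Constructed sample: a temporary tree resembling an infected user profile."""
    root = tempfile.mkdtemp(prefix="gnl_sample_")
    for sub in ("Documents", "Pictures"):
        os.makedirs(os.path.join(root, sub))
    for rel in ["Documents/budget.xlsx.locked", "Documents/1298d12g!!.txt.locked",
                "Documents/UNLOCK_FILES_INSTRUCTIONS.html",
                "Documents/UNLOCK_FILES_INSTRUCTIONS.txt",
                "Pictures/holiday.jpg.locked", "Pictures/readme.txt"]:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed placeholder content\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(f"{len(report['locked'])} locked files, {len(report['notes'])} ransom notes")
```

Run it against a real profile by replacing build_sample_tree() with the path to scan; the per_dir counts show which folders the encryption pass touched.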

The .txt file instructs the user to open the HTML ransom document, for example:

→ Open UNLOCK_FILES_INSTRUCTIONS.html with your internet browser to see the instructions.

The HTML document itself has the ransom note that demands money to unlock the files:

→ “Your files are locked / encrypted
You can unlock your files by paying requested amount{amount usually around 200 Euros}
All your important files are encrypted using an unique 32 characters AES-512 ({for some variants 256}) password. (it will take a computer over a billion years to crack this password.
Lucky for you it is possible to get all your files back!
In order to unlock your files you will have to purchase the private password for this computer For more information navigate to your personal unlocking page below.
Warning! You must pay the specified amount before {Deadline date} or the amount you have to pay will TRIPLE!
Important information
Your UID: {unique identification number}
Use one of the links below to pay and receive instructions for unlocking your files.
{three tor web links}
If none of the above websites work follow the steps below.
1.Download the Tor Browser Bundle
2.Start the Tor Browser Bundle
3.Enter {tor web link} in the website address bar of the Tor Browser Bundle.”

The malware is also difficult to track, because it may use different encryption strengths, such as AES-256 on some computers and AES-512 on others, as infected users on the BleepingComputer forums have reported.

GNL Locker – Conclusion, Removal, and File Restoration Alternatives

The bottom line is that this appears to be a sophisticated ransomware, and it is most likely part of a RaaS ("ransomware as a service") scheme, because different variants of it exist, demanding different payments and claiming to use different ciphers. This suggests that GNL Locker may have been sold on deep web black markets.

The best way to get rid of this ransomware is to isolate it in Safe Mode. This is why we have provided the instructions below, which you are free to follow and which may help you get rid of this threat permanently.

If you want to decrypt your files, however, we have to note that no direct decryptor has been released so far. This is due to the uniqueness of the keys being used. The only realistic options for getting your files back are (i) to wait for researchers to discover a flaw in the code of the virus itself (we will post an update here) or (ii) to try the alternative methods for file restoration ("Restore files encrypted by GNL Locker" below), which may restore at least a portion of your files. They include using Shadow Copies, in case you have a backup set up on your Windows device, using file restoration software, and the technical option of sniffing out information about the encryption.

Manually delete GNL Locker from your computer

Note! Important information about the GNL Locker threat: manual removal of GNL Locker requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove GNL Locker files and objects
2. Find malicious files created by GNL Locker on your PC
3. Fix registry entries created by GNL Locker on your PC

Automatically remove GNL Locker by downloading an advanced anti-malware program

1. Remove GNL Locker with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by GNL Locker in the future
3. Restore files encrypted by GNL Locker
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
