Christmas 2016 marked the release of a new screenlocker infection that has locked the screens of numerous computers worldwide. The virus aims to deny access to the computer it infects by heavily modifying the Windows Registry. If you have become a victim of DeriaLock, we advise you to read the following article to become familiar with the DeriaLock ransomware and learn how to remove it and regain access to your computer.
| Threat Summary | DeriaLock |
|---|---|
| Short Description | DeriaLock aims to lock you out of your files, but the virus does not encrypt them. |
| Symptoms | Locked screen; a pop-up message is displayed when you try to exit it with Alt+F4. |
How Does DeriaLock ScreenLocker Infect
At this point, the exact infection vector used by DeriaLock is not known. However, the ransomware may use a combination of several different tools and tactics to spread itself onto victims’ hard drives:
- Malware Obfuscators for antivirus and real-time shield evasion.
- Spam bots to spread malicious files on e-mails as well as social media and other websites.
- Exploit kit to connect to the C2 servers of the cyber-crooks and download the payload of DeriaLock ransomware.
- Malicious macros embedded in Microsoft Office or Adobe documents that cause an infection once the user clicks “Enable Content”.
- Trojans or other malware that may download the payload of DeriaLock.
Once the user has either opened a malicious attachment or clicked a malicious URL, the infection is triggered and the following file has been reported to be dropped on the victim’s machine:
- SystemLock.exe in the %Startup% folder.
DeriaLock ScreenLocker – Further Analysis
After it has been launched on your computer, the DeriaLock virus obtains information from the infected machine, such as its name and other details. This information allows the malware to generate a custom MD5 hash that uniquely identifies the victim and assists the execution of the screenlocker.
Furthermore, the malware connects to the command and control server (C&C) to download the latest version of itself which is located in the %Startup% directory, as mentioned above.
Once the malicious executable has run, the DeriaLock threat is programmed to modify the computer so that it locks the user out, displaying the ransom note shown below:
The screenlocker is not just an image, however; it is custom software with buttons that switch the ransom note to other languages, such as German and Spanish.
In addition, DeriaLock has some defensive features up its sleeve. BleepingComputer researchers have reported that the malware terminates several critical Windows processes to stop you from exiting the lockscreen by launching tools such as Task Manager, Skype, Steam and others. Here are the processes DeriaLock terminates if it detects them running:
→ taskmgr procexp procexp64 procexp32 skype chrome steam MicrosoftEdge regedit msconfig utilman cmd explorer certmgr control cscript
When the user attempts to switch windows, open Task Manager or perform any other action that might exit the lockscreen, the following message is displayed:
→ “Nice try mate =)
I think that is a bad decision”
Fortunately for Windows XP users and those without .NET Framework 4.5, the virus requires .NET Framework 4.5 to run and will not execute on Windows versions earlier than 7.
Remove DeriaLock ScreenLocker and Restore Access to Your PC
If you have become a victim of this screenlocker type of ransomware, experts advise removing it immediately and restoring access to your files. Since this is malware and its safe removal is important, you may want to use an advanced anti-malware tool for the removal after booting your computer into Safe Mode, as described in the instructions below.
After DeriaLock has been removed, we advise you to immediately perform an online backup and secure your files using multiple methods to protect them from further ransomware infections.
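The following PowerShell triage script is an added example, not part of the original article or of any vendor tool. It checks the reported indicator (SystemLock.exe in the Startup folder) and additionally flags any running process whose image lives in a Startup folder, which the article's description of the locker re-downloading itself into %Startup% makes suspicious; the output CSV path is an assumption of this example.

```powershell
# Added example: read-only triage for the DeriaLock indicators described above.
# Run from an elevated prompt in Safe Mode, since the active locker kills cmd,
# explorer and other consoles (see the process list earlier in the article).
$indicator = 'SystemLock.exe'   # file name reported dropped by DeriaLock

# %Startup% resolves to the per-user folder; the all-users folder is checked too.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# 1. Look for the reported file name and record details before removal.
$fileHits = foreach ($dir in $startupDirs) {
    $path = Join-Path $dir $indicator
    if (Test-Path -LiteralPath $path) {
        $file = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Kind    = 'StartupFile'
            Path    = $file.FullName
            SizeKB  = [math]::Round($file.Length / 1KB, 1)
            Created = $file.CreationTime
            SHA256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# 2. Generalisation: any running process executing from a Startup folder is
#    unusual on a normal system and worth a look, whatever its file name.
$procHits = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Where-Object {
        $p = $_.Path
        $startupDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Kind    = 'StartupProcess'
            Path    = $_.Path
            SizeKB  = $null
            Created = $_.StartTime
            SHA256  = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
        }
    }

$hits = @($fileHits) + @($procHits)
if (-not $hits) {
    Write-Host "No DeriaLock indicators found in Startup folders."
} else {
    $hits | Format-Table -AutoSize
    # Assumed output location; keep the hashes so the sample can be matched later.
    $hits | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\derialock-triage.csv"
}
```

The script only reports and records; removal itself should still be done with the anti-malware tool from Safe Mode as described above, and the saved hashes let you confirm afterwards that the same file does not reappear.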