LOCKER Malware: Locker mainly spreads by drive-by downloads from compromised websites, disguised itself as MP3 files and use system software vulnerabilities to infect the end user.
Once it has infected a system, malware first checks the infected machine has an internet connection or not. Then it deletes any original files from the victim’s computer after using AES-CTR for encrypting the files on infected devices and add “. perfect” extension to them.
Locker’s encryption is based on an open source tool called ‘TurboPower LockBox’ library. After encrypting all files, the malware place a “CONTACT.TXT” file in each directory, which provides contact details of the author to buy the decryption key and once the ransom is paid, each victim gets a key to unscramble files.