Threat intelligence

WormLocker Ransomware Resurfaces: Infection Cycle, Encryption Tactics, and Prevention

by Security News

WormLocker was first spotted in late 2020. Since its discovery, it has been observed spreading through phishing emails and by exploiting vulnerabilities. The SonicWall Capture Labs threat research team has received what appears to be a more recent sample of this ransomware. Given how quickly ransomware families come and go, this may indicate that WormLocker is resurfacing.

Infection Cycle

This ransomware arrives as a .NET executable. Upon execution, it takes ownership of the system directory, grants permissions on it to its user and then disables the Task Manager.

Figure 1: Using cmd.exe to take ownership of the system directory

It then proceeds to disable the Windows Recovery Environment and delete all shadow copies.

Figure 2: Using cmd.exe to disable Windows Recovery and delete all shadow copies

It creates the following additional components in the system:

  • LogonUIinf.exe
  • Ransom_voice.vbs
  • WormLocker2.0.exe

Figure 3: Function showing malware creating additional component files

It then executes WormLocker2.0.exe, which begins encrypting all executable files in the %userprofile% directories.
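The pre-encryption chain above (take ownership of the system directory, grant permissions, disable Task Manager, disable Windows Recovery, delete shadow copies, launch the dropped components) is a good detection anchor in endpoint process-creation telemetry. The following Python is an added example, not SonicWall's or the malware author's code: it runs a set of command-line rules over constructed Sysmon-style events and reports a hit only when several distinct techniques fire under the same parent process within a short window. The exact command syntax WormLocker uses is shown only in the figures, so the patterns here are assumptions based on the standard Windows tools (takeown, icacls, reg, bcdedit, vssadmin, wmic); the event format, timestamps and parent PIDs are constructed.

```python
"""Detect the WormLocker-style tampering chain in process-creation events.

Added example, not SonicWall's or the malware's code. The command lines and
PIDs below are constructed; the regexes assume the standard Windows tools
and are not transcribed from the page's figures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (technique tag, regex applied to the full command line).
RULES = [
    ("take_ownership_system_dir",
     re.compile(r"takeown(\.exe)?\s+.*?/f\s+\S*\\windows", re.I)),
    ("grant_permissions",
     re.compile(r"icacls(\.exe)?\s+.*?/grant", re.I)),
    ("disable_task_manager",
     re.compile(r"reg(\.exe)?\s+add\s+.*DisableTaskMgr.*?/d\s+1", re.I)),
    ("disable_windows_recovery",
     re.compile(r"bcdedit(\.exe)?\s+.*?recoveryenabled\s+no", re.I)),
    ("delete_shadow_copies",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("dropped_component_executed",
     re.compile(r"(WormLocker2\.0\.exe|LogonUIinf\.exe|Ransom_voice\.vbs)", re.I)),
]

# A ransomware run fires several of these inside one parent within seconds.
# Requiring a chain keeps a lone admin command (e.g. backup rotation that
# deletes old shadow copies) from paging anyone.
CHAIN_MIN_TECHNIQUES = 3
CHAIN_WINDOW = timedelta(minutes=5)


def classify(command_line):
    """Return the set of technique tags a single command line matches."""
    return {tag for tag, rx in RULES if rx.search(command_line)}


def find_chains(events):
    """Group matching events by parent PID; report parents whose children
    cover >= CHAIN_MIN_TECHNIQUES distinct techniques within CHAIN_WINDOW
    of the first match. events: dicts with 'time', 'parent_pid', 'command_line'."""
    by_parent = defaultdict(list)
    for ev in events:
        tags = classify(ev["command_line"])
        if tags:
            by_parent[ev["parent_pid"]].append((ev["time"], tags))
    hits = {}
    for pid, tagged in by_parent.items():
        tagged.sort(key=lambda t: t[0])
        first = tagged[0][0]
        seen = set()
        for when, tags in tagged:
            if when - first <= CHAIN_WINDOW:
                seen |= tags
        if len(seen) >= CHAIN_MIN_TECHNIQUES:
            hits[pid] = seen
    return hits


# Constructed sample telemetry, not a real capture.
T0 = datetime(2025, 3, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "parent_pid": 4120,
     "command_line": r"cmd.exe /c takeown /f C:\Windows\System32 /r /d y"},
    {"time": T0 + timedelta(seconds=1), "parent_pid": 4120,
     "command_line": r"cmd.exe /c icacls C:\Windows\System32 /grant victim:F /t"},
    {"time": T0 + timedelta(seconds=2), "parent_pid": 4120,
     "command_line": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"time": T0 + timedelta(seconds=3), "parent_pid": 4120,
     "command_line": r"cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"time": T0 + timedelta(seconds=4), "parent_pid": 4120,
     "command_line": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"time": T0 + timedelta(seconds=6), "parent_pid": 4120,
     "command_line": r"C:\Users\victim\AppData\Local\Temp\WormLocker2.0.exe"},
    # Lone backup-rotation command from an admin script: one rule, no chain.
    {"time": T0 + timedelta(hours=2), "parent_pid": 900,
     "command_line": r"cmd.exe /c vssadmin delete shadows /for=D: /oldest"},
]

if __name__ == "__main__":
    for pid, techniques in find_chains(SAMPLE_EVENTS).items():
        print(f"parent PID {pid}: {sorted(techniques)}")
```

In production the same rules would be fed from Sysmon Event ID 1 or EDR process-start events, and the parent grouping should be keyed on parent process GUID rather than bare PID, which is reused.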

It appends ".encrypted" to all encrypted files.

Figure 4: Example of encrypted files with the ".encrypted" suffix
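The fixed ".encrypted" suffix and the fixed component file names make post-incident triage straightforward. The following Python is an added example, not SonicWall's code: it builds a throwaway directory tree that mimics a hit %userprofile% (a constructed sample, not a real infection), then walks it to count affected files, recover each file's original extension from the suffix scheme, cross-check the claim that only executables are targeted, and flag the dropped components. The file names in the sample tree other than the three components are assumptions.

```python
"""Triage a profile directory for WormLocker-style encryption artifacts.

Added example, not SonicWall's code. The sample tree is constructed.
"""
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".encrypted"
# Component names from the write-up; compared case-insensitively (NTFS semantics).
DROPPED_COMPONENTS = {"logonuiinf.exe", "ransom_voice.vbs", "wormlocker2.0.exe"}
# Assumed definition of "executable" for the scope check.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".msi"}


def triage(root):
    """Walk root and summarize encrypted files and dropped components."""
    encrypted = []   # (path, original extension)
    components = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in DROPPED_COMPONENTS:
            components.append(str(path))
        elif name.endswith(SUFFIX):
            original = path.name[:-len(SUFFIX)]          # strip the appended suffix
            encrypted.append((str(path), Path(original).suffix.lower()))
    return {
        "encrypted_count": len(encrypted),
        "by_original_ext": dict(Counter(ext for _, ext in encrypted)),
        # Anything here means the sample encrypts more than executables.
        "non_executable_hits": [p for p, ext in encrypted if ext not in EXECUTABLE_EXTS],
        "dropped_components": sorted(components),
    }


def build_sample_tree(root):
    """Create a constructed profile tree resembling a hit %userprofile%."""
    files = [
        "Desktop/putty.exe.encrypted",
        "Downloads/setup.msi.encrypted",
        "Documents/notes.txt",                  # untouched: not an executable
        "AppData/Local/Temp/WormLocker2.0.exe",
        "AppData/Local/Temp/Ransom_voice.vbs",
        "AppData/Local/Temp/LogonUIinf.exe",
    ]
    for rel in files:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\x00" * 16)
    return root


def run_sample():
    """Build the constructed tree in a temp dir and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp(prefix="wormlocker_triage_")))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Point the same `triage()` at a mounted forensic image of a real profile; a non-empty `non_executable_hits` list would mean the scope of this sample differs from what was observed here.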

After encrypting all target files, it displays a ransom message with instructions on how to pay for decryption.

Figure 5: WormLocker ransom message

This version of WormLocker carries a 2025 timestamp on the ransom image, whereas the version seen in 2020 carried a 2020 timestamp.

Figure 6: Old WormLocker ransom message from 2020

At the same time, the ransom_voice.vbs file executes and plays a voice recording of the same message.

Figure 7: Code contents of ransom_voice.vbs

If the user attempts to restart the system, LogonUIinf.exe displays the following ransom note upon reboot.

Figure 8: LogonUIinf.exe with another ransom note

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV Wormlocker.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.


An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
