The SLocker family is one of the oldest Android lock-screen and file-encrypting ransomware families, and it used to impersonate law enforcement agencies to persuade victims to pay the ransom.
SLocker ransomware was first detected in 2015 and is the first ransomware to encrypt Android files. It disguises itself as game guides, video players, and so on to lure victims into installing it. When first installed, its icon looks like that of a normal game guide or cheating tool. Once the ransomware runs, the application changes its icon and name, along with the wallpaper of the infected device.
According to TrendMicro:
“When the ransomware is installed, it will check whether it has been run before. If it is not, it will generate a random number and store it in SharedPreferences, which is where persistent application data is saved. Then it will locate the device’s external storage directory and start a new thread.”
“We see that the ransomware avoids encrypting system files, focuses on downloaded files and pictures, and will only encrypt files that have suffixes (text files, pictures, videos). When a file that meets all the requirements is found, the thread will use ExecutorService (a way for Java to run asynchronous tasks) to run a new task.”
The ransomware source code has been leaked on GitHub by an unknown user called “fs0c1ety”. The hacker is asking everyone to contribute to the source code and submit bug reports.