ZeuS 2.x comes with Ransomware Feature

The recent popularity of ransomware has resulted in an unexpected malware combination. F-Secure researchers have recently spotted a new Zeus 2.x variant that includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky since the trojan prevents doing anything with the infected system, luckily the locking itself can be easily disabled first.

After disassembling the malware, researcher found that the unlock information is stored to the registry. So it is possible to unlock without paying the ransom.

part of Disassembled code

 Unlocking can be performed quite easily with a registry editor:

1. boot the system in safe mode
2. add a new key named syscheck under HKEY_CURRENT_USER
3. create a new DWORD value under the syscheck key
4. set the name of the new DWORD value to Checked
5. set the data for the Checked value to 1
6. reboot