
Trident File Locker

Posted: March 23, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 73
First Seen: March 27, 2017
Last Seen: August 5, 2022
OS(es) Affected: Windows

The Trident File Locker is a file-encrypting Trojan that can block your files and modify their names or extensions. Most con artists use threats of this category to deliver ransom demands, requiring payment before they'll help decode your data, although relying on such a solution is inherently high-risk. Proven, mainstream defenses include backing up your hard drive regularly and letting anti-malware products analyze all infection vectors and remove the Trident File Locker before any attacks.

The Newest Weapon in Any Lawbreaker's Arsenal

A threat actor calling himself 'madD3SIR3' has created a new builder for a prospective family of file-encoding threats. For the time being, malware analysts are referring to the Trojan 'output' of this application as the Trident File Locker. Although its configurable features are limited, the Trident File Locker includes both encryption and extortionist note-dropping services. Con artists can use these attacks to lock various types of data on an infected PC and then extract payments for the decryptor.

The author madD3SIR3 is using GitHub hosting for his project, which may be rented out to third parties or even given away for free. The means of proliferation is left up to the third party, with typical installation techniques including spam e-mails, brute-force RDP attacks, and EKs like the RIG Exploit Kit abusing Web-browsing vulnerabilities. The Trident File Locker's post-installation payload includes a feature for encrypting local files with a cipher that malware experts are still identifying. This attack can block the user from opening documents, pictures, and other content. Other functions in its latest samples include:

  • The Trident File Locker can encrypt an indeterminate number of extensions that are fully configurable by the threat actor operating its builder software. For example, one campaign could target only TXT or DOC files, while another could target hundreds of other formats. In a notable contrast with most similar threats that malware experts examine, it offers no option for excluding files in particular locations, such as the Windows directory that other lockers often skip.
  • The Trident File Locker also creates a text file with a name chosen by the author (the builder provides 'Read_this_Allahuakbar' as a default), with contents typed into a small window in the builder. Most threat actors use such features to deliver ransom messages selling their decryption solutions, either the actual decryptor or merely the code to use it.
  • Finally, the Trident File Locker also lets the threat actor set its decryption password, which appears to be a fixed value rather than one generated dynamically. However, different releases of the Trident File Locker may use different passwords.
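As an added defender-side illustration (not code from this write-up or from the builder's author), the triage script below walks a directory tree and maps where notes carrying the default name landed, flagging any that sit under system paths that most lockers exclude but this one does not. The system-path markers and the sample tree it builds are constructed assumptions for the demonstration:

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Default ransom-note name the builder offers (from the write-up); operators can change it.
DEFAULT_NOTE_STEM = "read_this_allahuakbar"
# Assumption: path fragments most lockers exclude but Trident does not; hits here are a strong tell.
SYSTEM_DIR_MARKERS = ("windows", "program files", "programdata")

@dataclass
class TriageResult:
    notes: list = field(default_factory=list)            # ransom-note paths found
    hit_dirs: set = field(default_factory=set)           # directories holding a note
    system_dir_hits: list = field(default_factory=list)  # notes dropped under system paths
    files_at_risk: int = 0                               # other files sharing a hit directory

def triage_tree(root: str, note_stem: str = DEFAULT_NOTE_STEM) -> TriageResult:
    """Match on the stem only: the builder may or may not append an extension to the note name."""
    result, root_path = TriageResult(), Path(root)
    for dirpath, _subdirs, filenames in os.walk(root_path):
        dir_path = Path(dirpath)
        notes = [f for f in filenames if Path(f).stem.lower() == note_stem]
        if not notes:
            continue
        result.hit_dirs.add(dir_path)
        for name in notes:
            note_path = dir_path / name
            result.notes.append(note_path)
            rel = note_path.relative_to(root_path).as_posix().lower()
            if any(marker in rel for marker in SYSTEM_DIR_MARKERS):
                result.system_dir_hits.append(note_path)
        result.files_at_risk += len(filenames) - len(notes)
    return result

def build_sample_tree() -> str:
    """Constructed sample: a hit user profile, a note inside the Windows directory, one clean dir."""
    base = Path(tempfile.mkdtemp(prefix="trident_sample_"))
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "Read_this_Allahuakbar.txt").write_text("constructed note body")
    (docs / "report.doc").write_bytes(b"constructed ciphertext")
    win_tmp = base / "Windows" / "Temp"
    win_tmp.mkdir(parents=True)
    (win_tmp / "READ_THIS_ALLAHUAKBAR").write_text("constructed note body")
    (base / "clean").mkdir()
    (base / "clean" / "untouched.txt").write_text("not a note")
    return str(base)
```

Run `triage_tree(build_sample_tree())` to see the two notes, one of them under the Windows path, and the single non-note file sharing a hit directory.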

Dulling the Tips of a Weapon Aimed at Your Files

Since its installation methods are left entirely up to the individuals deploying it, malware researchers can't confirm any specific infection vector. They also have yet to see any current attacks using this threat, whose development may be incomplete. Future attacks may use disguises such as targeted e-mail messages or fake extensions and icons that mislead you about a file's format. A threat actor also could install the Trident File Locker automatically after gaining access to your PC, whether by brute-forcing a weak login combination or through your visiting a compromised website that's hosting drive-by-download scripts.

Possessing a backup besides the standard Shadow Volume Copy (SVC) data stored in Windows (which file-encoding Trojans often delete) is a habit malware experts encourage for restricting how much harm encryption can do to your computer. Since its attacks show little to no discrimination regarding which locations they damage, the Trident File Locker's relative simplicity and sparse builder options may make it even more threatening than sophisticated Trojans like the Crysis Ransomware.

Always update your anti-malware products to heighten their chances of deleting the Trident File Locker and other new threats that may be evading older threat definitions. Although the Trident File Locker is a family of Trojans of very recent origin, diligent security standards can help cut off its branches before they can become headlines about undeserved profit margins.
