How to Use Emsisoft Decrypter for OzozaLocker


OzozaLocker Ransomware is a malicious data-encrypting virus that infiltrates Windows computers, renames compromised files, and demands a ransom payment to unlock them. Security firm Emsisoft successfully bypassed this malware by discovering a vulnerability in its encryption implementation, leading to the release of a free OzozaLocker decryption tool created by security researcher Fabian Wosar.

Key Characteristics of OzozaLocker

File Renaming: The ransomware appends the extension .locked to every file it encrypts (e.g., document.docx becomes document.docx.locked).

Ransom Note: It drops a text file on the victim’s desktop named HOW TO DECRYPT YOU FILES.txt.

The Demand: The attackers demand a payment of 1 Bitcoin (valued at roughly $740 at the time of its initial wave) to restore the files.

Contact Info: Double-clicking any encrypted file opens a pop-up window instructing the victim to contact [email protected].

How the Emsisoft Decrypter Works

The Emsisoft OzozaLocker Decrypter allows victims to fully recover their data for free, completely neutralizing the attackers’ leverage.

The File-Pair Requirement: To reconstruct the correct encryption keys, the tool relies on a cryptographic comparison. You must provide one encrypted file and its original, unencrypted version.

Minimum File Size: The sample file used for the decryption comparison must be at least 510 bytes in size.

Execution: To run the tool, you simply select both the encrypted and unencrypted file versions simultaneously, then drag and drop them onto the decrypter executable file.

Important Safety Steps for Victims

If your system has been targeted by this ransomware, follow these remediation procedures before attempting decryption:

Isolate and Clean: Quarantine or completely remove the malware from your system using a reputable antivirus solution like the Emsisoft Emergency Kit to prevent files from being repeatedly re-encrypted.

Secure Remote Access: If the attackers compromised your system via Windows Remote Desktop (RDP), immediately change all user passwords and check for newly created, unauthorized local user accounts.

Preserve Filenames: Do not alter the original filenames of your encrypted files, as the decrypter relies on specific filename structures to properly parse and extract data.

Keep File Backups: By default, the Emsisoft decrypter does not delete the original .locked files after processing, acting as a safeguard in case any file data is corrupted during the recovery process. Keep these backups until you confirm all data is intact.
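
The file-pair requirement, the 510-byte minimum, and the .locked naming described above can be checked before running the decrypter. The following script is an added example, not part of the original article or of Emsisoft's tool; the function names and the directory layout (a backup tree mirroring the affected tree) are assumptions, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

LOCKED_EXT = ".locked"  # extension the article says is appended
MIN_SIZE = 510          # minimum sample size the article states


def head(path, n=MIN_SIZE):
    with path.open("rb") as fh:
        return fh.read(n)


def find_file_pairs(encrypted_root, reference_root):
    """Return (encrypted, original) pairs meeting the article's requirements."""
    # Assumption: reference_root holds clean copies in the same relative layout.
    encrypted_root, reference_root = Path(encrypted_root), Path(reference_root)
    pairs = []
    for locked in sorted(encrypted_root.rglob("?*" + LOCKED_EXT)):
        rel = locked.relative_to(encrypted_root)
        # document.docx.locked -> document.docx in the same relative folder
        original = reference_root / rel.with_name(rel.name[:-len(LOCKED_EXT)])
        if not (locked.is_file() and original.is_file()):
            continue  # no clean copy under the same name
        if min(locked.stat().st_size, original.stat().st_size) < MIN_SIZE:
            continue  # too small to serve as the comparison sample
        if head(locked) == head(original):
            continue  # contents match, so this copy was never encrypted
        pairs.append((locked, original))
    return pairs


def build_demo(base):
    """Constructed sample tree; the bytes are filler, not ransomware output."""
    enc, ref = Path(base, "affected"), Path(base, "backup")
    (enc / "docs").mkdir(parents=True)
    (ref / "docs").mkdir(parents=True)
    (ref / "docs" / "report.docx").write_bytes(b"A" * 2048)
    (enc / "docs" / "report.docx.locked").write_bytes(bytes(range(256)) * 8)
    (ref / "note.txt").write_bytes(b"B" * 100)  # under 510 bytes
    (enc / "note.txt.locked").write_bytes(b"\x00" * 100)
    (enc / "orphan.pdf.locked").write_bytes(b"\x01" * 4096)  # no clean copy
    return enc, ref


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for locked, original in find_file_pairs(*build_demo(tmp)):
            print(locked, "<->", original)
```

The script only reads files and never renames or modifies them, which keeps the encrypted filenames intact for the decrypter.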
