StalinLocker Ransomware Deletes Files if Correct Code Is Not Entered

StalinLocker Ransomware Threatens Users’ Files Without Correct Code

Security researchers from MalwareHunterTeam and Bleeping Computer have issued a warning about a new screen locker and wiper called StalinLocker. Once it runs, the malware displays a portrait of Joseph Stalin and plays the Soviet Union’s national anthem.

How StalinLocker Works

According to researchers, StalinLocker gives users only 10 minutes to enter a specific code. If the correct code is not entered within this time frame, the malware begins erasing the contents of all drives it finds on the system.

While the exact method of distribution is unknown, once StalinLocker infects a machine, it copies itself to %UserProfile%\AppData\Local\stalin.exe and adds itself to the system’s startup as “Stalin.” The malware then locks the screen and deletes all logs from the infected computer.

Additionally, StalinLocker creates a file at %UserProfile%\AppData\Local\fl.dat in which it records the number of seconds remaining divided by three. The stored value is what the locker starts from the next time it runs, so every restart cuts the remaining time to a third instead of resetting the countdown.

The malware also attempts to terminate all processes except Skype and Discord, shuts down Explorer.exe and taskmgr.exe, and tries to create a scheduled task called “Driver Update” to launch Stalin.exe. However, researchers note that this feature is still buggy.

Unlock Code and File Deletion

The code that must be entered within the 10-minute window is, according to MalwareHunterTeam, the difference between the current date and December 30, 1922 (likely a reference to the date the USSR was established). If the correct code is entered, the locker removes itself from startup and terminates.

If the code is not entered and the countdown reaches zero, StalinLocker attempts to delete all files on the victim’s system, going through drive letters from A to Z.
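The following PowerShell triage script is an added example and is not code from the original article or from the researchers. It checks a Windows host for the artifacts the article lists (the dropped stalin.exe, the fl.dat countdown file, the "Stalin" startup entry, the "Driver Update" scheduled task, and a running stalin process) and prints the unlock code the article describes. Two things the article does not state are assumed here: that the "Stalin" startup entry is a value under the HKCU Run key, and that the date difference is expressed in whole days.

```powershell
# Added triage example, not code from the original article or from the researchers.
# Read-only: it reports artifacts and a candidate unlock code; it changes nothing.
# Assumptions (not stated in the article): the "Stalin" startup entry is a HKCU Run
# value, and the unlock code is the difference in whole days.

$localAppData = $env:LOCALAPPDATA          # normally %UserProfile%\AppData\Local
$findings = @()

# 1. Dropped copy of the locker and its countdown file
foreach ($name in 'stalin.exe', 'fl.dat') {
    $path = Join-Path $localAppData $name
    if (Test-Path -LiteralPath $path) {
        $findings += "file present: $path"
        if ($name -eq 'fl.dat') {
            # The article says this holds the seconds remaining divided by three.
            $raw = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
            $findings += "fl.dat content: '$("$raw".Trim())' (x3 = seconds left per the article)"
        }
    }
}

# 2. Startup entry named "Stalin" (assumed to live under the HKCU Run key)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Stalin']) {
    $findings += "Run value 'Stalin' -> $($run.Stalin)"
}

# 3. Scheduled task "Driver Update" (the article notes this part is buggy, so it may be absent)
$task = Get-ScheduledTask -TaskName 'Driver Update' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { $_.Execute }) -join ', '
    $findings += "scheduled task 'Driver Update' -> $actions"
}

# 4. Running locker process (process name is the image name without .exe)
$proc = Get-Process -Name 'stalin' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process stalin.exe running (PID $($proc.Id -join ','))"
}

# Candidate unlock code: whole days between 1922-12-30 and today (unit is an assumption)
$code = ((Get-Date).Date - [datetime]'1922-12-30').Days

if ($findings.Count -eq 0) {
    Write-Output 'No StalinLocker artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
    Write-Output "Candidate unlock code (days since 1922-12-30): $code"
}
```

Run it from an elevated PowerShell on the suspect host, or offline against a mounted image by pointing $localAppData at the copied profile directory. Because fl.dat shrinks the countdown on every launch, do not relaunch the sample to "check" the timer; collect the artifacts and the candidate code first.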

Current Status and Threat Level

Experts note that StalinLocker is still under development and not yet fully finished. Unfortunately, the malware is already functional enough to pose a real threat to users: because the payload deletes files rather than encrypting them, there is nothing to decrypt once the timer expires, and recovery depends on having offline backups.
