Simplocker: First-Ever Data-Encrypting Ransomware For Android

Published: 22/11/2024   Category: security




ESET has discovered the first Android ransomware that doesn't just lock screens, but encrypts files.



While all earlier ransomware for Android devices had worked by locking a device's screen, this weekend researchers at ESET spotted Simplocker, a new piece of Android malware that holds individual files for ransom by encrypting them. The researchers believe that the version they've seen is just a work in progress, because, although some of the attack techniques are rather sophisticated, the encryption itself is not.
"It's quite contradictory," says Robert Lipovsky, security intelligence team lead at ESET.
Simplocker scans the device's SD card for a wide variety of documents (including images, photos, PDFs, and Word docs). It encrypts those files and then issues this ransom note (translated from Russian):
WARNING your phone is locked!
The device is locked for viewing and distribution child pornography, zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1. Locate the nearest payment kiosk.
2. Select MoneXy.
3. Enter [REDACTED].
4. Make deposit of 260 Hryvnia, and then press pay.
Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours.
In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!
On one hand, explains Lipovsky, Simplocker uses basic AES encryption, which is not very impressive alongside the double encryption used by CryptoLocker. On the other hand, it uses a variety of techniques to protect the attacker's identity that Lipovsky says are relatively uncommon.
For example, the attack demands that payment be made via MoneXy, which is not as traceable as credit card activity.
Further, the command-and-control server is hosted on a TOR onion domain.
Simplocker also sends identifiable information about the device (model, operating system, manufacturer) back to the C&C server, but Lipovsky says that he has seen no evidence that would indicate the malware would export personally identifiable information about the user.
Being that the message is written in Russian and demands payment in Ukrainian currency, it is safe to assume that Simplocker is aimed at that region. Although recent research elsewhere has found that malware activity in this region spiked at the height of the geopolitical conflict between Russia and Ukraine, Lipovsky will not speculate upon whether or not Simplocker is at all politically motivated.
Although the ransom note states that the device has been locked because it was used to view or distribute child pornography, zoophilia, and other perversions, Lipovsky would not categorize Simplocker as police ransomware, exactly. The ransom does not actually claim to come from law enforcement or include any police force logos.
The ransom requested, 260 UAH, equals roughly US$21. Lipovsky does not have an estimate of how many people have paid the ransom thus far, but since the malware is quite fresh, it is probably quite a small number.
Ransomware has been a hot topic lately. Two weeks ago, more than 90 people were arrested for their connection to the Blackshades remote access toolkit, which contains ransomware. Monday, the US Department of Justice announced a major international effort to disrupt the Gameover Zeus botnet, which is often used in tandem with the CryptoLocker ransomware. CryptoLocker is well known partly for its association with Gameover Zeus and partly because it encrypts files twice with two different encryption algorithms.
"CryptoLocker is quite sophisticated," says Lipovsky, "but it is still a bit overhyped."
Lipovsky says that ransomware wouldn't be as big a deal if people just kept better backups.
For more information about ransomware, listen to yesterday's episode of Dark Reading Radio, "Pay Up Or Never See Your Data Again: Ransomware Raises The Stakes," with Dark Reading's executive editor Kelly Jackson-Higgins and Lance James, head of cyber intelligence at Deloitte & Touche.
