Security researchers have uncovered a unique screenlocker and wiper called "StalinLocker" or "StalinScreamer" that gives victims just 10 minutes to enter a specific code or their hard drive files will be deleted. Discovered by the MalwareHunterTeam, the malware displays a lock screen that features a picture of Stalin and a 10-minute timer while running. It also plays the national anthem of the USSR which is copied as an mp3 to the %UserProfile%\AppData\Local folder.
Meanwhile, the ransomware copies itself to the same folder as "stalin.exe" and creates an autorun named "Stalin" to automatically start the screenlocking and wiping process once the user logs into the computer. The malicious code also attempts to terminate Explorer.exe, taskmgr.exe and other processes except for Skype and Discord. A scheduled task called "Driver Update" that launches Stalin.exe is also created.
The Stalin-themed lockscreen includes a 10-minute countdown that significantly decreases every time the victim starts the program.
Photo credit: MalwareHunterTeam/Twitter
MalwareHunterTeam tweeted that the code is derived by subtracting the current date of when the program was executed from the date 1922.12.30 - the date the USSR was established.
If the user does not enter the a code by the end of the countdown, StalinLocker will go through all accessible drive letters and try to delete every file on the infected computer. However, if the victim does enter the correct code, the wiper exits and the autorun is deleted.
Researchers note that although the wiper is still currently in development, it could make its way out into the wild. So far, most anti-virus programs are able to detect the threat through definitions or heuristics.
“For the average end user they will neither have the time or the inclination to find and enter the correct code, so the file wipe will almost certainly be a done deal," Mark James, security specialist at ESET, told SC Media UK. Their only protection is going to be good multi-layered internet security software that will detect and delete the offending malware,” he said.
“Having said that, this malware also seves to spread more than the wantonness of deleting your personal files- its use of content could be seen to point blame or attribution to another well-known country."