RANSOMWARE: StalinLocker deletes data if you don't enter the right code in time

StalinLocker ransomware gives you ten minutes to comply.

A ransomware strain under development gives victims 10 minutes to enter a code and deletes the contents of a hard drive if they fail.


When the malware is run, it plays the Soviet national anthem, which is copied to the %UserProfile%\AppData\Local folder as an mp3 file.

The malware will also copy itself to the same folder as stalin.exe. It then creates an autorun file called Stalin which, when run, locks the screen and starts off the wiping process.

Also created is %UserProfile%\AppData\Local\fl.dat. This decreases the time left to enter a code each time the computer is restarted.

It also attempts to terminate taskmgr.exe and explorer.exe but leaves Skype or Discord alone. It additionally creates a scheduled task called "Driver Update" that launches Stalin.exe.
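A read-only triage check for the artifacts listed above, as an added PowerShell example that is not part of the original article or of any vendor tool. The file names and the "Driver Update" task name come from the article; the Run-key and Startup-folder locations checked for the "Stalin" autorun are assumptions, since the article does not say where it is registered.

```powershell
# Added example: read-only triage for the StalinLocker artifacts named in the article.
$local = Join-Path $env:USERPROFILE 'AppData\Local'
$findings = @()

# Dropped files named in the article: the malware copy and the countdown state file.
foreach ($name in 'stalin.exe', 'fl.dat') {
    $path = Join-Path $local $name
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Detail = $path }
    }
}

# The anthem mp3 lands in the same folder; its file name is not given in the article,
# so every mp3 directly under AppData\Local is listed for manual review.
foreach ($mp3 in Get-ChildItem -Path $local -Filter '*.mp3' -File -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Indicator = 'mp3 to review'; Detail = $mp3.FullName }
}

# Scheduled task "Driver Update": report what it launches so a legitimate task with
# the same name can be told apart from one pointing at stalin.exe.
foreach ($task in Get-ScheduledTask -TaskName 'Driver Update' -ErrorAction SilentlyContinue) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join '; '
    $kind = if ($exe -match 'stalin\.exe') { 'Task launches stalin.exe' } else { 'Task name match' }
    $findings += [pscustomobject]@{ Indicator = $kind; Detail = "$($task.TaskPath)$($task.TaskName) -> $exe" }
}

# Autorun named "Stalin". ASSUMPTION: the article does not say where it is registered,
# so the common Run keys and the per-user Startup folder are checked.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $value = (Get-ItemProperty -Path $key -Name 'Stalin' -ErrorAction SilentlyContinue).Stalin
    if ($value) { $findings += [pscustomobject]@{ Indicator = 'Run key'; Detail = "$key -> $value" } }
}
$startup = [Environment]::GetFolderPath('Startup')
if ($startup) {
    foreach ($item in Get-ChildItem -Path $startup -Filter 'Stalin*' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Indicator = 'Startup item'; Detail = $item.FullName }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No StalinLocker artifacts from the article were found for this user profile.'
}
```

Run it in each affected user's session, because the AppData paths and the HKCU key are per-profile.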

Once a machine is infected, the malware shows a lock screen and a 10-minute timer. Victims are expected to enter a code, which is calculated by subtracting the date 30/12/1922 from the current date. If the correct code is entered, StalinLocker exits and deletes the autorun.

Should a victim fail to enter the code by the time the countdown reaches zero, the malware deletes all files on each drive attached to the computer.

The malware came with “no money demand, no contact, nothing”. They added that the malware is “not a variant of anything known” and was first seen some days ago.
They said that if a user gets infected, “best thing he can do is shutdown PC and contact someone who can clean”.


“For the average end user they will neither have the time or the inclination to find and enter the correct code, so the file wipe will almost certainly be a done deal. Their only protection is going to be good multi-layered internet security software that will detect and delete the offending malware,” he said.

Although these kinds of attacks aren't necessarily for profit, their impact is no less. Enterprises should therefore take these threats just as seriously and invest in security controls that can detect such attacks, so that the appropriate measures can be taken.


CONTACT: paul@securenetconsulting.co.uk




Credit: MalwareHunterTeam, SCmedia