The Maktub Locker infection arrives in the usual way: a spam e-mail purporting to come from some company, with an executable (.exe) attachment disguised as a text or PDF document. Opening it displays an “Updating our privacy policies and terms of service” text file, which we will of course read, because everyone reads those all the time, don’t we? While we are busy reading it, the executable starts encrypting our files, just as the other cryptolockers do. Suddenly, this appears on our screen:
All our files have been encrypted and given the extension “.rdbmh”, and they are also smaller than the originals (probably compressed before encryption).
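The lure described above works because the attachment’s name promises a document while its contents are a Windows executable. The following triage check is an added example written for this post; it is not Avira’s code and not part of the original article. It uses constructed filenames and byte samples, and it goes a little beyond the Maktub case by also flagging double extensions such as “policy.pdf.exe” and the Unicode right-to-left override trick, both common ways of disguising an executable as a document.

```python
"""Attachment triage: does a file that claims to be a document actually look like one?

Added example for this post, not Avira's code. Filenames and byte samples below are
constructed for illustration. It generalises the Maktub lure (an .exe posing as a
text/PDF file) to a few common disguises: wrong magic bytes for the claimed type,
double extensions such as "policy.pdf.exe", and the right-to-left override character.
"""
from dataclasses import dataclass, field
from typing import List

PE_MAGIC = b"MZ"          # DOS/PE header every Windows executable starts with
PDF_MAGIC = b"%PDF-"      # header every PDF file starts with
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
RTLO = "\u202e"           # U+202E RIGHT-TO-LEFT OVERRIDE


@dataclass
class Verdict:
    filename: str
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def claimed_extensions(filename: str) -> List[str]:
    """All dotted suffixes of a filename, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Flag attachments whose name promises a document but whose bytes or name say otherwise."""
    reasons: List[str] = []
    exts = claimed_extensions(filename)
    last = exts[-1] if exts else ""

    # 1. The name says "document" but the content starts with a PE header.
    if last in DOCUMENT_EXTENSIONS and data.startswith(PE_MAGIC):
        reasons.append(f"content is a Windows executable (MZ header) but name claims {last}")

    # 2. The name says ".pdf" but the bytes are not a PDF (and not already caught as PE).
    if last == ".pdf" and not data.startswith(PDF_MAGIC) and not data.startswith(PE_MAGIC):
        reasons.append("name claims .pdf but content lacks the %PDF- header")

    # 3. Double extension: "policy.pdf.exe" shows as "policy.pdf" when known extensions are hidden.
    if len(exts) >= 2 and last in EXECUTABLE_EXTENSIONS and exts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension: looks like {exts[-2]} but runs as {last}")

    # 4. Right-to-left override makes "invoice\u202efdp.exe" render as "invoiceexe.pdf".
    if RTLO in filename:
        reasons.append("filename contains a right-to-left override character")

    # 5. Any directly executable attachment type deserves a look regardless of disguise.
    if last in EXECUTABLE_EXTENSIONS:
        reasons.append(f"directly executable attachment type {last}")

    return Verdict(filename, bool(reasons), reasons)


# Constructed samples: a minimal PE-looking blob, a PDF header, and plain text.
FAKE_PE = PE_MAGIC + b"\x90\x00\x03\x00" + bytes(60)
FAKE_PDF = PDF_MAGIC + b"1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n"
FAKE_TEXT = b"Updating our privacy policies and terms of service\n"

SAMPLES = [
    ("Privacy_Policy.txt", FAKE_PE),       # the Maktub-style lure: .txt name, MZ content
    ("Privacy_Policy.pdf.exe", FAKE_PE),   # double extension
    ("Privacy_Policy.pdf", FAKE_PDF),      # genuine-looking PDF
    ("Privacy_Policy.txt", FAKE_TEXT),     # genuine text file
]


def triage(samples=SAMPLES) -> List[Verdict]:
    """Run the check over a list of (filename, bytes) pairs."""
    return [inspect_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for v in triage():
        print(f"{v.filename!r}: {'SUSPICIOUS' if v.suspicious else 'ok'}")
        for r in v.reasons:
            print(f"    - {r}")
```

The magic-byte check is the one that matters for the Maktub lure: no matter what the filename says, a file whose first two bytes are “MZ” is a Windows executable, and a mail gateway or a cautious user can reject it on that basis alone.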
So we visit their website to find out how this works. After entering our public key on the site, we are shown a very well-made payment page that looks like this:
These guys may be criminals, but they are very attentive! If you have any doubt about how the payment system works, they explain everything on their slick website (even with links on where to buy bitcoins). Its five pages cover the following:
- What happened to your files
- A free decryption of two of your files, to prove that they can do it
- The prices. What is interesting is that the price increases as the days go by: for the first three days the Maktub ransom is 1.4 BTC, but after two weeks it rises to 3.9 BTC. At the current exchange rate, that means the ransom balloons from roughly 515 to 1,450 euros.
- How the entire process is automated: your files will be decrypted automatically once payment has been made to the given address
- Where you can buy bitcoins
They seem very polite and eager to make things easy for you. But what they really want is for you to pay. Raising the amount over time (what the business world calls time-based dynamic pricing) is simply a way to pressure you into sending the money, and sending it fast. But as we always say: don’t pay the ransom. Paying only encourages them to keep extorting people this way. Be careful, and do not open any suspicious file attached to an e-mail; a “document” whose name ends in .exe is not a document.
Avira already detects this malware as “TR/FileCoder”.