New WhiteLock ransomware kills remote tools to block recovery

Analysts at AhnLab's ASEC have detailed WhiteLock, a newly identified Windows ransomware that encrypts a victim's files and then shuts down the very remote-access tools defenders would use to fight back.

Once running, WhiteLock hunts for and terminates the Windows services behind AnyDesk and TeamViewer. AhnLab assesses this is meant to stop administrators or responders from logging in to an infected machine to isolate it or pull it off the network, buying the attackers time to finish encrypting.

How it works

On launch, WhiteLock reads the machine's network (MAC) address and turns it into a SHA-256 hash that serves as a unique ID when it phones home to an external server. It generates a random AES key and initialization vector to encrypt files, then requests an RSA-2048 public key from the server and uses it to wrap the AES key. Because only the attackers hold the matching RSA private key, victims cannot recover the AES key, and therefore their files, without negotiating. If the machine cannot reach the server, WhiteLock keeps retrying, so some steps may stall in tightly firewalled networks.

Encrypted files are given a .Fbin extension, and a ransom note named c0ntact.Txt is dropped at the root of each drive. WhiteLock skips folders and files needed to keep Windows running and avoids anything tied to major antivirus products. When encryption finishes it swaps the desktop wallpaper for a message telling the victim their data is locked and pointing them to the note.

Double extortion

The note claims the attackers have also stolen data, and threatens to notify the victim's contacts, sell the information and publish it on the dark web if the ransom is not paid by a deadline. Victims are directed to a Tor-based negotiation page where they enter an identifier so the crew can track each case.

Importantly, AhnLab warns WhiteLock should not be treated as a lone executable. Some cases tie it to a fuller intrusion chain in which information-stealing malware provides the initial breach before the ransomware is deployed and spread internally, a pattern familiar from other crews such as the Gentlemen ransomware gang.

What you should do

Because files cannot be decrypted once WhiteLock runs, AhnLab stresses prevention and early containment: keep offline backups, deploy behavior-based detection that can flag ransomware-like activity, and watch for the precursors, phishing, account compromise, remote-access abuse and unusual outbound traffic, that precede deployment. Alerting on the unexpected termination of AnyDesk or TeamViewer services can also serve as an early warning.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions