DAGON LOCKER Ransomware is a Refresh of Mount Locker
There is a new variant of the older Mount Locker ransomware in the wild. The new strain is called DAGON LOCKER.
DAGON LOCKER behaves as you would expect from ransomware: it encrypts almost every file on the system it targets. Encrypted files have the ".dagoned" extension appended to their original name, so a file named "document.doc" becomes "document.doc.dagoned".
The DAGON LOCKER ransomware will scramble most file types, including executables, media files, documents, archives and databases. Files required for the normal operation of Windows are left untouched.
The ransom note is contained inside a file named "README_TO_DECRYPT.html", which is displayed in a pop-up window upon successful encryption. The file's contents are as follows:
Pwned
by DAGON LOCKER
What happened?
All your data is encrypted on all IT systems.
Your data including financial, customer, partner contracts and employees has been exfiltrated to our internal servers.
What's next?
You either get in touch with us or get famouse as a company with a large data leak.
How do I recover?
There is no way to decrypt your files manually unless we provide a special decryption tool.
Get your copy of Tor browser and CONTACT US
The final CONTACT US string contains a link to an Onion page run by the ransomware operators, which victims are expected to use to contact the criminals. As usual, we do not recommend negotiating with cybercriminals.
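
A read-only triage sweep for the two file-system indicators described above (the ".dagoned" extension and the "README_TO_DECRYPT.html" note), useful for scoping which hosts or shares were hit and which file types were affected. This is an added example, not code from the original article; the function name triage and the layout of its report are assumptions.

```python
import os
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_SUFFIX = ".dagoned"
RANSOM_NOTE_NAME = "README_TO_DECRYPT.html"


def triage(root):
    """Walk `root` without modifying anything and summarize the indicators.

    Returns a dict (hypothetical layout) with:
      encrypted       - list of (encrypted_path, original_name) pairs
      notes           - paths of ransom note files
      by_original_ext - Counter of the original extensions that were hit
    """
    encrypted, notes, by_ext = [], [], Counter()
    # onerror skips unreadable directories so one ACL failure does not stop the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lowered = name.lower()  # Windows file names are case-insensitive
            full = Path(dirpath) / name
            if lowered == RANSOM_NOTE_NAME.lower():
                notes.append(full)
            elif lowered.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # Strip the appended extension to recover the pre-encryption name.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((full, original))
                by_ext[Path(original).suffix.lower() or "<none>"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_original_ext": by_ext}


if __name__ == "__main__":
    import sys

    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted files: {len(report['encrypted'])}")
    print(f"ransom notes:    {len(report['notes'])}")
    for ext, count in report["by_original_ext"].most_common():
        print(f"  {ext}: {count}")
```

Run it against a mounted share or a forensic image mount point rather than a live infected host, so the sweep itself does not alter timestamps on evidence.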