✅ Report Title:
Unlocking Ransomware: Tools for Analyzing and Decrypting Windows Locker
The S2W Threat Intelligence Center has published a report on the analysis and decryption of Windows Locker ransomware. This is an advanced threat intelligence report that provides access to the Windows Locker decryption tool.
✅ Executive Summary:
1. Introduction
S2W’s Threat Intelligence Center (TALON) has continuously tracked ransomware campaigns emerging in 2025. Among the ransomware strains identified this year, we discovered that Windows Locker ransomware is decryptable, and we have developed a custom decryption tool based on its analysis.
2. Windows Locker
Windows Locker is ransomware written in .NET. Spanish-language strings in the code suggest that the developer is likely a Spanish speaker.
3. Encryption Flaw
The AES key and IV used for file encryption are generated with the PBKDF2 algorithm. Because the salt, iteration count and input password are all hardcoded, the derived key and IV are the same on every infected system.
4. Conclusion
By leveraging this critical flaw in the encryption routine, we developed a decryption tool for Windows Locker, which is expected to play a significant role in restoring files on systems affected by the ransomware.
During encryption the AES key and IV are produced by a single PBKDF2 call that outputs 48 bytes of key material. Nothing fed into that call is random: the salt, the iteration count and the input password are all hardcoded, so the resulting AES key (32 bytes) and IV (16 bytes) are identical across all encrypted files and all victims.
- Salt: 3, 4, 2, 6, 5, 1, 7, 8
- Iterations: 1000
- Input: SHA256('1337')
By recomputing these fixed values, the S2W Threat Intelligence Center has developed a decryption tool capable of recovering files encrypted by Windows Locker. The tool, available at the link below, is expected to be instrumental in restoring files on compromised systems.
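To make the flaw concrete, here is an added example (not S2W's decryption tool and not code from the malware) that recomputes the key and IV from the reported constants and shows why every infection yields the same pair. Two details the report does not state are assumed and marked as such: the PBKDF2 pseudorandom function is HMAC-SHA1 (the default of .NET's Rfc2898DeriveBytes), and the input password is the raw 32-byte SHA-256 digest of the ASCII string "1337" rather than its hex encoding. The key-first, IV-second split of the 48 bytes is likewise an assumption. The example also goes one step beyond the report: it shows that changing any single parameter changes the derived values, which is the caveat for anyone maintaining such a tool against future variants.

```python
import hashlib

# Parameters the report attributes to Windows Locker.
WL_SALT = bytes([3, 4, 2, 6, 5, 1, 7, 8])
WL_ITERATIONS = 1000
# Assumption: the PBKDF2 password is the raw SHA-256 digest of "1337",
# not the hex string. The report only says SHA256('1337').
WL_PASSWORD = hashlib.sha256(b"1337").digest()
# Assumption: HMAC-SHA1, the default PRF of .NET's Rfc2898DeriveBytes;
# the report does not name the hash function.
WL_PRF = "sha1"
WL_DERIVED_LEN = 48  # 32-byte AES key followed by a 16-byte IV


def derive_key_iv(password: bytes, salt: bytes, iterations: int, prf: str = WL_PRF):
    """Run PBKDF2 for 48 bytes and split the output into (key, iv).

    Assumption: the key is the first 32 bytes and the IV the last 16.
    """
    material = hashlib.pbkdf2_hmac(prf, password, salt, iterations, dklen=WL_DERIVED_LEN)
    return material[:32], material[32:]


def windows_locker_key_iv():
    """Recompute the key/IV a decryptor needs.

    Every input is a constant, so nothing has to be recovered from the
    victim machine or obtained from the attacker.
    """
    return derive_key_iv(WL_PASSWORD, WL_SALT, WL_ITERATIONS)


def infections_share_key(n: int = 5) -> bool:
    """Simulate n independent infections of the same build.

    All of them derive the same (key, iv), which is the flaw the
    decryption tool relies on.
    """
    return len({windows_locker_key_iv() for _ in range(n)}) == 1


def variant_changes_key(salt: bytes = WL_SALT, iterations: int = WL_ITERATIONS,
                        password: bytes = WL_PASSWORD, prf: str = WL_PRF) -> bool:
    """Caveat for tool maintainers: a variant that alters any one parameter
    derives a different key, so the constants must be re-extracted from the
    new sample before the tool can decrypt its files."""
    return derive_key_iv(password, salt, iterations, prf) != windows_locker_key_iv()


if __name__ == "__main__":
    key, iv = windows_locker_key_iv()
    print("AES-256 key:", key.hex())
    print("IV:         ", iv.hex())
    print("all infections share key/IV:", infections_share_key())
    print("salt change alters key/IV:  ", variant_changes_key(salt=bytes([1, 2, 3, 4, 5, 6, 7, 8])))
```

The AES decryption step itself is omitted here: once the key and IV are known, it is ordinary AES with a fixed IV, and the report does not state the block mode. If an actual sample derives different bytes from the ones printed above, one of the three labelled assumptions (PRF, password encoding, key/IV order) is wrong for that build and should be checked against the decompiled .NET code before anything else.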
✅ Recommended Threat Detection and Mitigation Actions:
- The S2W Threat Intelligence Center continuously tracks new ransomware and, through analysis, has identified a decryptable strain.
- Windows Locker is ransomware written in .NET, and the Spanish-language strings in the code suggest that it was developed by a Spanish-speaking developer.
- The presence of incomplete components, such as the C2 connection address, indicates the possibility of future updates.
- Since the AES key and IV used for file encryption are fixed across all infections, we have developed a decryption tool that recomputes them from the hardcoded PBKDF2 parameters.
- Detailed analysis images and the full source code can be accessed in English via the link below.
🧑💻 Author: S2W TALON (Updated 2025-03-26)
👉 Read the full report: https://bit.ly/3XygdQF
*The full report is available upon request.