Unlocking Ransomware: Tools for Analyzing and Decrypting Windows Locker

S2W
Mar 26, 2025

Author: HuiSeong Yang | S2W TALON

Last Modified: Mar 26, 2025


Executive Summary

  • (Introduction) S2W’s Threat Intelligence Center (TALON) has continuously tracked ransomware campaigns emerging in 2025. Among the ransomware strains identified this year, we discovered that Windows Locker ransomware is decryptable, and we have developed a custom decryption tool based on its analysis.
  • (Windows Locker) Windows Locker is ransomware written in .NET. Spanish-language identifiers and strings in the code suggest that the developer is a Spanish speaker.
  • (Encryption Flaw) The AES key and IV used for file encryption are derived with PBKDF2, but because the salt, iteration count, and input are all hardcoded, the derived key and IV are fixed and identical for every victim.
  • (Conclusion) By leveraging this critical flaw in the encryption routine, we developed a decryption tool for Windows Locker, which is expected to play a significant role in restoring files on systems affected by the ransomware.

Key Features

On January 28, 2025, CYFIRMA released a brief analysis report on a ransomware strain called Windows Locker. The ransomware is written in .NET and, based on the Spanish-language identifiers and strings in its code, is presumed to have been developed by a Spanish speaker.

Flag

Individual features are gated by flags whose values are Spanish words: program flow branches on “no” (no) and “si” (yes).

Flag | Initial value | Description
a | no | Monitors the network connectivity status of the system

Table 1. Initial value for each flag

Persistence

In the inicio_void method, the malware copies itself and reads the uac_location file in the %Appdata% directory. When the a3 flag is active, it copies itself to %LocalAppData%\discord.exe and registers that path in the current user's Run key, so the copy is launched automatically at every logon.

  • Registry Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Value name: discord
  • Data: %LocalAppData%\discord.exe

C2 Connect

The malware generates a 40-byte random ID and sends system information (the ID, Username, MachineName, Date, and IP address) to a C2 server via the conectar() method, as the info query parameter of data.php (data.php?info=). It is also observed to retrieve additional data from data.txt. The domain used for communication is currently example.com, a placeholder, which suggests that the C2 infrastructure is still under development.

File Encryption

File encryption is performed using AES-CBC. A hardcoded string, “MTMzNw==”, is Base64-decoded (yielding the ASCII string 1337) and hashed with SHA256. The digest is then fed to PBKDF2 together with a fixed salt and iteration count, both listed under Decryption Logic below:

Figure 1. PBKDF2-derived key and IV extraction from 48-byte output

From the 48-byte output, the first 32 bytes are used as the AES key (AES-256) and the remaining 16 bytes as the IV.

The ransomware targets specific directories for encryption, as shown below:

Table 2. Directory to be encrypted

After encryption, the malware appends the .winlocker extension to the affected files and creates a ransom note named README.txt in each encrypted directory. The ransom note instructs victims to join a Discord server to retrieve their decryption key. However, the Discord server is currently inaccessible.

  • Discord: https[:]//discord[.]gg/dA6NvkMH

Change Desktop Background

Once encryption is complete, the fond2() method changes the desktop wallpaper. It first saves the current wallpaper as fondo_antiguo.jpg in the %Appdata% directory. Then, it attempts to set the wallpaper to image.jpg located in the Pictures directory. If image.jpg does not exist, it loads an embedded resource image (wallpaper_jpg), saves it as image[random 30 bytes].jpg in the Pictures directory, and sets it as the new wallpaper.

Although the method accepts a parameter “a”, it is unused in the current implementation, suggesting that this function may still be under development.

Additionally, the percodigo() method fetches a URL that serves the same image used for the wallpaper (wallpaper_jpg).

  • Image Link: https[:]//y2kid[.]xyz/mainpage/internets.jpg
Figure 2. Changed desktop image

Empty RecycleBin

The ransomware uses SHEmptyRecycleBin() to empty the Recycle Bin.

System Disable

The malware weakens system defenses by modifying registry entries to disable Windows Defender, Task Manager, system hotkeys, and all firewall profiles.

Table 3. System Disable command

Delete Backup

The borrar() method deletes Volume Shadow Copies and backup catalogs to prevent file recovery.

Table 4. Backup delete command

Self Delete

The autodestruir() method performs self-deletion of the ransomware. It also reads the %Appdata%\\uac_location file and deletes all paths listed in it.

Decryption Logic

The AES key and IV are produced by PBKDF2 during encryption, but the 48 bytes it outputs are not random: the salt, iteration count, and input are all hardcoded, so the derivation is fully deterministic. The AES key (32 bytes) and IV (16 bytes) are therefore identical for every encrypted file and every victim, and anyone who knows these constants can recompute them without contacting the attacker.

  • Salt: 3, 4, 2, 6, 5, 1, 7, 8
  • Iteration count: 1000
  • Input: SHA256('1337')
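The following Go program is an added example written for this article; it is neither S2W's decryption tool from Appendix B nor code taken from the ransomware. It reproduces the derivation described in the File Encryption section and the constants listed above (Base64-decode “MTMzNw==”, SHA256 the result, run PBKDF2 over it with the salt 3,4,2,6,5,1,7,8 and 1000 iterations, split the 48-byte output into key and IV) and then decrypts a sample with AES-256-CBC. Two details are assumptions the article does not state and must be checked against the binary before the program is trusted on real files: that the .NET PBKDF2 class (Rfc2898DeriveBytes) is used with its default HMAC-SHA1 PRF and takes the raw 32-byte SHA256 digest as the password, and that the ciphertext carries PKCS#7 padding, the .NET AES default. The sample ciphertext is constructed inside the program by encrypting under the same derived key, so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hard-coded PBKDF2 inputs recovered from the sample (see Decryption Logic).
var fixedSalt = []byte{3, 4, 2, 6, 5, 1, 7, 8}

const (
	iterations    = 1000
	encodedSecret = "MTMzNw==" // Base64 of "1337"
	kdfOutLen     = 48         // 32-byte AES-256 key followed by a 16-byte IV
)

// pbkdf2HmacSha1 is plain RFC 8018 PBKDF2 with HMAC-SHA1 as the PRF.
// ASSUMPTION: the locker's .NET Rfc2898DeriveBytes runs with its default PRF (HMAC-SHA1).
func pbkdf2HmacSha1(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen+sha1.Size)
	for i := 1; len(out) < keyLen; i++ {
		mac := hmac.New(sha1.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U1 ^ U2 ^ ... ^ Uc
		for c := 1; c < iter; c++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKeyIV reproduces the locker's derivation. Every call returns the same key and IV
// because nothing in it varies per victim or per file.
// ASSUMPTION: the raw 32-byte SHA256 digest (not a hex string) is the PBKDF2 password.
func DeriveKeyIV() (key, iv []byte) {
	secret, _ := base64.StdEncoding.DecodeString(encodedSecret) // constant input, cannot fail
	digest := sha256.Sum256(secret)
	kdf := pbkdf2HmacSha1(digest[:], fixedSalt, iterations, kdfOutLen)
	return kdf[:32], kdf[32:]
}

// DecryptWinlocker decrypts the bytes of one .winlocker file (AES-256-CBC).
// ASSUMPTION: PKCS#7 padding, the .NET AES default. A padding error on a genuine
// sample means one of the assumptions above is wrong or the file is corrupted.
func DecryptWinlocker(ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	key, iv := DeriveKeyIV()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length, every pad byte equals it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding: wrong key/IV assumption or corrupted file")
	}
	return pt[:len(pt)-n], nil
}

// EncryptForDemo builds a ciphertext the way the locker would, so the example can run
// offline on a constructed sample. It plays no role in recovery.
func EncryptForDemo(pt []byte) []byte {
	key, iv := DeriveKeyIV()
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte(nil), pt...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

func main() {
	key, iv := DeriveKeyIV()
	fmt.Printf("key: %s\niv:  %s\n", hex.EncodeToString(key), hex.EncodeToString(iv))
	// Constructed sample standing in for a victim's .winlocker file.
	sample := EncryptForDemo([]byte("constructed plaintext standing in for a victim file"))
	pt, err := DecryptWinlocker(sample)
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Printf("recovered: %q\n", pt)
}
```

Run it with no arguments to see the derived key and IV and the round trip on the constructed sample. To apply it to real files, read each .winlocker file, pass the bytes to DecryptWinlocker, and write the result to the path without the extension, keeping the encrypted copy until the output has been verified. If decryption fails with the padding error on a genuine sample, revisit the two assumptions (PRF and password form) before anything else.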

By exploiting these characteristics, S2W Threat Intelligence Center has developed a decryption tool capable of recovering files encrypted by Windows Locker. This tool, which can be found in Appendix B, is expected to be instrumental in restoring files on compromised systems.

Appendix A. IoCs

IoC list is available on the S2W-TALON GitHub repository

Appendix B. Decryption Tools

Decryption Tool can be found on the S2W-TALON GitHub repository
