ShellLocker

Malware

⚠️ Overview

ShellLocker is a ransomware family first documented in August 2021 by AhnLab's ASEC (AhnLab Security Emergency Response Center) and believed to be operated by a financially motivated threat actor, likely based in South Korea or China. It is a file-encrypting ransomware that targets Windows systems; rather than relying on a single compiled dropper, it chains PowerShell scripts and batch files to fetch and run its payload, which is what sets it apart from more conventional ransomware strains.

🔧 Technical Capabilities

ShellLocker propagates primarily through spear-phishing emails carrying malicious Microsoft Office documents. When the recipient enables macros, the document downloads and runs a PowerShell script that retrieves the core ransomware binary from a remote command-and-control (C2) server. The malware encrypts files with AES-256, appends the .L0CKED extension to each affected file and drops a ransom note named README.html in every directory it touches. Persistence is a scheduled task named ShellLockerUpdate that re-launches the ransomware at system boot. For evasion it checks for sandbox and analysis environments by looking for tools such as Wireshark and Process Explorer, disables Windows Defender through a policy registry value, and deletes Volume Shadow Copies with vssadmin.exe so that files cannot be restored from local snapshots (vssadmin removes the snapshots; it is not what disables Defender). The C2 infrastructure relies on hardcoded IP addresses and domains registered through privacy-protected registrars; no public analysis of the C2 protocol had been published as of early 2025.

📜 History & Notable Incidents

ShellLocker first appeared in August 2021, with initial campaigns targeting small-to-medium businesses (SMBs) in South Korea, particularly in the manufacturing and logistics sectors. No high-profile victims, such as large corporations or critical infrastructure entities, have been publicly attributed to this ransomware. No CVEs are associated with ShellLocker, since the infection chain relies on user interaction (enabling macros in a malicious document) rather than on a software vulnerability. As of 2025, no law enforcement actions or takedowns have been reported against the group behind it.

🔍 Detection Indicators

Known file hashes: the AhnLab report is cited as the source of a SHA-256 sample hash, but the value reproduced on this page (a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef0) is a sequential placeholder pattern rather than a real digest and must not be loaded into a blocklist; take the hash from the original report. Behavioral indicators include creation of the scheduled task ShellLockerUpdate, deletion of Volume Shadow Copies via vssadmin.exe, and README.html ransom notes appearing alongside .L0CKED files. Network IOCs consist of the C2 domains shell-locker[.]xyz and updateshell[.]com and the IP address 185.220.101[.]45; note that 185.220.101.0/24 is a range heavily used by Tor exit relays, so that address on its own is a weak indicator and will produce false positives on any network with Tor traffic. Registry modifications include disabling Windows Defender by setting the DWORD value DisableAntiSpyware to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
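The following host triage script is an added example, not code from AhnLab or from any ShellLocker sample, and it ties together the behaviours from the Technical Capabilities section and the indicators listed above. The indicator values it checks (task name, file extension, ransom note name, domains, IP address) are the ones this page lists and are unverified; the Sysmon log name is an assumption about the host's telemetry.

```powershell
# Added example (not code from AhnLab or from any ShellLocker sample): a host triage script
# that looks for the behavioural and registry indicators described on this page.
# Indicator values (task name, extension, note name, domains, IP) are the ones the page
# lists and are unverified; swap in values from the original report before relying on them.
# Run in an elevated Windows PowerShell 5.1+ session on the host under investigation.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Indicator, [string]$Evidence)
    $Findings.Add([pscustomobject]@{ Indicator = $Indicator; Evidence = $Evidence })
}

# 1. Persistence: a scheduled task named ShellLockerUpdate (name taken from the page).
$task = Get-ScheduledTask -TaskName 'ShellLockerUpdate' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'Scheduled task' "ShellLockerUpdate -> $actions"
}

# 2. Defender disabled by policy: DisableAntiSpyware = 1 under the Windows Defender policy key.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pol = Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) {
    Add-Finding 'Defender policy' "$polKey\DisableAntiSpyware = 1"
}

# 3. Shadow copy deletion: Sysmon process-creation events (Event ID 1) whose command line
#    runs vssadmin with 'delete shadows'. Assumes Sysmon is installed; Security event 4688
#    with command-line auditing enabled could be parsed the same way.
try {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction Stop)) {
        $xml = [xml]$e.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if ($cmd -match 'vssadmin(\.exe)?\s+delete\s+shadows') {
            Add-Finding 'Shadow copy deletion' "$($e.TimeCreated) $cmd"
        }
    }
} catch {
    Write-Warning "Sysmon process-creation events not available: $($_.Exception.Message)"
}

# 4. Encryption artefacts: .L0CKED files, and README.html only where it sits next to them
#    (README.html alone is far too common a filename to be an indicator on its own).
$scanRoot = "$env:SystemDrive\Users"
$locked = Get-ChildItem -Path $scanRoot -Recurse -File -Filter '*.L0CKED' -ErrorAction SilentlyContinue
foreach ($f in ($locked | Select-Object -First 25)) { Add-Finding 'Encrypted file' $f.FullName }
$lockedDirs = $locked | Select-Object -ExpandProperty DirectoryName -Unique
foreach ($dir in $lockedDirs) {
    $note = Join-Path $dir 'README.html'
    if (Test-Path $note) { Add-Finding 'Ransom note' $note }
}

# 5. Network: the listed C2 domains in the DNS client cache, and live TCP connections to
#    the listed address. 185.220.101.0/24 is a busy Tor exit range, so treat an IP hit
#    as a lead to pivot on, not a verdict.
$c2Domains = @('shell-locker.xyz', 'updateshell.com')   # de-fanged on the page; unverified
$c2Address = '185.220.101.45'
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $c2Domains) {
    if ($cache | Where-Object { $_.Entry -like "*$d" }) { Add-Finding 'DNS cache' $d }
}
$conns = Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    Add-Finding 'TCP connection' "$($c.LocalAddress):$($c.LocalPort) -> ${c2Address}:$($c.RemotePort) PID $($c.OwningProcess)"
}

if ($Findings.Count -eq 0) { 'No ShellLocker indicators found on this host.' }
else { $Findings | Format-Table -AutoSize }
```

The scheduled task, registry value and vssadmin checks are the ones worth keying detections on, because they describe what the malware does rather than what it is named; the file-name and network checks are useful for scoping an incident on a host that is already suspect but are easy for the operator to change between campaigns.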

☠️ Risk & Impact

ShellLocker leaves files encrypted with no public decryption tool available as of early 2025, so recovery depends on backups or on obtaining the key from the attacker. Before encryption it exfiltrates a small amount of data (typically less than 50 MB) to use as leverage for payment, but no widespread data breach has been linked to this family. Victims are predominantly South Korean SMBs in manufacturing and logistics; ransom demands average 0.5 to 2 Bitcoin (approximately $15,000–$70,000 at the time of payment), putting estimated financial losses per incident in the tens of thousands of dollars.

🛡️ Mitigation

Defenders should block macros in Office documents from untrusted sources (at minimum, files carrying the Mark of the Web), deploy endpoint detection rules for PowerShell that downloads and executes content from unknown hosts, and enable Controlled Folder Access together with the Attack Surface Reduction (ASR) rules that stop Office applications from spawning child processes; Controlled Folder Access and ASR are separate Microsoft Defender Exploit Guard features, and both are needed here, the first to stop unauthorized processes from writing to user document folders and the second to break the macro-to-PowerShell chain before anything is downloaded. Regular offline or offsite backups and disabling Windows Script Host for non-administrative users are also recommended. Sigma rules for ShellLocker behaviours are said to be available in the Sigma repository under rule ID aaa12345-bcde-4f90-1234-567890abcdef; that ID could not be confirmed in the public SigmaHQ repository, so verify it (or write rules from the behavioral indicators above) before relying on it.
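As an added example (not from AhnLab or from this page's original content), the script below applies the mitigations listed above to a single Windows 10/11 host running Microsoft Defender Antivirus. It assumes Office 2016 or later (policy path 16.0) and that the host is not already managed by Group Policy or Intune for these settings, which would override local values; the ASR rule GUIDs are Microsoft's published identifiers for the named rules.

```powershell
# Added example: per-host application of the mitigations described above.
# Not code from AhnLab or any ShellLocker report. Assumes Office 2016+ (16.0 policy path),
# Microsoft Defender Antivirus active, and no conflicting GPO/Intune policy. Run elevated.
#Requires -RunAsAdministrator

# 1. Block macros in Office files that carry the Mark of the Web (downloads, mail attachments).
#    Microsoft's documented per-application policy value; HKCU, so it applies to this user only.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. ASR rules that break the macro -> PowerShell -> payload chain.
#    Use 'AuditMode' first on fleets that depend on macros, then switch to 'Enabled'.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
}
$asrMode = 'Enabled'
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $asrMode
}

# 3. Controlled Folder Access: a separate Exploit Guard feature that stops unknown processes
#    from writing to (and therefore encrypting) protected user folders.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 4. PowerShell script block logging, so a download cradle is recorded (Event ID 4104)
#    even when the script is obfuscated on disk.
$psKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $psKey -Force | Out-Null
New-ItemProperty -Path $psKey -Name 'EnableScriptBlockLogging' -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Remove the Defender policy override the malware sets, if it is present.
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue

# 6. Windows Script Host off for this user (wscript.exe / cscript.exe), as the page recommends.
$wshKey = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshKey -Force | Out-Null
New-ItemProperty -Path $wshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

# Verify the Defender-side settings took effect.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Controlled Folder Access will block legitimate software that writes to Documents or Desktop until it is allowed with Add-MpPreference -ControlledFolderAccessAllowedApplications, so roll it out in AuditMode and review the resulting Event ID 1124 entries before enforcing it. For more than a handful of hosts, push the same values through Group Policy or Intune rather than a script, so they survive user changes and reimaging.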

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.