Purelocker multi-os ransomware targeting servers readerheart

The PureLocker ransomware is a new threat that targets Linux servers. It encrypts data using AES algorithms with 256-bit encryption keys and uploads the files to its command-and-control server. The botnet used by this malware has been active since 23rd Jan 2021, targeting mainly Linux-based infrastructure, but it can also affect Windows and macOS systems too.

Like other ransomware threats, this one tries to lock users out of their computers until they pay a ransom in order to get access back without having their data decrypted by the attacker’s team of cybercriminals.


PureLocker is a ransomware which attacks Linux systems

PureLocker is a ransomware which attacks Linux systems. It is written in the purebasic and reported on 25th Jan 2021. The purelocker is a multi OS ransomware which targets Windows, Linux and macOS servers, even though this attack was mainly focused on Linux-based servers.

The first thing to do after getting infected with this malware is a good backup of your computer files as well as any important data stored on it. Once you’ve done that you should scan your system for viruses with antivirus software such as Malwarebytes Anti-Malware or Malicious Software Removal Tool (MSRT).

PureBasic is a programming language that was created in 1987. It is not considered to be malware, but rather an application programming language (APL). The creator of this language has stated that it’s only used for writing small apps and games.

PureLocker supports encryption of files on both Windows and Unix-like systems.

The ransomware has a command-line interface that can be used to encrypt files, delete them or remove the data itself from their host systems. The command line interface allows you to specify if you want your encrypted file(s) or folder(s) encrypted using AES 256 bit encryption keys (the default). You may also change these settings at any time by using this tool called “Change Patterns Key.”

The malware’s goal

The malware’s goal is to encrypt data on a server, including SSH keys, SSL certificates, and other information found on the host. It may also encrypt files locally stored on drives connected with USB sticks or hard disks.

The malware uses AES256 encryption algorithm and it has two modes of operation: silent mode (which keeps the system from being affected) and alerting mode (which alerts you about what happened). In both cases it will not stop after encryption unless you pay extra money for unlocking your files.

The malware is designed

The malware is designed to encrypt the data using AES algorithms with a 256-bit encryption key. The malware generates a random 256 bit key for each file it encrypts and then uses AES with the same key to encrypt that file.

The above method of encryption is called “permute-based”. This means that instead of using one big key, there are multiple smaller keys used in conjunction with each other to create one big 128 bit or 256 bit encryption key.

The data it enciphers are stored in files like (…..)

The data it enciphers are stored in files like (…..)

The data is encrypted using AES algorithms with a 256-bit encryption key. The file size of the file is only 1KB, which means that even if you have an antivirus software installed on your computer, it cannot detect this file as malicious and will not be able to remove it from your system.

It also collects the server’s public IP address and tries to connect to the website in order to get its public IP address via an HTTP GET request.

It then uses this information along with a list of other commands it has gathered from its previous attacks, which include:

  • Instructions on how to encrypt files on local drives or network shares; these instructions are not specific enough for us at Imminent Threat Solutions (ITS) Labs to determine if they were included in any other attacks we have seen before. The only thing that stands out is that it mentions creating a new folder within one called “encrypted_data” and placing them there so they would be accessible once encrypted – but this could also mean anything else depending on what kind of encryption algorithm used by this ransomware strain might require first.

The malware encrypts files with the extension .purelocker for example (…..)

The Ransomware has been seen targeting servers in different countries, including Russia and UK.

It will eventually upload these files to its command-and-control server.

After encrypting the files, it will upload them to its command-and-control server. The server is hosted in the Tor network, which uses encryption and anonymity to protect users’ identities and locations. You can visit this URL: https://purelocker[.]pw

Be careful about opening untrusted files or links

The Locky ransomware family has been spreading via email since early 2017. This means that if you receive an email with a malicious attachment or link, it’s likely that your machine will become infected in seconds.

If you see a suspicious file attached to an email and don’t know what it is, do not open it! It could be part of the Locky ransomware family and should be avoided at all costs.

It is also important to remember that even if someone sends you a file as an attachment through their own website or social media accounts (like Dropbox), they may still be infected with Locky because they may have shared files with other people who then infected those devices themselves—meaning there are many potential ways for this malware package to spread further into networks around the world!


It is a multi-OS ransomware that encrypts files on Linux-based systems. It also collects the server’s public IP address and tries to connect to the website “http://ipinfo[.]io/ip” in order to get its public IP address via an HTTP GET request. The malware uses AES algorithms with a 256-bit encryption key and stores encrypted data in files like (…..).

Also Read