Flocker
Flocker Ransomware: What Is It?
Flocker is a ransomware strain discovered by the CyberDefenders Team in January 2023; in underground forums it’s also known as “FlockCrypt”. Flocker works by infiltrating systems and encrypting files, appending the extension “.flocked” and making the data inaccessible. After encryption, a ransom note, usually named “Recover-My-Files.txt”, is left in each affected folder. Flocker uses AES and RSA encryption to lock the files, embedding a unique decryption key into each file; to unlock your files, you’ll need the private decryption key held by the attackers. It’s also notorious for deleting shadow copies, preventing easy data recovery.
The ransom note demands a hefty payment and provides email contacts or Tor websites for further communication.
How Does Flocker Work?
Flocker ransomware attacks follow a structured, multi-phase process:
Phase 1: Initial Access
Flocker gains initial entry by exploiting phishing emails, RDP brute force, or vulnerabilities in unpatched software. Over 70% of infections are reported to originate from phishing campaigns.
Phase 2: Lateral Movement
Once inside, Flocker can spread across a network autonomously. It’s known for its worm-like spreading capabilities. Attackers use tools like Cobalt Strike or Mimikatz to escalate privileges and move deeper into the network. Flocker is skilled at disabling security services and masking its activity to avoid detection.
Phase 3: Encryption
After gaining full access, Flocker begins encrypting data, appending a unique decryption key to every file. Victims are then presented with a ransom note, demanding payment in cryptocurrency to retrieve their data. If no payment is made, Flocker’s operators often threaten to leak sensitive data.
Flocker Variants:
- Variant 1: “.flocked”
  The original Flocker variant, known for its rapid encryption speed and persistence techniques.
- Variant 2: “.flocktor”
  A more advanced version that includes debugging features to bypass antivirus systems and increased stealth.
- Variant 3: “.flocklock”
  This version uses Tor communication and comes with modified ransom notes, pushing for quicker payments.
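As an added example (not from the original page or any vendor tooling), here is a small Python triage script a responder could run on an isolated host: it walks a directory tree, counts files carrying the three variant extensions listed above, records which folders hold the “Recover-My-Files.txt” note, and flags folders that contain encrypted files but no note yet. The sample tree it builds is constructed for the dry run; the file names and layout are assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the page attributes to the three Flocker variants.
VARIANT_EXTENSIONS = {
    ".flocked": "Variant 1",
    ".flocktor": "Variant 2",
    ".flocklock": "Variant 3",
}
RANSOM_NOTE_NAME = "Recover-My-Files.txt"


def triage_tree(root):
    """Summarise Flocker indicators under `root`.

    Returns per-variant encrypted-file counts, folders holding a ransom
    note, and folders with encrypted files but no note (encryption may
    still be running there, so they deserve the first look)."""
    root = Path(root)
    counts = Counter()
    note_dirs, encrypted_dirs = set(), set()
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            if name == RANSOM_NOTE_NAME:
                note_dirs.add(folder)
                continue
            ext = Path(name).suffix.lower()
            if ext in VARIANT_EXTENSIONS:
                counts[VARIANT_EXTENSIONS[ext]] += 1
                encrypted_dirs.add(folder)
    rel = lambda p: str(p.relative_to(root))
    return {
        "variants": dict(counts),
        "note_dirs": sorted(rel(p) for p in note_dirs),
        "encrypted_without_note": sorted(rel(p) for p in encrypted_dirs - note_dirs),
    }


def build_sample_tree():
    """Constructed sample tree (placeholder bytes, not real malware output)."""
    root = Path(tempfile.mkdtemp(prefix="flocker-triage-"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q1.xlsx.flocked").write_bytes(b"\x00" * 16)
    (root / "finance" / "q2.xlsx.flocked").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE_NAME).write_text("constructed note\n")
    (root / "hr" / "staff.docx.flocklock").write_bytes(b"\x00" * 16)
    (root / "hr" / "untouched.txt").write_text("clean\n")
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Point `triage_tree` at a mounted image or file-share root to get a quick per-variant count before deciding which backups to restore.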
How to Protect Yourself from Flocker:
- Strong Passwords: Use complex passwords and rotate them regularly.
- Enable Multi-Factor Authentication (MFA): Add an extra layer of security to all critical systems.
- Review User Permissions: Limit access to sensitive data and critical systems to only necessary personnel.
- Remove Old and Unused Accounts: Keep your network clean by disabling unused accounts.
- Secure System Configurations: Regularly audit and update security configurations.
- Regular Backups: Always maintain offsite backups to mitigate data loss.
- Comprehensive Cybersecurity: Invest in tools that can detect and neutralize threats in real-time.
What To Do If You’re Infected by Flocker:
- Don’t Panic! Stay calm and follow a structured response plan.
- Isolate Affected Devices: Disconnect the infected systems from the network immediately to prevent further spread.
- Notify Your IT Provider: They will help assess the situation and guide the recovery process.
- Consult an Expert: Seek advice from a cybersecurity professional to assist with the situation.
Conclusion
To defend against Flocker ransomware, always stay vigilant with strong security practices, maintain offline backups, and consider investing in a solid cybersecurity infrastructure. Prevention is far more cost-effective than recovery.