Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

WinLocker

WinLocker is a Windows lockscreen malware component observed as part of a multi-stage malware campaign reported by FortiGuard Labs/Fortinet analysts. In the documented activity, initial access relied on social engineering: business-themed lure documents delivered in compressed archives containing malicious LNK shortcut files disguised as normal documents. Executing the shortcut launched PowerShell with execution-policy bypass to download an obfuscated first-stage loader from GitHub, while decoy documents were displayed to distract the victim. The broader campaign abused legitimate Windows functionality and public cloud services such as GitHub and Dropbox rather than exploiting software vulnerabilities, and included extensive defense evasion such as registering a fake antivirus product to disable Microsoft Defender, modifying registry settings, disabling administrative tools, and impairing recovery by disabling Windows Recovery Environment, deleting backup catalogs, and removing Volume Shadow Copies. Within this payload set, WinLocker enforced complete desktop or system lockout, displayed Russian-language ransom demands, and in some reporting showed countdown timers intended to pressure victims into contacting the attacker for ransom negotiation. It was deployed alongside other malware including Amnesia RAT and Hakuna Matata ransomware, indicating use in financially motivated extortion activity against Windows users. High-confidence behaviors directly attributed to WinLocker in the provided content are system/desktop lockout, Russian-language ransom messaging, and countdown-based coercion.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
techrepublic com securityNews
Jan 23, 2026
Hackers Disable Windows Security With New Malware Attack - TechRepublic

Locker-style payload that prevents normal desktop access (screen/desktop lockout) and presents ransom demands (noted as Russian-language).

Read more
cyber security newsNews
Jan 22, 2026
New Multi-Stage Windows Malware Disables Microsoft Defender Before Dropping Malicious Payloads

System-locking component that blocks access to the system and displays countdown timers to pressure victims into ransom negotiation; used alongside file-encrypting ransomware.

Read more
vmware security blogNews
Nov 12, 2025
Stacking Your Defenses: Integrating Advanced Threat Prevention and SIEM

Winlocker is a type of ransomware that locks the victim's system or files and demands payment for restoration.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.