Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
TypeRansomware, Trojan
CreatorKrystofoxik :^)
DateMarch 22nd, 2018
Programming LanguageAssembly
PlatformMicrosoft Windows
File TypeWin32 PE executable (.EXE)
This box: view  talk  edit

EggLocker is a ransomware that encrypts files. It was created in Assembly just like other ransomwares. EggLocker was designed to attack computer users in Czech-speaking regions due to the content and document associated with EggLocker attack.

However, this cyber threat is more of a joke than a real ransomware virus. It does not actually encrypt data; it only renames copied files.


EggLocker runs as an executable named 'EGG.exe' on the targeted computers. EggLocker will rename the files it affects by adding the file extension '.EGG' to the end of each affected file's name. EggLocker infection has been linked to a fake DirectX notification, which claims that this application encountered a problem and needs to close, which aids EggLocker in its attack. 

The following are some of the file types that are typically encrypted in these attacks:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, 
.as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, 
.dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, 
.dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, 
.indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, 
.max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, 
.pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj,
.pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, 
.py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, 
.sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, 
.wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, 
.xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

EggLocker can still make some changes to the system and make it vulnerable to other cyber threats. Additionally, it might be updated any minute and start functioning as a real crypto-malware. Hence, immediate elimination is needed.

Egglocker would kill Skype just like some other ransomwares

Soon after making a mess with files on the targeted computer, EggLocker changes the desktop picture and tries to threaten victims into paying a ransom:


Your files has been locked due evil 
chicken, your only way to get them 
back is pay for chicken killers.

Bitcoin address: [redacted]

Any tries to remove chicken will just damage your files.
Be carefully with your decisions.

Malware continues pretending ransomware behavior and also creates a ransom note in the text file. However, the author of malware forgot to tell the size of the ransom:

Your Windows might not support this software
Chicken has just awoken!
Your pc has to pay for all files otherwise
small chicken is going to eat them all!
There is no way to kill chicken.
Your attack means her respond

When the victims close the fake DirectX notification, the website 'chickenluck.win' will be loaded automatically on their Web browser. This website is dedicated to a person named 'Krysto Foxik' with several social media and website accounts. It is unclear if the person featured in this page is involved in the EggLocker attack directly or if it is an individual that has been chosen by the people responsible for EggLocker as part of their infection.