Cockblocker / CockLocker Ransomware

Forum for analysis and discussion about malware.
Posts: 6
Joined: Mon Feb 08, 2016 8:11 pm

Cockblocker / CockLocker Ransomware

Post by 711PartTimeJob » Tue Nov 29, 2016 9:51 pm

A new ransomware in development has been found called "cockblocker" or sometimes "cocklocker". It encrypts files using RSA-2048 and renames them to a .hannah extension. Currently demands 1 BTC and displays a very ugly lock screen as seen here:

Posts: 43
Joined: Thu Oct 29, 2015 1:09 am

Re: Cockblocker / CockLocker Ransomware

Post by p1nk » Thu Dec 01, 2016 2:54 am

C2 server is: ws://

If you follow WHOIS data and bounce around a bit, you can find some links to

GET /rs HTTP/1.1
User-Agent: websocket-sharp/1.0
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: TQAYVC2FuB/7rRtmYE3QAw==
Sec-WebSocket-Version: 13
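
A detection sketch for the handshake quoted in the post above, as an added example that is not part of the original post: it parses raw HTTP requests and reports which of the two visible traits (the websocket-sharp User-Agent and the /rs path) a WebSocket upgrade carries. The function names and the two benign sample requests are constructed for this example.

```python
# Added example: match WebSocket upgrades against the handshake shown in the post.
POST_REQUEST = (  # header lines as quoted in the post
    "GET /rs HTTP/1.1\r\n"
    "User-Agent: websocket-sharp/1.0\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: TQAYVC2FuB/7rRtmYE3QAw==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n"
)
BROWSER_REQUEST = (  # constructed benign sample
    "GET /chat HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n"
    "Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n\r\n"
)
PLAIN_REQUEST = (  # constructed: same path, but not a WebSocket upgrade
    "GET /rs HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n\r\n"
)

def parse_request(raw):
    """Split a raw HTTP request into (method, path, lowercase-keyed headers)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [l for l in head.split("\n") if l.strip()]
    parts = lines[0].split() if lines else []
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def match_handshake(raw):
    """Return which traits of the posted handshake this request shares."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, path, h = parsed
    # Connection is a comma-separated token list; "Upgrade" may not be alone.
    conn = [t.strip().lower() for t in h.get("connection", "").split(",")]
    if method != "GET" or h.get("upgrade", "").lower() != "websocket" or "upgrade" not in conn:
        return []  # not a WebSocket upgrade, so out of scope
    hits = []
    if h.get("user-agent", "").lower().startswith("websocket-sharp/"):
        hits.append("user-agent")
    if path.split("?", 1)[0] == "/rs":
        hits.append("path")
    return hits
```

websocket-sharp is a general-purpose library, so a User-Agent hit on its own is a weak signal; treat a request as a lead only when both traits match.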

Posts: 99
Joined: Fri Jun 28, 2013 6:51 pm

Re: Cockblocker / CockLocker Ransomware

Post by TETYYSs » Fri Dec 09, 2016 6:05 pm

Posts: 1
Joined: Sat Mar 04, 2017 11:42 pm

Re: Cockblocker / CockLocker Ransomware

Post by huehuehuehue » Sun Mar 05, 2017 8:31 pm

This was just made for Danooct1's User Made Malware series.
To decrypt files, enter "not_a_backdoor".
