Item #: SCP-XXXX

Object Class: Safe

Special Containment Procedures: A copy of SCP-XXXX-A is to be kept on a USB drive located in a standard containment locker in Site-15. Testing of SCP-XXXX-A may occur only with written approval from, and subject to guidelines provided by, the Records and Information Security Administration (RAISA). Foundation webcrawlers are to monitor information security-related blogs and the social media accounts of security researchers for mentions of the string "EntropyLock" or any reports of malware resembling SCP-XXXX-A.

A copy of SCP-XXXX-B is to be kept on a USB drive located in a standard containment locker in Site-15. SCP-XXXX-B shall be removed from this containment locker only during testing of SCP-XXXX-A.

SCP-XXXX-C instances shall undergo standard information review/redaction processes when discovered. Instances that have been deemed or rendered acceptable for release are to be stored in a dedicated subdirectory on the Site-15 general network share. Access to the subdirectory shall be restricted to Foundation personnel of level 3 or above, or to level 2 personnel who have been certified for research into multiversal anomalies.

SCP-XXXX-D is to be monitored by embedded Foundation operatives; should any software with behavior similar or identical to that of SCP-XXXX-A attempt to connect, Mobile Task Force Mu-4 ("Debuggers") shall be dispatched to the physical location corresponding to the origin address for purposes of investigation and/or containment. The routing tables for Site-15 network infrastructure devices shall be configured to route any packets with a destination address of SCP-XXXX-D to a RAISA network monitoring system unless otherwise required for testing purposes.

Description: SCP-XXXX is the collective designation for an anomalous malware application called "EntropyLock", and certain files produced by it.

SCP-XXXX-A is the designation for the malware application proper. SCP-XXXX-A is a Windows application that functions similarly to non-anomalous ransomware1 in its operation; however, when it attempts to encrypt files that contain certain binary strings, these files will become instances of SCP-XXXX-C upon decryption. (See Document XXXX-3 for a full list of strings known to cause SCP-XXXX-C instances to occur.) While still encrypted by SCP-XXXX-A, files meeting any of the above conditions will display no anomalous properties.

Reverse engineering of SCP-XXXX-A has shown that it utilizes a non-standard cryptosystem when encrypting and decrypting files. This cryptosystem appears to utilize a form of asymmetric cryptography much like RSA, but the mathematics involved appear fundamentally self-contradictory. Attempts to analyze the cryptosystem itself have met with minimal success.

SCP-XXXX-A will shut down prior to encrypting any files if it determines that it is being run on a computer system physically located within the borders of the Russian Federation, or if the system language is set to Russian.

SCP-XXXX-B is the designation for the command and control server utilized by SCP-XXXX-A to retrieve decryption keys once it confirms remittance of the ransom payment. It is not considered to be anomalous.

SCP-XXXX-C is the designation for files that have been encrypted and subsequently decrypted by the SCP-XXXX-A cryptosystem and contained any of the binary strings listed in Document XXXX-3 prior to encryption. SCP-XXXX-C instances are anomalously altered variations on the original file, the contents of which bear a thematic resemblance to the original in nearly all situations. At least 60% of SCP-XXXX-C instances are believed to contain data originating from an alternate universe or universes.

The full SCP-XXXX-C instance log is available from the SCP-XXXX research lead upon request.

SCP-XXXX-D is the designation for IPv4 address assigned to SCP-XXXX-B prior to containment. It is not considered to be anomalous.

History: SCP-XXXX was first encountered when it was uploaded to a Project Aristaeus45 honeypot server on 201█-██-██, ██:██ UTC. According to server logfiles, a remote attacker connected through what was later determined to be an open proxy located in Latvia and attempted to use the Aristaeus server to mail a PDF document containing SCP-XXXX-A to officials of the United States ██████████ █████ before disconnecting from the server. The attacker was eventually identified as █████ ████████████, a Russian national suspected of having FSB ties. Interrogation of ████████████ revealed that he created the SCP-XXXX-A cryptosystem due to a distrust of publicly known ones, but despite this had no knowledge of SCP-XXXX's anomalous properties nor any intent to create such. ████████████ was administered Class B amnestics and released from custody.

Addendum: Researcher's Note (Level 2 Clearance Required)