[FSec] Trojan:W32/Ransomcrypt

Nachrichtenbote
We are receiving reports of a ransom trojan that has been circulating during the last two days.

When first run on the system, the ransomware iterates through all folders on the system. Every document, image and shortcut (.lnk) file found is encrypted and given the extension .EnCiPhErEd. In each folder it drops a text file called "HOW TO DECRYPT.TXT" which contains instructions on how to proceed. The bandit is demanding 50€.

It drops a copy of itself in the system's temp folder with a random name. It creates registry entries to associate the .EnCiPhErEd extension with itself, so that the temp folder copy is launched whenever those files are opened, in order to demand the decryption password. After five attempts it will no longer accept passwords, and it then deletes itself, leaving your data encrypted.

Our threat hunters think that the source of this ransomware may be malicious tags inserted into websites, particularly forums.

Here's how encrypted files look once the trojan has done its work:

ransomcrypt_trojan_01.png

This is the content of the text file:

ransomcrypt_trojan_02.png

The "Attention!" message:

ransomcrypt_trojan_03.png


The "Error!" message that you'll get if the wrong password is input:

ransomcrypt_trojan_04.png

Another error message, repeating the demands found in the .txt file:

ransomcrypt_trojan_05.png

The encryption used by this trojan is not as complex as some other ransomware we've analyzed, such as Gpcode. Investigations to determine if its encryption can be cracked are ongoing.

SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf

Analysis by — K.M. Chang
On 12/04/12 At 12:47 PM

Read more...

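The following triage script is an added example and is not code from F-Secure or from the post above. It turns the behaviour described there (files renamed with .EnCiPhErEd, a "HOW TO DECRYPT.TXT" note in every affected folder, a randomly named copy in the temp folder, a file association for the new extension) into checks an incident responder can run on a suspect machine. The sample directory tree it builds is constructed for the demo and contains no malware; the registry layout it reads (HKCR\.EnCiPhErEd default value naming a ProgID, whose shell\open\command holds the launch command) is the standard Windows association layout and is an assumption, since the post does not name the exact keys the trojan writes.

```python
"""
Triage helpers for the ransomware behaviour described in the post.
Added example; the directory tree built by build_demo_tree() is constructed
for illustration and contains no real malware.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".EnCiPhErEd"          # extension appended to every encrypted file
RANSOM_NOTE = "HOW TO DECRYPT.TXT"     # note dropped in each affected folder
KNOWN_SHA1 = "b8f60c64c70f03c263bf9e9261aa157a73864aaf"   # sample hash from the post


def sha1_of_file(path):
    """Hex SHA1 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root` and collect encrypted files, ransom notes and the folders hit."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):      # exact-case match on the extension
                encrypted.append(full)
            elif name.upper() == RANSOM_NOTE:     # note name is matched case-insensitively
                notes.append(full)
    folders_hit = sorted({os.path.dirname(p) for p in encrypted})
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "folders": folders_hit}


def original_name(encrypted_path):
    """Recover the pre-encryption filename by stripping the appended extension."""
    name = os.path.basename(encrypted_path)
    if name.endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def find_dropper_in_temp(temp_dir):
    """Hash every regular file directly inside `temp_dir`; return those matching KNOWN_SHA1.
    The dropped copy has a random name, so the hash is the only reliable handle."""
    hits = []
    for entry in os.scandir(temp_dir):
        if entry.is_file() and sha1_of_file(entry.path) == KNOWN_SHA1:
            hits.append(entry.path)
    return hits


def enciphered_file_association():
    """On Windows, return the command registered for .EnCiPhErEd, or None if absent.
    Assumes the standard HKCR\\<ext> -> ProgID -> shell\\open\\command layout."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, ENCRYPTED_EXT) as k:
            progid, _ = winreg.QueryValueEx(k, "")
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid + r"\shell\open\command") as k:
            cmd, _ = winreg.QueryValueEx(k, "")
        return cmd
    except OSError:
        return None


def build_demo_tree():
    """Construct a fake infected tree (placeholder bytes, no malware) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="ransomcrypt_demo_")
    docs, pics = Path(root) / "Documents", Path(root) / "Pictures"
    for d in (docs, pics):
        d.mkdir()
        (d / RANSOM_NOTE).write_text("constructed placeholder note\n")
    (docs / ("report.doc" + ENCRYPTED_EXT)).write_bytes(b"\x00constructed")
    (docs / "untouched.exe").write_bytes(b"MZ constructed")   # not a document: left alone
    (pics / ("holiday.jpg" + ENCRYPTED_EXT)).write_bytes(b"\x01constructed")
    (pics / ("link.lnk" + ENCRYPTED_EXT)).write_bytes(b"\x02constructed")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    result = scan_tree(root)
    print(f"{len(result['encrypted'])} encrypted files in {len(result['folders'])} folders")
    for p in result["encrypted"]:
        print("  ", p, "->", original_name(p))
    print("ransom notes:", result["notes"])
    print("dropper copies in temp:", find_dropper_in_temp(tempfile.gettempdir()))
    print(".EnCiPhErEd association:", enciphered_file_association())
```

On a real machine point scan_tree at the user profile or each fixed drive and find_dropper_in_temp at %TEMP%; the association check is the quickest way to confirm the registry tampering, and removing that key stops double-clicking an encrypted file from relaunching the trojan. Note that the script only inventories; it does not decrypt anything.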
Hello,

unfortunately I have had this problem since today as well. I can no longer open any of my jpg, bmp, pdf or doc files. Who can help? Is there any way to repair the data?

Regards

Günther