Ransom:PowerShell/Roduk.A
First posted on 13 June 2019.
Source: Microsoft
Aliases:
Ransom:PowerShell/Roduk.A is also known as Trojan-Ransom.Win32.ElPolock.a, PowerShell/Filecoder.A, TROJ_CRYPOLLO.A, Trojan.Cryptolocker.S.
Explanation:
Installation
This threat is a malicious Windows PowerShell script that can be downloaded by TrojanDownloader:PowerShell/Roduk.A.
It can create the following files on your PC:
c:\1\locked.bmp - ransom wallpaper image
c:\1\reflect.dll - detected as Ransom:Win32/Roduk.A!dll
c:\1\ .dll - detected as Ransom:Win32/Roduk.A!dll
%desktop%\encrypted.htm - list of encrypted files
%desktop%\qwer.html - ransom html page
%desktop%\qwer2.html - ransom html page
Payload
Encrypts your files
This threat can search your PC for any files with the following extensions:
.ai .crt .csv .db .doc .docm .docx .dotx .gif .jpeg .jpg .lnk .mp3 .msi .ods .one .ost .p12 .pdf .pem .pps .ppsx .ppt .pptx .psd .pst .pub .rar .raw .rtf .tif .txt .vsdx .wma .xls .xlsm .xlsx .xml .zip
It encrypts any files that it finds and displays the following messages:
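The extension list above is the most actionable part of this entry for a responder who has to gauge exposure on a machine or share. The script below is an added example, not Microsoft's code and not part of the malware: it walks a directory tree, counts files whose extension is on the page's target list, and separately reports any of the ransom-note artefact names the page lists (locked.bmp, encrypted.htm, qwer.html, qwer2.html). The sample directory layout it builds is constructed for the demonstration; the c:\1\ and %desktop% locations from the page are not assumed, since a responder would point it at whatever path is under review.

```python
import os
import tempfile
from pathlib import Path

# File extensions this entry lists as targeted by Ransom:PowerShell/Roduk.A.
TARGETED_EXTENSIONS = frozenset("""
.ai .crt .csv .db .doc .docm .docx .dotx .gif .jpeg .jpg .lnk .mp3 .msi .ods
.one .ost .p12 .pdf .pem .pps .ppsx .ppt .pptx .psd .pst .pub .rar .raw .rtf
.tif .txt .vsdx .wma .xls .xlsm .xlsx .xml .zip
""".split())

# Ransom-note and wallpaper artefact names from the entry (basenames only).
INDICATOR_FILENAMES = frozenset({"locked.bmp", "encrypted.htm", "qwer.html", "qwer2.html"})


def scan_tree(root):
    """Walk `root` and return (files with a targeted extension, artefact files)."""
    at_risk, indicators = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in INDICATOR_FILENAMES:
                indicators.append(path)
            # Extension match is case-insensitive: the malware's search would
            # not care that a camera wrote "holiday.JPG" rather than ".jpg".
            if path.suffix.lower() in TARGETED_EXTENSIONS:
                at_risk.append(path)
    return at_risk, indicators


def summarize(root):
    """Exposure summary for `root`: counts per extension plus artefacts seen."""
    at_risk, indicators = scan_tree(root)
    by_ext = {}
    for p in at_risk:
        by_ext[p.suffix.lower()] = by_ext.get(p.suffix.lower(), 0) + 1
    return {
        "at_risk_count": len(at_risk),
        "by_extension": by_ext,
        "indicator_count": len(indicators),
        "indicators": sorted(str(p) for p in indicators),
    }


def build_sample_tree():
    """Constructed sample tree (not real data) so the script runs stand-alone."""
    root = tempfile.mkdtemp(prefix="roduk_triage_")
    layout = [
        "Documents/report.docx",   # targeted
        "Documents/notes.txt",     # targeted
        "Documents/backup.bak",    # not on the page's list
        "Pictures/holiday.JPG",    # targeted, upper-case extension
        "Desktop/encrypted.htm",   # artefact named on the page
        "Desktop/qwer.html",       # artefact named on the page
        "bin/tool.exe",            # not on the page's list
    ]
    for rel in layout:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(summarize(root))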
Deletes backup files
This threat also tries to stop you from restoring your files from backup. It does this by:
Deleting shadow files to prevent you from restoring your files from a local backup
Disabling Startup Repair and Windows Error Recovery on system startup
Disabling System Restore
Analysis by Jireh Sanico
Last update 13 June 2019
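The three backup-destruction behaviours listed above are where this family is easiest to catch before files are lost, because each one has to spawn a child process from the PowerShell host. The script below is an added example, not Microsoft's code and not derived from the malware: it runs behaviour signatures over process-creation events and escalates when several behaviours occur on one host within a short window or when the parent is PowerShell (the entry states the threat is a PowerShell script). The entry names the behaviours but not the commands, so the command forms in the signatures are my assumption about how such activity typically appears in process-creation telemetry (for example Sysmon Event ID 1 or Security 4688); the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour signatures. The entry names the behaviours only; these command
# forms are an assumption about how they surface in process-creation logs.
BEHAVIOUR_SIGNATURES = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "system_restore_disabled": re.compile(
        r"(Disable-ComputerRestore|SystemRestore\\DisableSR)", re.I),
}

# Constructed sample telemetry (not real logs): host, time, parent image, command line.
SAMPLE_EVENTS = [
    ("WS01", "2019-06-13T09:00:01", "explorer.exe",
     "powershell.exe -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"),
    ("WS01", "2019-06-13T09:00:05", "powershell.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "2019-06-13T09:00:06", "powershell.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ("WS01", "2019-06-13T09:00:06", "powershell.exe",
     "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS02", "2019-06-13T11:30:00", "services.exe", "vssadmin.exe list shadows"),  # benign enumeration
    ("WS03", "2019-06-13T12:00:00", "cmd.exe", "bcdedit.exe /set {default} recoveryenabled No"),  # lone hit
]


def classify(command_line):
    """Return the behaviour names whose signature matches `command_line`."""
    return [name for name, rx in BEHAVIOUR_SIGNATURES.items() if rx.search(command_line)]


def correlate(events, window=timedelta(minutes=5)):
    """Per host: collect hits, then rate the host high when two or more distinct
    behaviours fall within `window` of the first hit or any hit has a PowerShell
    parent; a single hit from another parent is rated low for analyst review."""
    hits = defaultdict(list)
    for host, ts, parent, cmd in events:
        for behaviour in classify(cmd):
            hits[host].append((datetime.fromisoformat(ts), parent.lower(), behaviour, cmd))

    alerts = {}
    for host, items in hits.items():
        items.sort()
        first_seen = items[0][0]
        in_window = [i for i in items if i[0] - first_seen <= window]
        behaviours = {i[2] for i in in_window}
        ps_parent = any(i[1] == "powershell.exe" for i in in_window)
        alerts[host] = {
            "severity": "high" if (len(behaviours) >= 2 or ps_parent) else "low",
            "behaviours": sorted(behaviours),
            "powershell_parent": ps_parent,
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

Hosts with no matching events (WS02, whose vssadmin call only lists shadows) produce no alert at all; the lone bcdedit call on WS03 is kept at low severity so it reaches a queue without paging anyone, while WS01 is escalated on both the PowerShell parent and the combination of behaviours.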