Trojan.Ransomcrypt.T
First posted on 05 June 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.T.
Explanation:
When the Trojan is executed, it creates the following files:
%Windir%\csrss.exe
%Temp%\lock
%Temp%\state
%UserProfile%\Application Data\[RANDOM CHARACTERS].bmp
Next, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Subsystem" = "%Windir%\csrss.exe"
The Trojan then connects to the following remote locations:
[http://]gxyvmhc55s4fss2q.onion/reg[REMOVED]
[http://]gxyvmhc55s4fss2q.onion/prog[REMOVED]
[http://]gxyvmhc55s4fss2q.onion/err[REMOVED]
[http://]gxyvmhc55s4fss2q.onion/cmd[REMOVED]
[http://]gxyvmhc55s4fss2q.onion/sys[REMOVED]
Next, the Trojan searches for files stored on fixed drives, removable drives, and remote drives. It then encrypts files with the following extensions and renames the files to [FILE NAME].xtbl:
.1cd .3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip
The Trojan then drops the following file in each folder that has encrypted files:
[PATH TO ENCRYPTED FILES]\README[RANDOM NUMBER].txt
The Trojan then changes the desktop image to a picture of the ransom demand in Russian and English. The demand tells the user that their files are encrypted and asks the user to open [PATH TO ENCRYPTED FILES]\README[RANDOM NUMBER].txt to get more information.
Last update 05 June 2015
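The artifacts above (the Run value name, csrss.exe dropped directly under %Windir%, the .xtbl rename and the README[NUMBER].txt note) can be checked host-side against an exported Run key and a file listing. The following script is an added example written for this page, not Symantec's own tooling; the Run entries and paths it scans are constructed sample data for a hypothetical host.

```python
import re

# Indicators below are the ones listed in the advisory; the sample data at the end is constructed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Client Server Runtime Subsystem"
ENCRYPTED_EXT = ".xtbl"
RANSOM_NOTE_RE = re.compile(r"^README\d+\.txt$", re.IGNORECASE)


def check_run_entry(key: str, name: str, data: str) -> list:
    """Flag the autorun entry the advisory describes, plus the csrss.exe path anomaly."""
    findings = []
    if key.lower() == RUN_KEY.lower() and name == RUN_VALUE_NAME:
        findings.append(f"Run value '{name}' matches the Trojan.Ransomcrypt.T persistence name")
    exe = data.strip('"').lower()
    # Genuine csrss.exe lives in %Windir%\System32; the Trojan's copy sits directly under %Windir%.
    if exe.endswith("\\csrss.exe") and "\\system32\\" not in exe:
        findings.append(f"csrss.exe started from outside System32: {data}")
    return findings


def check_path(path: str) -> list:
    """Flag renamed encrypted files ([FILE NAME].xtbl) and README[NUMBER].txt ransom notes."""
    name = path.rsplit("\\", 1)[-1]
    findings = []
    if name.lower().endswith(ENCRYPTED_EXT):
        findings.append(f"encrypted-file extension {ENCRYPTED_EXT}: {path}")
    if RANSOM_NOTE_RE.match(name):
        findings.append(f"ransom note README[NUMBER].txt: {path}")
    return findings


def scan(run_entries, paths) -> list:
    """Run both checks over (key, value name, data) Run entries and a file listing."""
    findings = []
    for key, name, data in run_entries:
        findings.extend(check_run_entry(key, name, data))
    for path in paths:
        findings.extend(check_path(path))
    return findings


# Constructed sample input (hypothetical host), not data from the advisory.
SAMPLE_RUN_ENTRIES = [
    (RUN_KEY, "OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'),
    (RUN_KEY, RUN_VALUE_NAME, r'"%Windir%\csrss.exe"'),
]
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\budget.xlsx.xtbl",
    r"C:\Users\alice\Documents\README1234567.txt",
]
```

Running `scan(SAMPLE_RUN_ENTRIES, SAMPLE_PATHS)` on the sample data yields four findings: two for the persistence entry and one each for the encrypted file and the ransom note.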