Ransom:Win32/Orxlocker.A
First posted on 01 October 2015.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Orxlocker.A.
Explanation:
Threat behavior
Installation
This threat can arrive as part of a phishing email or as a payload by other malware.
Payload
Encrypts your files
Once it establishes a connection with its C2 server, it begins searching for files to encrypt.
This threat can search your PC for any files with the following extensions:
- .7z
- .avi
- .doc
- .docm
- .docx
- .dwg
- .gif
- .jpe
- .jpeg
- .jpg
- .key
- .m4v
- .mkv
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .php
- .png
- .ppt
- .pptx
- .psd
- .pst
- .QBB
- .QBW
- .QDB
- .rar
- .raw
- .rtf
- .ssh
- .tc
- .txt
- .vbox
- .vdi
- .vhd
- .vmdk
- .wmv
- .wpd
- .wps
- .xls
- .xlsx
- .zip
This threat avoids encrypting files from these paths:
- C:\$Recycle.Bin
- C:\DELL
- C:\DRIVERS
- C:\NVIDIA
- C:\Program Files (x86)
- C:\Program Files
- C:\ProgramData
- C:\SWSETUP
- C:\Windows.old
- C:\Windows
It drops the ransom note Payment.htm on the desktop with instructions on how to retrieve the key for the encrypted files.
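The extension list, the skipped directories and the dropped note above can be turned into a scoping helper for incident response: given a file inventory from an affected host, it reports which files matched the encryptor's selection rules (and so are presumed encrypted), which were left alone, and where Payment.htm notes were dropped. This is an added example, not code from the encyclopedia entry or from Microsoft; the path-matching logic and the sample paths in the test are constructed here.

```python
from pathlib import PureWindowsPath

# Extension and exclusion lists copied from the description above, lower-cased
# because the entry mixes case (.QBB, .QBW, .QDB) and NTFS is case-insensitive.
TARGET_EXTENSIONS = {
    ".7z", ".avi", ".doc", ".docm", ".docx", ".dwg", ".gif", ".jpe", ".jpeg",
    ".jpg", ".key", ".m4v", ".mkv", ".mov", ".mp3", ".mp4", ".mpeg", ".mpg",
    ".php", ".png", ".ppt", ".pptx", ".psd", ".pst", ".qbb", ".qbw", ".qdb",
    ".rar", ".raw", ".rtf", ".ssh", ".tc", ".txt", ".vbox", ".vdi", ".vhd",
    ".vmdk", ".wmv", ".wpd", ".wps", ".xls", ".xlsx", ".zip",
}
EXCLUDED_DIRS = [
    r"C:\$Recycle.Bin", r"C:\DELL", r"C:\DRIVERS", r"C:\NVIDIA",
    r"C:\Program Files (x86)", r"C:\Program Files", r"C:\ProgramData",
    r"C:\SWSETUP", r"C:\Windows.old", r"C:\Windows",
]
RANSOM_NOTE = "payment.htm"  # dropped on the desktop, per the description

def _parts(path: str) -> tuple:
    # PureWindowsPath parses Windows paths on any OS; lower-case for NTFS.
    return PureWindowsPath(path.lower()).parts

def is_excluded(path: str) -> bool:
    # Compare path components, not string prefixes, so C:\Windows.old and
    # C:\Windows stay distinct and C:\Windows does not match C:\WindowsX.
    parts = _parts(path)
    return any(parts[:len(ex)] == ex for ex in map(_parts, EXCLUDED_DIRS))

def in_scope(path: str) -> bool:
    """Would this file have matched the encryptor's selection rules?"""
    return (PureWindowsPath(path).suffix.lower() in TARGET_EXTENSIONS
            and not is_excluded(path))

def is_ransom_note(path: str) -> bool:
    # Payment.htm directly inside a folder named Desktop (constructed check).
    parts = _parts(path)
    return len(parts) > 1 and parts[-2] == "desktop" and parts[-1] == RANSOM_NOTE

def triage(paths) -> dict:
    """Split a file inventory into presumed-encrypted files, files the
    threat skips, and dropped ransom notes, for incident scoping."""
    report = {"in_scope": [], "skipped": [], "ransom_notes": []}
    for p in paths:
        key = ("ransom_notes" if is_ransom_note(p)
               else "in_scope" if in_scope(p) else "skipped")
        report[key].append(p)
    return report
```

Note that the target list includes .key and .ssh files, so a scoping run that turns up those paths is also a prompt to rotate the affected credentials, not only to restore the files.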
Analysis by Marianne Mallen
Symptoms
The following can indicate that you have this threat on your PC:
- You see this message instead of your wallpaper:
Last update 01 October 2015