Trojan.Ransomcrypt.AB
First posted on 29 January 2016.
Source: Symantec
Aliases: There are no other names known for Trojan.Ransomcrypt.AB.
Explanation:
When the Trojan is executed, it creates the following file: %SystemDrive%\RECYCLER\sunset.jpg
Next, the Trojan overwrites %System%\sethc.exe with a copy of %System%\cmd.exe. sethc.exe is the Sticky Keys accessibility helper that Windows launches from the logon screen when Shift is pressed five times; replacing it with cmd.exe gives anyone at the console or at an RDP logon prompt a SYSTEM-level command shell without authenticating, so this swap is a persistence backdoor independent of the encryption itself.
The Trojan then displays a window (a screenshot in the original write-up, not reproduced here) that lists the file types to encrypt. The encryption routines run only when someone interacts with that application; they do not start automatically on execution.
Once this occurs, the Trojan encrypts files with the following extensions (entries containing "*" are wildcard patterns as given in the write-up): .crypt, .*db, .001, .1, .1cd, .2, .7z, .9, .accdb, .ai, .bak, .back, .backup, .bk*, .bk, .bmp, .cbf, .cdr, .cdx, .cer, .crt, .cf, .cfg, .cr2, .csv, .dat, .db*, .dd, .dmp, .doc, .docx, .dt, .efd, .epf, .eps, .erf, .ert, .evt, .ffdata, .fxp, .gbk, .glf, .gzip, .i01, .iar, .img, .iso, .jpeg, .jpg, .key, .lck, .ldf, .lgf, .lic, .license, .mb, .md*, .mokesi, .mxfd, .mxl, .odt, .pbd, .pdf, .pf, .pfx, .png, .ppt, .psd, .pst, .rar, .rpt, .rtf, .sql, .sdm, .tar, .tib, .tif, .tiff, .xlk, .xls, .xml, .xlsx, .zip, .zur
The Trojan then appends "LeChiffre" to the names of encrypted files.
Next, the Trojan creates the following files in each directory containing encrypted files:
[PATH TO ENCRYPTED FILES]\_secret_code.txt
[PATH TO ENCRYPTED FILES]\_How to decrypt LeChiffre files.html
The .html file contains a ransom note, which informs the user that their files have been encrypted. The message asks the user to email the attacker with [PATH TO ENCRYPTED FILES]\_secret_code.txt and two encrypted files as attachments. The note claims that once the user does this, the attacker will send them instructions on how to receive the decrypter.
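The host-side artifacts described above (the sethc.exe/cmd.exe swap, the "LeChiffre" suffix on encrypted files, the two ransom notes and the targeted extension list) are enough to write a triage scan for a suspected host or file share. The script below is an added example written for this page; it is not Symantec's code or part of the Trojan. It takes a system directory and a tree root as parameters rather than reading %System% itself, and it builds a constructed sample tree so it runs offline; the file contents in that tree are placeholders, not real samples.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Extension list from the write-up above. Entries containing "*" are the
# wildcard patterns exactly as the write-up gives them (*db, bk*, db*, md*).
TARGETED_EXTENSIONS = """
crypt *db 001 1 1cd 2 7z 9 accdb ai bak back backup bk* bk bmp cbf cdr cdx cer
crt cf cfg cr2 csv dat db* dd dmp doc docx dt efd epf eps erf ert evt ffdata
fxp gbk glf gzip i01 iar img iso jpeg jpg key lck ldf lgf lic license mb md*
mokesi mxfd mxl odt pbd pdf pf pfx png ppt psd pst rar rpt rtf sql sdm tar tib
tif tiff xlk xls xml xlsx zip zur
""".split()

MARKER = "LeChiffre"  # appended to the names of encrypted files
RANSOM_NOTES = {"_secret_code.txt", "_How to decrypt LeChiffre files.html"}

# Turn each pattern into an anchored, case-insensitive regex ("*" -> ".*").
_EXT_PATTERNS = [
    re.compile("^" + re.escape(p).replace(r"\*", ".*") + "$", re.IGNORECASE)
    for p in TARGETED_EXTENSIONS
]


def is_targeted_extension(filename: str) -> bool:
    """True if the file's extension matches one of the write-up's patterns."""
    suffix = Path(filename).suffix
    if not suffix:
        return False
    return any(p.match(suffix[1:]) for p in _EXT_PATTERNS)


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sethc_replaced_with_cmd(system_dir) -> bool:
    """Flag the sticky-keys swap: sethc.exe byte-identical to cmd.exe.

    On a live host pass Path(os.environ["SystemRoot"]) / "System32".
    A hash-equality check only catches the plain overwrite the write-up
    describes; a modified or differently sourced binary would need a
    signature / version-resource check instead.
    """
    system_dir = Path(system_dir)
    sethc, cmd = system_dir / "sethc.exe", system_dir / "cmd.exe"
    if not (sethc.is_file() and cmd.is_file()):
        return False
    return sha256_file(sethc) == sha256_file(cmd)


def triage(root) -> dict:
    """Walk a tree and classify files by what the write-up says is left behind."""
    result = {"encrypted": [], "ransom_notes": [], "at_risk": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name in RANSOM_NOTES:
                result["ransom_notes"].append(rel)
            elif name.endswith(MARKER):
                result["encrypted"].append(rel)
            elif is_targeted_extension(name):
                # Not yet encrypted but on the target list: back these up first.
                result["at_risk"].append(rel)
    for key in result:
        result[key].sort()
    return result


def build_sample_tree(swap_sethc: bool = True) -> str:
    """Constructed test data (placeholder bytes, not real samples): a fake
    system directory plus a share with encrypted files, notes and leftovers."""
    root = tempfile.mkdtemp(prefix="lechiffre_")
    sysdir = Path(root, "system32")
    sysdir.mkdir()
    (sysdir / "cmd.exe").write_bytes(b"MZ fake-cmd")
    (sysdir / "sethc.exe").write_bytes(b"MZ fake-cmd" if swap_sethc else b"MZ fake-sethc")
    share = Path(root, "share")
    share.mkdir()
    (share / "budget.xlsx.LeChiffre").write_bytes(b"\x00" * 16)
    (share / "scan.jpg.LeChiffre").write_bytes(b"\x00" * 16)
    (share / "_secret_code.txt").write_text("constructed secret code")
    (share / "_How to decrypt LeChiffre files.html").write_text("<html></html>")
    (share / "notes.txt").write_text("extension not on the list")
    (share / "backup.mdb").write_bytes(b"matches the *db pattern")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("sethc backdoored:", sethc_replaced_with_cmd(Path(root, "system32")))
    for kind, files in triage(root).items():
        print(kind, files)
```

Two points about the design: the wildcard entries are matched as anchored regexes, so ".mdb" is caught by "*db" and ".bk1" by "bk*" without over-matching unrelated extensions; and the encrypted-file test keys on the literal "LeChiffre" suffix rather than on a target extension, because an encrypted "report.docx" now ends in "LeChiffre" and would otherwise be missed.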
The Trojan then connects to [http://]184.107.251.146/sipvoi[REMOVED] and sends the following information:
Computer name
User name
Date when the Trojan was executed
Secret code
Email address shown in the ransom note
Number of encrypted files
Last update 29 January 2016