
Trojan.Ransomcrypt.V


First posted on 11 November 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Ransomcrypt.V.

Explanation:

When the Trojan is executed, it contacts the following location to obtain the user's IP address:
bot.whatismyipaddress.com
The Trojan sends out a bitmessage to a remote location chosen by the attacker with the following information:
Name of the user's computer
Encryption key for the user's files
The Trojan searches the compromised computer for files with the following extensions, deletes the original versions, and replaces them with encrypted versions ending in .crypt:
.txt, .doc, .docx, .docm, .odt, .ods, .odp, .odf, .odc, .odm, .odb, .rtf, .xlsm, .xlsb, .xlk, .xls, .xlsx, .pps, .ppt, .pptm, .pptx, .pub, .epub, .pdf, .jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .cs, .asp, .aspx, .cgi, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .js, .jar, .py, .wpd, .crt, .csv, .prf, .cnf, .indd, .number, .pages, .x3f, .srw, .pef, .raf, .orf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .ai, .eps, .pdd, .dng, .dxf, .dwg, .psd, .ps, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .wav, .ram, .ra, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa, .aa3, .amr, .mkv, .dvd, .mts, .qt, .vob, .3ga, .ts, .m4v, .rm, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .vmdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi
The Trojan creates the following file in any directory with a file it encrypted:
YOUR_FILES_ARE_ENCRYPTED.HTML
The Trojan opens one of these files in Internet Explorer's kiosk mode and displays the following ransom demand:
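A defender-side triage script, added here as an example and not part of the Symantec write-up, that walks a directory tree for the traces described above: directories holding the ransom note, .crypt files (recovering the original extension from the name), and targeted-extension files that are still intact. The extension set is an assumed subset of the advisory's full list, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.HTML"  # note name from the advisory
ENCRYPTED_SUFFIX = ".crypt"                    # suffix appended to encrypted files
# Assumed subset of the extensions the advisory lists as targeted.
TARGETED_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".pem",
                       ".key", ".sql", ".zip", ".vmdk"}


def triage(root):
    """Walk root and summarise traces of Trojan.Ransomcrypt.V activity.

    note_dirs: directories holding the ransom note (scope of the run)
    encrypted: files ending in .crypt, i.e. replaced originals
    unlisted_exts: original extensions of .crypt files not in the known list
    surviving: targeted-extension files still present unencrypted
    """
    root = Path(root)
    note_dirs, encrypted, unlisted, surviving = set(), [], set(), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            note_dirs.add(path.parent.relative_to(root).as_posix())
        elif path.suffix == ENCRYPTED_SUFFIX:
            encrypted.append(rel)
            original_ext = Path(path.stem).suffix.lower()  # report.docx.crypt -> .docx
            if original_ext not in TARGETED_EXTENSIONS:
                unlisted.add(original_ext)
        elif path.suffix.lower() in TARGETED_EXTENSIONS:
            surviving.append(rel)
    return {"note_dirs": sorted(note_dirs), "encrypted": sorted(encrypted),
            "unlisted_exts": unlisted, "surviving": sorted(surviving)}


def demo():
    """Build a constructed sample tree (not real victim data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / RANSOM_NOTE).write_text("<html>constructed ransom note</html>")
        (root / "docs" / "report.docx.crypt").write_bytes(b"\x00constructed ciphertext")
        (root / "docs" / "server.pem.crypt").write_bytes(b"\x00constructed ciphertext")
        (root / "docs" / "misc.xyz.crypt").write_bytes(b"\x00constructed ciphertext")
        (root / "budget.xlsx").write_bytes(b"PK constructed, not yet encrypted")
        (root / "readme.md").write_text("extension not on the target list")
        return triage(root)
```

Running `demo()` reports the `docs` directory as in scope, three replaced originals (one with an extension outside the known list, worth checking against the full list on this page), and `budget.xlsx` as a surviving target.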

Last update 11 November 2015
