Trojan.Ransomcrypt.AC
First posted on 13 February 2016.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.AC.
Explanation:
When the Trojan is executed, it checks for the presence of the Avast antivirus program on the computer.
Next, the Trojan creates the following file and sets the file's attributes to hidden:
%AppData%\Locker.exe
The Trojan then creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"application" = "%AppData%\Locker.exe"
HKEY_CLASSES_ROOT\".locked" = "locked_auto_file"
HKEY_CLASSES_ROOT\locked_auto_file\shell\open\"command" = "%AppData%\Locker.exe %1"
The first entry gives the dropped copy persistence through the user's Run key; the other two register a file association for the .locked extension, so that opening an encrypted file launches the Trojan with that file as its argument.
Next, the Trojan generates a 20-character password and sends a message to the attacker over SMTP using the following details:
SMTP server: auth.smtp.1and1.fr
SMTP credentials: bodreaux@sothis.fr:[OBFUSCATED PASSWORD]
From: [COMPUTER NAME] bordeaux@sothis.fr
To: brangiersimonalain@gmail.com
Subject: New Client [UNIQUE ID]
Body: Serial Number: [PASSWORD]
The SMTP credentials are embedded (obfuscated) in the Trojan, and the password that will determine the encryption key leaves the host in cleartext in the message body.
If the Trojan succeeds in sending this message, it then creates the following registry entries:
HKEY_CURRENT_USER\Software\"Code" = "[PASSWORD]"
HKEY_CURRENT_USER\Software\"1" = "1"
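The dropped file, the Run-key entry, the .locked file association and the two values under HKEY_CURRENT_USER\Software are specific enough to alert on. The following Python is an added example and is not part of the Symantec write-up: it runs those indicators over constructed registry-set and file-create event records (the record fields `type`, `image`, `target`, `data` and `path`, and the Sysmon-style `HKU\<SID>` and `HKCR` hive prefixes, are assumptions made for the sample data) and reports which process touched which indicator.

```python
"""Flag events that match the Trojan.Ransomcrypt.AC persistence indicators."""
import re

# Indicators lifted from the write-up. Patterns are anchored on the tail of the
# registry path so that HKCU/HKCR abbreviations or an HKU\<SID>\ prefix, as a
# Sysmon-style sensor would emit, still match.
REGISTRY_IOCS = {
    "run_key_persistence": re.compile(
        r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\application$", re.I),
    "locked_extension_handler": re.compile(r"\\\.locked$", re.I),
    "locked_open_command": re.compile(
        r"\\locked_auto_file\\shell\\open\\command$", re.I),
    "password_value_code": re.compile(r"\\Software\\Code$", re.I),
    "marker_value_1": re.compile(r"\\Software\\1$", re.I),
}
# %AppData% resolves to <profile>\AppData\Roaming on Vista and later.
LOCKER_PATH = re.compile(r"(?:\\AppData\\Roaming|%AppData%)\\Locker\.exe\b", re.I)


def classify(event):
    """Return the indicator names one event record matches (empty if none)."""
    hits = []
    if event.get("type") == "registry_set":
        target = event.get("target", "")
        hits += [name for name, rx in REGISTRY_IOCS.items() if rx.search(target)]
        # Value data pointing at the dropped binary (Run entry, open command)
        if LOCKER_PATH.search(event.get("data", "")):
            hits.append("value_references_locker")
    elif event.get("type") == "file_create":
        if LOCKER_PATH.search(event.get("path", "")):
            hits.append("locker_dropped")
    return hits


def triage(events):
    """Group matched indicators by the process image that produced them."""
    by_image = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            by_image.setdefault(ev.get("image", "<unknown>"), set()).update(hits)
    return {image: sorted(names) for image, names in by_image.items()}


# Constructed sample records (not real telemetry): the infection sequence from
# the write-up as a user-mode sensor would log it, plus two benign events.
_SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
_DROPPER = r"C:\Users\alice\Downloads\facture.exe"
_LOCKER = r"C:\Users\alice\AppData\Roaming\Locker.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "image": _DROPPER, "path": _LOCKER},
    {"type": "registry_set", "image": _DROPPER,
     "target": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\application",
     "data": _LOCKER},
    {"type": "registry_set", "image": _DROPPER,
     "target": r"HKCR\.locked", "data": "locked_auto_file"},
    {"type": "registry_set", "image": _DROPPER,
     "target": r"HKCR\locked_auto_file\shell\open\command", "data": _LOCKER + " %1"},
    {"type": "registry_set", "image": _DROPPER,
     "target": _SID + r"\Software\Code", "data": "Q7mZp2Xc9LbT4vKw8RsN"},
    {"type": "registry_set", "image": _DROPPER,
     "target": _SID + r"\Software\1", "data": "1"},
    {"type": "registry_set",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": _SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "file_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "path": r"C:\Users\alice\Documents\report.docx"},
]

if __name__ == "__main__":
    for image, names in triage(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(names))
```

Grouping by process image matters in practice: a single Run-key write is noise, but one process that drops Locker.exe, registers it for autostart and claims the .locked extension within a short window is the sequence described above.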
The Trojan then encrypts files on the compromised computer with 3DES in ECB mode, using the MD5 digest of the previously generated password to form the key. Because the key depends on nothing but that password, the value sent in the SMTP message is all that is needed to reconstruct it, and ECB mode means identical plaintext blocks in a file produce identical ciphertext blocks.
The Trojan encrypts all files apart from system files and files within the %ProgramFiles% folder. The Trojan adds the .locked extension to the encrypted files and deletes the originals.
The Trojan also deletes the HKEY_CURRENT_USER\Software\"Code" registry value that held the password.
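Since the 3DES key is nothing more than the MD5 digest of the 20-character password, and that password leaves the host in the body of the SMTP message described above (and sits briefly in the "Code" value), a responder holding a mail capture can reconstruct the key without the attacker. The following Python is an added example, not code from the write-up: it parses a constructed copy of the message, pulls out the Serial Number, and derives the key. It assumes the password is ASCII and that the 16-byte digest is used as-is as a two-key 3DES key (K1, K2, K1); the 24-byte layout is returned for libraries that require it. Whether the Trojan's 3DES output uses any padding is not stated on the page and is not assumed here.

```python
"""Reconstruct the Trojan.Ransomcrypt.AC file-encryption key from the exfiltration message."""
import hashlib
import re
from email import message_from_string

# Constructed copy of the message the Trojan sends (not a real capture); the
# header shape follows the write-up, the unique ID and password are invented.
CAPTURED_MESSAGE = """\
From: WORKSTATION-07 bordeaux@sothis.fr
To: brangiersimonalain@gmail.com
Subject: New Client 4f2a9c1e

Serial Number: Q7mZp2Xc9LbT4vKw8RsN
"""

SERIAL_RE = re.compile(r"^Serial Number:\s*(\S+)\s*$", re.M)


def extract_password(raw_message):
    """Pull the 20-character password out of the 'Serial Number:' body line."""
    body = message_from_string(raw_message).get_payload()
    match = SERIAL_RE.search(body)
    if match is None:
        raise ValueError("no 'Serial Number:' line in the message body")
    password = match.group(1)
    if len(password) != 20:
        raise ValueError(f"expected a 20-character password, got {len(password)}")
    return password


def derive_3des_key(password):
    """MD5 digest of the password, laid out as a 24-byte K1||K2||K1 3DES key.

    The write-up says the key comes from the MD5 of the password. A 16-byte
    digest handed to a 3DES API is a two-key 3DES key (K3 = K1). Assumptions:
    the password is ASCII and the digest is used unsalted, as-is.
    """
    digest = hashlib.md5(password.encode("ascii")).digest()
    return digest + digest[:8]


def key_from_message(raw_message):
    """Convenience wrapper: message text in, hex-encoded 3DES key out."""
    return derive_3des_key(extract_password(raw_message)).hex()


if __name__ == "__main__":
    print("password:", extract_password(CAPTURED_MESSAGE))
    print("3DES key:", key_from_message(CAPTURED_MESSAGE))
```

The same derivation applies to a password recovered from the "Code" value in a registry hive or its transaction logs before the Trojan deletes it; feed the resulting key to any 3DES-ECB implementation to attempt decryption of a .locked file.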
The Trojan then periodically opens a text document containing a ransom message written in French. The message tells the user that their files have been encrypted and that they must pay €300 to decrypt them, by sending a PaySafeCard code to the attackers' email addresses.
The Trojan also displays a window that allows the user to decrypt their files once they have paid for the decryption key.

Last update: 13 February 2016