Ransom:Win32/WinPlock.A
First posted on 12 November 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/WinPlock.A.
Explanation:
Installation
This ransomware drops a copy of itself:
- %APPDATA%\WinCL\wincl.exe
It creates the following file, which it uses to delete the executed copy:
- %APPDATA%\1.bat
It also creates the following file, which lists the files it encrypts during its file encryption routine:
- %APPDATA%\WinCL\enc_files.txt
It creates the following entry so that it runs every time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wincl"
With data: "%APPDATA%\WinCL\wincl.exe"
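A triage check for the Run entry and dropped files listed above, added here as an example and not part of Microsoft's write-up: it runs over a constructed host snapshot (Run values plus file paths) instead of a live registry, so the snapshot layout and the `expand`/`triage` helper names are assumptions, and the same constants would be fed to the registry and file-system APIs on a real host.

```python
import ntpath

# Indicators taken from the write-up above; %APPDATA% is left unexpanded so the
# same constants work whatever profile path the snapshot reports.
RUN_VALUE_NAME = "wincl"
RUN_VALUE_DATA = r"%APPDATA%\WinCL\wincl.exe"
DROPPED_FILES = (
    r"%APPDATA%\WinCL\wincl.exe",      # persistent copy
    r"%APPDATA%\1.bat",                # batch file used to delete the original
    r"%APPDATA%\WinCL\enc_files.txt",  # list of encrypted files
)

def expand(path, env):
    """Expand %VAR% tokens with the snapshot's environment (exact-name match)."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path

def normalize(path):
    """Canonical, case-folded Windows path (normpath also collapses '..')."""
    return ntpath.normpath(path).lower()

def triage(snapshot):
    """Return human-readable findings for the snapshot; [] means nothing seen."""
    env, findings = snapshot["env"], []
    files = {normalize(expand(p, env)) for p in snapshot["files"]}
    run = {k.lower(): v for k, v in snapshot["run_values"].items()}
    data = run.get(RUN_VALUE_NAME)
    if data is not None:
        if normalize(expand(data, env)) == normalize(expand(RUN_VALUE_DATA, env)):
            findings.append(f"Run value '{RUN_VALUE_NAME}' -> {data}")
        else:  # same value name, different target: still worth a look
            findings.append(f"Run value '{RUN_VALUE_NAME}' with unexpected data: {data}")
    for dropped in DROPPED_FILES:
        if normalize(expand(dropped, env)) in files:
            findings.append(f"dropped file present: {dropped}")
    return findings

# Constructed snapshot of an infected host (sample data); 1.bat is left out on purpose to show a partial match is still reported.
SAMPLE_SNAPSHOT = {
    "env": {"APPDATA": r"C:\Users\alice\AppData\Roaming"},
    "run_values": {"wincl": r"%APPDATA%\WinCL\wincl.exe",
                   "OneDrive": r"C:\Users\alice\AppData\Local\OneDrive.exe"},
    "files": {r"C:\Users\alice\AppData\Roaming\WinCL\wincl.exe",
              r"C:\Users\alice\AppData\Roaming\WinCL\enc_files.txt"},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print("[!]", finding)
```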
Payload
Encrypts your files
This ransomware encrypts files using RSA-2048 encryption. When it successfully does this, you will lose access to your files. It encrypts files with the following filename extensions:
.3fr
.3gp
.accdb
.ai
.amv
.arw
.asf
.avi
.bay
.cdr
.cer
.cr2
.crt
.crw
.dbf
.dcr
.der
.divx
.dng
.doc
.docm
.docx
.dwg
.dxf
.dxg
.eps
.erf
.fla
.indd
.jpe
.jpg
.kdc
.mdb
.mdf
.mef
.mov
.mp3
.mp4
.mpg
.mrw
.nef
.nrw
.odb
.odm
.odp
.ods
.odt
.orf
.p12
.p7b
.p7c
.pdd
.pef
.pem
.pfx
.ppt
.pptm
.pptx
.psd
.pst
.ptx
.r3d
.raf
.rar
.raw
.rtf
.rw2
.rwl
.srf
.srw
.tar
.wb2
.wma
.wmv
.wpd
.wps
.xlk
.xls
.xlsb
.xlsm
.xlsx
.zip
It avoids infecting files in the following folders:
- %APPDATA%
- %LOCALAPPDATA%
- %APPDATA%\Microsoft
- %ProgramData%
- %ProgramFiles%
- %SystemDrive%\Documents and Settings\%USERPROFILE%\Documents\My Pictures\Sample Pictures
- %SystemDrive%\Windows
After encrypting files, it displays a ransom note that asks for 1 Bitcoin as payment.
Downloads updates
This threat may download an updated copy of itself from the following website: hxxp:// invisioncorp .com.au/ scripts/wl/ cl.exe
Analysis by Francis Tan Seng
Last update: 12 November 2016