Trojan.Ransomcrypt.O
First posted on 16 December 2014.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.O.
Explanation:
When the Trojan is executed, it connects to the following remote location: [http://]smu743glzfrxsqcl.tor2web.org/teste[REMOVED]
The Trojan then encrypts files with the following file extensions on the compromised computer: .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rwl, .srf, .srw, .txt, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx
The Trojan then creates the following .txt files:
%UserProfile%\Desktop\ENCRYPTED[RANDOM NUMBER BETWEEN 1 AND 200].txt
%UserProfile%\Documents\ENCRYPTED[RANDOM NUMBER BETWEEN 1 AND 200].txt
These .txt files contain the following message:
"Your important files you have on this computer have been encrypted : photos,
videos, document , etc.
In order to recover these files you have to go to : [http://]smu743glzfrxsqcl.tor2web.org[REMOVED] and buy the key to decrypt all your files.
From now on you have 72 hours to pay or the key will be permanently deleted
from our server and you won't EVER get your files back. Please go to : [http://]smu743glzfrxsqcl.tor2web.org[REMOVED] to see the procedure.
You can find this text on your desktop and document folders
your hwid is : [RANDOM HEXIDECIMAL NUMBER]"
Next, the Trojan displays the following popup window with a similar ransom notice:
If the user visits the URL included in these messages, they will see the following message, asking the user to enter their hwid. It also asks the user to pay the ransom using the Bitcoin cryptocurrency:
Last update 16 December 2014
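As an added example (not part of the Symantec write-up), a defender-side Python triage helper built from the indicators listed above: it flags the ENCRYPTED&lt;1-200&gt;.txt note drops under Desktop and Documents, separates files carrying the targeted extensions, and picks out proxy log lines that reference the tor2web host. The file paths, log line format and internal IP are constructed samples, not data from the page.

```python
import re
from pathlib import PureWindowsPath

# Indicators transcribed from the write-up above: targeted extensions,
# ransom-note drop locations/name pattern, and the tor2web contact host.
TARGET_EXTENSIONS = set((
    ".3fr .accdb .ai .arw .bay .cdr .cer .cr2 .crt .crw .dbf .dcr .der .dng "
    ".doc .docm .docx .dwg .dxf .dxg .eps .erf .indd .jpe .jpg .kdc .mdb .mdf "
    ".mef .mp3 .mp4 .mrw .nef .nrw .odb .odm .odp .ods .odt .orf .p12 .p7b "
    ".p7c .pdd .pef .pem .pfx .ppt .pptm .pptx .psd .pst .ptx .r3d .raf .raw "
    ".rtf .rwl .srf .srw .txt .wb2 .wpd .wps .xlk .xls .xlsb .xlsm .xlsx"
).split())
NOTE_DIRS = {"desktop", "documents"}   # %UserProfile%\Desktop and \Documents
NOTE_NAME = re.compile(r"^ENCRYPTED(\d{1,3})\.txt$", re.IGNORECASE)
C2_HOST = "smu743glzfrxsqcl.tor2web.org"

def is_ransom_note(path: str) -> bool:
    r"""True for <...>\Desktop|Documents\ENCRYPTED<n>.txt with 1 <= n <= 200."""
    p = PureWindowsPath(path)
    m = NOTE_NAME.match(p.name)
    if m is None or p.parent.name.lower() not in NOTE_DIRS:
        return False
    return 1 <= int(m.group(1)) <= 200

def triage_paths(paths):
    """Split a file inventory into ransom-note drops and files the Trojan targets.
    The notes are themselves .txt, so they are excluded from the at-risk list."""
    notes = [p for p in paths if is_ransom_note(p)]
    at_risk = [p for p in paths if p not in notes
               and PureWindowsPath(p).suffix.lower() in TARGET_EXTENSIONS]
    return {"ransom_notes": notes, "at_risk_files": at_risk}

def c2_contacts(log_lines):
    """Proxy/DNS log lines that reference the tor2web host from the write-up."""
    return [line for line in log_lines if C2_HOST in line.lower()]

# Constructed sample input (hypothetical paths, IP and log format), not page data.
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\ENCRYPTED37.txt",
    r"C:\Users\alice\Documents\ENCRYPTED37.txt",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\IMG_0012.CR2",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_PROXY_LOG = [
    "2014-12-16T10:02:11Z src=10.0.0.12 host=smu743glzfrxsqcl.tor2web.org action=allow",
    "2014-12-16T10:02:15Z src=10.0.0.12 host=www.example.com action=allow",
]
```

Run `triage_paths(SAMPLE_PATHS)` and `c2_contacts(SAMPLE_PROXY_LOG)` to see the two note drops, the three at-risk files and the single C2 contact line.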