Ransom:Win32/Genasom.HV
First posted on 24 May 2014.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Genasom.HV.
Explanation:
Threat behavior
Trojan:Win32/Ransom.HV is a ransomware trojan that encrypts your documents. It displays a screen falsely claiming that your computer has been found to be involved in illegal activity. It further claims that, as a result, your desktop has been locked and your files have been encrypted. It states that to recover access to your desktop and to decrypt your documents, you need to send a certain amount of money to a remote account.
Installation
Trojan:Win32/Ransom.HV may use the file name "svchost.exe" in a randomly named folder under "C:\ProgramData\". Note that a legitimate Windows file named "svchost.exe" exists by default in the Windows system folder.
It creates an entry with a random value name and random data under the subkey "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" to ensure it runs every time Windows starts.
Payload
Locks your desktop and encrypts your files
Trojan:Win32/Ransom.HV searches your computer for documents. It encrypts the ones it finds and renames them using the following format:
(!! to decrypt email id > to !!).exe
The encrypted files are detected as Trojan:Win32/Ransom.JC.
Trojan:Win32/Ransom.HV then locks your desktop and displays the following message, falsely claiming that your computer has been found to be involved in illegal activity:
It further states that for you to regain access to your desktop and to decrypt your documents, you need to send money to a certain email address.
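The indicators given in the Installation and Payload sections above (a copy of svchost.exe one folder below C:\ProgramData, a Run-key value whose data points at it, and documents renamed with the "(!! to decrypt email id > to !!).exe" pattern) can be checked on a host with the following PowerShell function. It is an added example written for this page, not code from Microsoft or from the malware write-up; the function name, the output object shape, the default document roots, and the assumption that the literal text "!! to decrypt email" survives in the renamed file name are mine.

```powershell
# Added example (not from the Microsoft write-up): hunts for the indicators the
# description gives for Trojan:Win32/Ransom.HV. Paths and the Run key are taken
# from the text; the function name, output shape and document roots are assumptions.

function Find-RansomHVIndicators {
    [CmdletBinding()]
    param(
        # Root the description names for the dropped copy of svchost.exe
        [string]$ProgramData = $env:ProgramData,
        # Folders to scan for renamed (encrypted) documents; assumed defaults
        [string[]]$DocumentRoots = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop")
    )

    $findings = @()

    # 1. svchost.exe living directly under a subfolder of C:\ProgramData.
    #    The legitimate binary lives in the Windows system folder, so a copy here is suspect.
    foreach ($dir in (Get-ChildItem -Path $ProgramData -Directory -ErrorAction SilentlyContinue)) {
        $candidate = Join-Path $dir.FullName 'svchost.exe'
        if (Test-Path -LiteralPath $candidate) {
            $findings += [pscustomobject]@{
                Indicator = 'svchost.exe outside the system folder'
                Detail    = $candidate
            }
        }
    }

    # 2. Run-key values (random name and data per the description) whose data
    #    points at an svchost.exe under ProgramData. The value name is random,
    #    so only the data is inspected.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $data = [string]$p.Value
            if ($data -match [regex]::Escape($ProgramData) -and $data -match 'svchost\.exe') {
                $findings += [pscustomobject]@{
                    Indicator = 'Run key referencing svchost.exe under ProgramData'
                    Detail    = "$($p.Name) = $data"
                }
            }
        }
    }

    # 3. Documents renamed with the format the description gives:
    #    (!! to decrypt email id > to !!).exe
    #    Assumes the "!! to decrypt email" fragment is kept verbatim in the new name.
    foreach ($root in $DocumentRoots) {
        $renamed = Get-ChildItem -Path $root -Recurse -File -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*!! to decrypt email*' }
        foreach ($f in $renamed) {
            $findings += [pscustomobject]@{
                Indicator = 'Document renamed by the ransomware'
                Detail    = $f.FullName
            }
        }
    }

    return $findings
}

# Usage (run from an elevated prompt so the HKLM Run key is readable):
# Find-RansomHVIndicators | Format-Table -AutoSize
```

An empty result means none of the three indicators from the description were found in the scanned locations; a hit on the Run key or the ProgramData copy should be treated as a sign of the persistence mechanism described under Installation, and the host isolated before any cleanup.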
Analysis by Mihai Calota
Symptoms
System changes
The following system changes may indicate the presence of this malware in your computer:
- The presence of the following image:
Last update 24 May 2014