Trojan.Ransomcrypt.AA
First posted on 14 January 2016.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.AA.
Explanation:
When the Trojan is executed, it creates the following file: %AllUsersProfile%\date_1.txt
The Trojan creates the following folder: %AllUsersProfile%\faktura
The Trojan then creates the following registry entry so that it runs every time Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"cssys" = "%AllUsersProfile%\ntserver.exe"
Next, the Trojan encrypts files that do not have any of the following extensions: .bat, .cmd, .com, .cpl, .dll, .exe, .hta, .lnk, .msc, .msi, .msp, .pif, .scr, .sys
The Trojan then displays a ransom note demanding payment for the files to be decrypted.
Last update 14 January 2016
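A host triage check for the file, folder and Run entry described above, as an added example that is not part of the original write-up or Symantec's tooling. The paths and the value name come from the description; the script layout and the helper name Add-Finding are assumptions made for illustration.

```powershell
# Added example: look for the artifacts named in this write-up on one host.
# Run elevated so that other users' loaded registry hives are readable.
$base      = $env:ALLUSERSPROFILE               # resolves %AllUsersProfile%
$runValue  = 'cssys'                            # value name from the write-up
$runTarget = Join-Path $base 'ntserver.exe'     # value data from the write-up
$findings  = New-Object System.Collections.Generic.List[object]

# Hypothetical helper: collect one finding as a structured object.
function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Dropped file, created folder, and the binary the Run value points at.
$paths = @(
    @{ Path = (Join-Path $base 'date_1.txt'); Kind = 'Leaf' },
    @{ Path = (Join-Path $base 'faktura');    Kind = 'Container' },
    @{ Path = $runTarget;                     Kind = 'Leaf' }
)
foreach ($item in $paths) {
    if (Test-Path -LiteralPath $item.Path -PathType $item.Kind) {
        $fi = Get-Item -LiteralPath $item.Path -Force   # -Force also returns hidden items
        Add-Finding 'FileSystem' $item.Path "created $($fi.CreationTimeUtc.ToString('u'))"
    }
}

# 2. The Run value lives under HKEY_CURRENT_USER, so inspect every loaded
#    user hive (HKEY_USERS\<SID>), not only the account running this script.
$hives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' }
foreach ($hive in $hives) {
    $key  = "$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $prop = Get-ItemProperty -LiteralPath "Registry::$key" -Name $runValue -ErrorAction SilentlyContinue
    if ($prop) {
        $data  = [Environment]::ExpandEnvironmentVariables($prop.$runValue).Trim('"')
        $match = if ($data -ieq $runTarget) { 'matches described path' } else { 'same value name, different path' }
        Add-Finding 'Registry' $key "$runValue = $data ($match)"
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'No artifacts from this write-up were found.' }
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so a clean result covers only the profiles loaded at the time of the check.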