
Ransom:Win32/Sofilblock.A


First posted on 31 May 2014.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Sofilblock.A.

Explanation:

Threat behavior

Trojan:Win32/Sofilblock.A is ransomware that encrypts your files and asks for payment in order to decrypt the files. It may also lock the user's desktop and display an image supposedly from the authorities in an attempt to coerce you into paying.

Installation

When run, Trojan:Win32/Sofilblock.A copies itself as the following file:

%AppData%\sopaps.exe

It also creates the following registry entry so that it runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "ChpPrintUpdate"
With data: "%AppData%\sopaps.exe"

It may also create the following files, which may contain the encrypted key that can decrypt your files:

  • %AppData%\filesop.txt.block
  • %AppData%\ok.txt.block


Payload

Connects to certain servers

Trojan:Win32/Sofilblock.A may connect to certain servers to generate the encryption key:

  • 78.47.4.76
  • 176.9.237.54


Encrypts files

Using the encryption key, Trojan:Win32/Sofilblock.A encrypts all files in your computer with any of the following extensions:

  • abw
  • arj
  • asm
  • bpg
  • cdr
  • cdt
  • cdx
  • cer
  • chm
  • css
  • dbf
  • dbt
  • dbx
  • dfm
  • djv
  • djvu
  • doc
  • docm
  • docx
  • dpk
  • dpr
  • frm
  • gz
  • gzip
  • htm
  • html
  • jpg
  • js
  • key
  • lzh
  • lzo
  • mdb
  • mde
  • odc
  • pab
  • pas
  • pdf
  • pgp
  • php
  • pps
  • ppt
  • pst
  • rtf
  • sql
  • text
  • txt
  • vbp
  • vsd
  • wri
  • xfm
  • xl
  • xlc
  • xlk
  • xls
  • xlsm
  • xlsx
  • xlw
  • xsf
  • xsn


The encrypted files are renamed by appending ".block" to the original file name, for example, "C:\Samplefile.txt" becomes "C:\Samplefile.txt.block".

In every folder with at least one encrypted file, it drops the file "warning.txt", which contains the following text:



Locks your computer

When executed, Trojan:Win32/Sofilblock.A poses as a legitimate institution and coerces the user into paying a fee. It prevents you from accessing your desktop, and replaces your screen with an image similar to the following:



Terminates processes

To prevent you from terminating its process, Trojan:Win32/Sofilblock.A terminates the processes "taskmgr.exe" and "regedit.exe" if either is run.



Analysis by Edgardo Diaz

Symptoms

System changes


The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    %AppData%\sopaps.exe
  • The presence of the following registry modifications:

    In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "ChpPrintUpdate"
    With data: "%AppData%\sopaps.exe"
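The indicators above (the Run-key value, the dropped executable, the ".block" renaming of files with the listed extensions, and the "warning.txt" note) can be turned into a simple host check. The following script is an added example and not part of Microsoft's write-up; the sample directory tree it builds is constructed, and the Run-key dictionary passed to `check_run_values` is assumed to have been read separately (for instance with `winreg`).

```python
import os
import tempfile
from pathlib import Path

TARGET_EXTENSIONS = {  # extensions the advisory lists as targeted by Sofilblock.A
    "abw", "arj", "asm", "bpg", "cdr", "cdt", "cdx", "cer", "chm", "css", "dbf",
    "dbt", "dbx", "dfm", "djv", "djvu", "doc", "docm", "docx", "dpk", "dpr", "frm",
    "gz", "gzip", "htm", "html", "jpg", "js", "key", "lzh", "lzo", "mdb", "mde",
    "odc", "pab", "pas", "pdf", "pgp", "php", "pps", "ppt", "pst", "rtf", "sql",
    "text", "txt", "vbp", "vsd", "wri", "xfm", "xl", "xlc", "xlk", "xls", "xlsm",
    "xlsx", "xlw", "xsf", "xsn",
}
RANSOM_NOTE = "warning.txt"           # dropped in every folder holding an encrypted file
PERSISTENCE_VALUE = "ChpPrintUpdate"  # Run-key value name from the advisory
DROPPED_EXE = "sopaps.exe"            # copy the malware writes to %AppData%

def is_sofilblock_victim(name: str) -> bool:
    """True for '<original>.<ext>.block' with <ext> in the advisory's list; requiring a
    listed extension keeps legitimate files that merely end in '.block' out of the result."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "block" and parts[1] in TARGET_EXTENSIONS

def scan_tree(root: str) -> tuple:
    """Walk root; return (sorted encrypted files, folders holding a ransom note),
    both as POSIX-style paths relative to root."""
    encrypted, noted = [], set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if RANSOM_NOTE in {f.lower() for f in files}:
            noted.add(rel_dir)
        encrypted += [f"{rel_dir}/{f}" for f in files if is_sofilblock_victim(f)]
    return sorted(encrypted), noted

def check_run_values(run_values: dict) -> list:
    """run_values maps value name -> data from HKCU\\...\\CurrentVersion\\Run (assumed
    read with winreg); returns the names matching the advisory's persistence entry."""
    return [name for name, data in run_values.items()
            if name == PERSISTENCE_VALUE or DROPPED_EXE in str(data).lower()]

def build_sample_tree() -> str:
    """Constructed sample victim tree (not a real infection) so the scan runs offline."""
    root = Path(tempfile.mkdtemp(prefix="sofilblock_demo_"))
    docs, pics = root / "Documents", root / "Pictures"
    docs.mkdir(); pics.mkdir()
    (docs / "Samplefile.txt.block").write_bytes(b"\x00constructed")
    (docs / "report.docx.block").write_bytes(b"\x00constructed")
    (docs / "warning.txt").write_text("constructed placeholder ransom note")
    (pics / "photo.jpg").write_bytes(b"\xff\xd8")  # untouched file
    (pics / "notes.block").write_bytes(b"")         # no listed extension: not counted
    return str(root)
```

Running `scan_tree` over a user profile and `check_run_values` over the Run key gives a quick triage of whether a host shows this family's file-system and persistence footprint.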

Last update 31 May 2014
