Trojan.Ransomcrypt.X
First posted on 30 December 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Ransomcrypt.X.
Explanation:
When this Trojan is executed, it adds the following file to several folders. This file contains instructions on how to decrypt files:
[PATH TO FILE]\READ_ME.txt
The Trojan then encrypts files with the following extensions:
.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .js, .mdb, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
The Trojan then modifies the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft" = "[MALWARE PATH]"
Next, the Trojan modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\"Shell" = "[MALWARE PATH]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
The Trojan periodically checks whether the following process is running and, if it is, ends the process:
Task Manager
The Trojan blocks access to the desktop and displays a message informing the user that their files have been encrypted. The message asks the user to pay in bitcoins in order to decrypt the files.
The QR code in the displayed message redirects to a website where the user can pay the ransom.
Last update 30 December 2015
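As an added example (not part of the Symantec write-up), the following Python script checks a Windows registry export (the text format produced by `reg export` or Regedit) for the three registry indicators listed above: a Run value named "Microsoft", a Winlogon "Shell" value under HKEY_CURRENT_USER that no longer points at explorer.exe, and DisableTaskMgr set to 1. The embedded sample exports, the user name "victim" and the file name winupd.exe are constructed placeholders, not indicators from the write-up; the parser handles only the REG_SZ and DWORD value types that these checks need.

```python
"""Scan a Windows .reg export for the persistence and lockdown indicators
described for Trojan.Ransomcrypt.X (added example, not Symantec's code)."""
import re

# Registry locations named in the write-up. Key paths are compared
# case-insensitively, as the registry itself does.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WinLogon"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# A value line in a .reg file looks like:  "Name"="data"  or  "Name"=dword:00000001
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _decode(data):
    """Convert the right-hand side of a .reg value line to a Python value."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: the .reg format escapes backslashes and quotes with a backslash.
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)          # REG_DWORD written as 8 hex digits
    return data                           # other types are returned raw


def parse_reg_export(text):
    """Return {key_path_lower: {value_name: value}} parsed from .reg text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # new key section
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = _decode(m.group("data"))
    return keys


def find_indicators(reg_text):
    """Return human-readable findings for the write-up's three registry changes."""
    keys = parse_reg_export(reg_text)
    findings = []

    run = keys.get(RUN_KEY.lower(), {})
    if "Microsoft" in run:                # Run value named "Microsoft" -> [MALWARE PATH]
        findings.append(f'Run value "Microsoft" -> {run["Microsoft"]}')

    shell = keys.get(WINLOGON_KEY.lower(), {}).get("Shell")
    if shell is not None and shell.lower() != "explorer.exe":
        # A per-user Shell override that is not explorer.exe replaces the desktop.
        findings.append(f"Winlogon Shell hijacked -> {shell}")

    if keys.get(POLICY_KEY.lower(), {}).get("DisableTaskMgr") == 1:
        findings.append("DisableTaskMgr = 1 (Task Manager blocked)")
    return findings


# Constructed sample export mimicking an infected profile (placeholder paths).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Microsoft"="C:\\Users\\victim\\AppData\\Roaming\\winupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WinLogon]
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\winupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

# Constructed sample export from a clean profile: only a legitimate Run entry.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(f"{label}: {find_indicators(sample) or 'no indicators'}")
```

On a live host the same checks can be run against the registry directly; the export-based form is useful when triaging hives collected from a machine that should not be logged into interactively. The Winlogon check deliberately flags any non-explorer.exe Shell value rather than only the path named in the write-up, since [MALWARE PATH] varies per infection.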