Ransom:MSIL/Ryzerlo
First posted on 02 April 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:MSIL/Ryzerlo.
Explanation:
Installation
When executed, this ransomware creates a random 15-character string drawn from the following character set:
- abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890*!=&?&/
The ransomware attempts to send the random string, along with information unique to the infected machine (the machine name and user name), to the following remote host:
- sarkemc0der.altervista.org
Variants of this ransomware are based on the open-source "hidden tear" ransomware, previously hosted at https://github.com/utkusen/hidden-tear.
Payload
Encrypts your files
This ransomware attempts to find and encrypt files located in the %UserProfile%\Desktop folder that have the following extensions, using the AES encryption algorithm with the previously generated random string as the key:
.asp .html .png .sql .aspx .jpg .ppt .txt .csv .mdb .pptx .xls .doc .odt .psd .xlsx .docx .php .sln .xml
The ransomware then appends the following suffix to the encrypted files' file names:
- .f*ucked
NOTE: We're putting '*' in between a word which has an offensive theme.
Then, the ransomware writes a file to the following location:
- %UserProfile%\Desktop\READ_IT.txt
With the following contents:
Files have been encrypted
Send me some bitcoins to decrypte your files
Contact tuyuljahat@hotmail.com for more information and deal!
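As an added defender-side example (not part of Microsoft's write-up), a Python scan that walks a directory for the file-system indicators described above: files carrying the encrypted-file suffix on one of the targeted extensions, and a READ_IT.txt note whose text matches the known first line. The sample directory it builds is constructed for demonstration, and the suffix is derived by dropping the '*' that the write-up inserts.

```python
import os
import tempfile
from typing import Dict, List

# Indicators described on this page. The write-up masks one position of the
# suffix with '*'; the suffix as written to disk is the word without it.
ENCRYPTED_SUFFIX = ".f*ucked".replace("*", "")
RANSOM_NOTE_NAME = "READ_IT.txt"
RANSOM_NOTE_MARKER = "Files have been encrypted"
TARGETED_EXTENSIONS = {
    ".asp", ".html", ".png", ".sql", ".aspx", ".jpg", ".ppt", ".txt", ".csv",
    ".mdb", ".pptx", ".xls", ".doc", ".odt", ".psd", ".xlsx", ".docx", ".php",
    ".sln", ".xml",
}


def scan_for_ryzerlo(root: str) -> Dict[str, object]:
    """Walk `root` and collect the file-system indicators of this ransomware."""
    encrypted: List[str] = []
    notes: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                # Strip the suffix and keep the hit only if the original
                # extension is one this family actually targets.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                if os.path.splitext(original)[1].lower() in TARGETED_EXTENSIONS:
                    encrypted.append(path)
            elif name == RANSOM_NOTE_NAME:
                with open(path, "r", errors="replace") as fh:
                    if RANSOM_NOTE_MARKER in fh.read():
                        notes.append(path)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "infected": bool(encrypted) or bool(notes),
    }


def build_sample_desktop() -> str:
    """Constructed sample directory imitating a hit Desktop (no real artifacts)."""
    root = tempfile.mkdtemp(prefix="ryzerlo_sample_")
    # "setup.exe" is not a targeted extension, so it must not be counted.
    for name in ("report.docx", "notes.txt", "setup.exe"):
        with open(os.path.join(root, name + ENCRYPTED_SUFFIX), "wb") as fh:
            fh.write(b"constructed sample data")
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"untouched file")
    with open(os.path.join(root, RANSOM_NOTE_NAME), "w") as fh:
        fh.write("Files have been encrypted\nSend me some bitcoins\n")
    return root
```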
Analysis by Ray Roberts
Last update 02 April 2016