Home / malware Ransom:Win32/Zuresq.A
First posted on 03 September 2014.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Zuresq.A.
Explanation :
Threat behavior
Installation
After the threat gets on your PC, it connects to a remote host (for example 5.199.171.47/patriote/) to download an updated version of itself.
It creates the folder C:\zerolocker and places the updated version of itself there. We have seen it use the the filename zerorescue.exe, but newer variants might use different names.
We have observed one variant of this threat to initially install itself as the file task manager.exe which then created the zerolocker folder and installed the updated version of the file.
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "FileRescue"
With data: "C:\zerolocker\zerorescue.exe"
Payload
Encrypts your files
This threat encrypts your files so you can't use them. It generates a random key that it uses to encrypt your files. The ransomware uploads this key to its remote server so it can decrypt your files.
It encrypts all files that are not located in folders that have the following in their names:
- Desktop
- Program Files
- Windows
- Zerolocker
It puts a shortcut on your desktop that presents a message about how you can decrypt your files by paying between $300 USD and $1000 USD using Bitcoin:
It adds .encrypt to the end of the name of files it encrypts, as in the following screenshot:
Additional information
This threat may be obfuscated in an attempt to hide from detection by security and antimalware programs.
It uses RijndaelManaged (AES) encryption on your files, and generates a random key which it uploads to a remote server. The key consists of alphanumeric characters, is of length 0x14, and hashes with SHA512 when encrypting your files.
Analysis by Carmen Liang
Symptoms
If the machine is infected, then you may find all of your non-system files are encrypted like shown.
Last update 03 September 2014