
Breaking Bad Theme Ransomware Found In Australia

Trojan.Cryptolocker.S Demands AU $1000 To Decrypt Files


Symantec researchers have found a ransomware threat, detected as Trojan.Cryptolocker.S, that demands AU$1000 to decrypt the files it has encrypted.

The malware authors cooked up their ransom demand using the ‘Los Pollos Hermanos’ branding image from the show. Part of the email address used in the extortion demand is also based on a quote by the show’s protagonist Walter White, who declared, “I am the one who knocks.”

We believe that the crypto ransomware uses social engineering techniques as a means of infecting victims. The malware arrives in a malicious zip archive whose file name uses the name of a major courier firm. The archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which, when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not malicious.

Based on our initial analysis, the threat appears to use components of, or techniques similar to, an open-source penetration-testing project built on Microsoft PowerShell modules. This lets the attackers run their own PowerShell script on the compromised computer to operate the crypto ransomware.
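The first stage of that chain, an archive named like a courier notice that carries a script downloader, is something a mail gateway or triage script can screen for. The routine below is an added example written for this page, not Symantec's or the blog's code. The script and lure-word lists, the archive name Delivery-Notice.zip and the member contents are constructed assumptions; only the member name PENALTY.VBS is taken from the report, which does not name the courier firm.

```python
import io
import zipfile

# File types a courier notice has no reason to carry (assumption: list chosen here).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".com", ".pif"}
# Document types commonly placed in front of the real extension to disguise a script.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Words typical of fake delivery or penalty notices (assumption; the courier
# name used in the real campaign is not given in the report).
LURE_WORDS = ("penalty", "invoice", "delivery", "parcel", "shipment", "consignment")


def triage_archive(archive_name: str, data: bytes) -> dict:
    """Inspect a zip attachment and return a verdict plus the reasons for it."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "invalid", "reasons": ["not a zip archive"]}
    member_names = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        base = info.filename.rsplit("/", 1)[-1].lower()
        member_names.append(base)
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTS:
            reasons.append(f"script or executable member: {info.filename}")
            # 'notice.pdf.vbs': a document extension in front of the real one
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
                reasons.append(f"double extension hides script type: {info.filename}")
    lure = any(w in archive_name.lower() for w in LURE_WORDS) or \
        any(w in n for n in member_names for w in LURE_WORDS)
    if reasons and lure:
        verdict = "malicious"      # delivery lure plus a script: the chain described above
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(members: dict) -> bytes:
    """Build an in-memory zip from {name: text}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware.  The lure archive carries a member
# named PENALTY.VBS as in the report; its body is a harmless placeholder.
LURE_ZIP = build_sample({"PENALTY.VBS": "' placeholder, not the real downloader\r\n"})
BENIGN_ZIP = build_sample({"Delivery_Notice.pdf": "%PDF-1.4 placeholder\n"})
DOUBLE_EXT_ZIP = build_sample({"files/notice.pdf.vbs": "' placeholder\r\n"})

if __name__ == "__main__":
    for name, data in (("Delivery-Notice.zip", LURE_ZIP),
                       ("Delivery-Notice.zip", BENIGN_ZIP),
                       ("archive.zip", DOUBLE_EXT_ZIP)):
        print(name, triage_archive(name, data))
```

The verdict deliberately separates "script inside an archive" (suspicious on its own) from "script inside an archive that pretends to be a delivery notice" (the combination this campaign relies on), so that legitimate script archives are not all blocked outright.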

The crypto ransomware targets files with the following extensions for encryption:

  • .ai
  • .crt, .csv
  • .db, .doc, .docm, .docx, .dotx
  • .gif
  • .jpeg, .jpg
  • .lnk
  • .mp3, .msi
  • .ods, .one, .ost
  • .p12, .pdf, .pem, .pps, .ppsx, .ppt, .pptx, .psd, .pst, .pub
  • .rar, .raw, .rtf
  • .tif, .txt
  • .vsdx
  • .wma
  • .xls, .xlsm, .xlsx, .xml
  • .zip
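A practical use of that target list is a canary (bait) file monitor: plant a harmless file of each targeted type, hash it, and alert when several change or disappear at once, which is what bulk encryption looks like from the file system. The script below is an added example, not Symantec's or the blog's code. The bait file names, the bait directory, the alert threshold and the simulated encryptor (an in-place scramble plus a rename to a .locked name) are constructed assumptions, not observed behaviour of this threat.

```python
import hashlib
import os
import tempfile

# The extensions the report lists as targets for encryption.
TARGET_EXTS = [
    ".ai", ".crt", ".csv", ".db", ".doc", ".docm", ".docx", ".dotx", ".gif",
    ".jpeg", ".jpg", ".lnk", ".mp3", ".msi", ".ods", ".one", ".ost", ".p12",
    ".pdf", ".pem", ".pps", ".ppsx", ".ppt", ".pptx", ".psd", ".pst", ".pub",
    ".rar", ".raw", ".rtf", ".tif", ".txt", ".vsdx", ".wma", ".xls", ".xlsm",
    ".xlsx", ".xml", ".zip",
]


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: str, exts=TARGET_EXTS) -> dict:
    """Write one bait file per targeted extension and return {path: sha256}."""
    baseline = {}
    for ext in exts:
        path = os.path.join(root, "canary" + ext)   # file name is an assumption
        with open(path, "wb") as f:
            f.write(b"canary file, do not edit " + ext.encode() + b"\n")
        baseline[path] = sha256_file(path)
    return baseline


def check_canaries(baseline: dict, threshold: int = 2) -> dict:
    """Compare canaries against the baseline; alert when several change at once."""
    missing = [p for p in baseline if not os.path.exists(p)]
    modified = [p for p, digest in baseline.items()
                if os.path.exists(p) and sha256_file(p) != digest]
    touched = len(missing) + len(modified)
    return {"missing": missing, "modified": modified,
            "intact": len(baseline) - touched,
            "alert": touched >= threshold}


def simulate_ransomware(paths):
    """Constructed stand-in for an encryptor: scramble one file in place and
    rename the next with a new extension (two behaviours ransomware families show)."""
    with open(paths[0], "r+b") as f:
        data = f.read()
        f.seek(0)
        f.write(bytes(b ^ 0x5A for b in data))   # not real encryption, just a change
    os.rename(paths[1], paths[1] + ".locked")


def demo(attack: bool = True) -> dict:
    """Plant canaries in a fresh temp directory, optionally attack them, then check."""
    root = tempfile.mkdtemp(prefix="canary-")
    baseline = plant_canaries(root)
    if attack:
        simulate_ransomware(sorted(baseline))
    return check_canaries(baseline)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the canaries go into the directories users actually work in (the encryptor walks them in order, so a name that sorts first is hit early), the check runs on a timer or from a file-change watcher, and the alert triggers host isolation rather than just a report.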

The ransomware also opens a page with instructions and a YouTube video. So nice of them to provide clear instructions.

(Screenshot: Breaking Bad ransomware instructions page)

Always remember to back up your important files regularly and keep a copy offline; a current backup is the reliable way to recover from ransomware without paying, and ransomware is only one of the ways you can lose data.

Author: Shivniel Gounder

TheGeek: Writes about information security, privacy, cybersecurity and the latest tech gadgets.
