Thursday, April 12, 2012
Trojan:W32/Ransomcrypt Posted by Sean @ 12:47 GMT

We are receiving reports of a ransom trojan that has been circulating during the last two days.

When first run on the system, the ransomware iterates over all folders on the system. Every document, image, and shortcut (.lnk) file it finds is encrypted and given the additional extension .EnCiPhErEd. In each folder it drops a text file called "HOW TO DECRYPT.TXT" containing instructions on how to proceed. The bandit is demanding EUR 50.

It drops a copy of itself in the system's temp folder under a random name. It creates registry entries that associate the .EnCiPhErEd extension with itself, so that the temp folder copy is launched whenever one of those files is opened, in order to demand the decryption password. After five attempts it no longer accepts passwords; it then deletes itself, leaving your data encrypted.
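The behaviour described above (the .EnCiPhErEd extension, the per-folder "HOW TO DECRYPT.TXT" note, the temp folder copy and the file-association hijack) gives a responder a short list of host indicators to sweep for. The following triage script is an added example, not F-Secure's tooling: it walks a directory tree for the filesystem artefacts named in the post, hashes files against the published SHA1, and parses a constructed .reg export to flag a file association whose open handler lives under a Temp folder. The registry key layout (HKEY_CLASSES_ROOT\<ext> pointing to a ProgID whose shell\open\command holds the handler) is the standard Windows file-association mechanism and is an assumption here; the post does not list the exact keys the trojan writes. The sample tree and registry text are constructed for the demo.

```python
"""Host triage for the Ransomcrypt indicators described in the post (added example)."""
import hashlib
import os
import tempfile

# Indicators taken from the post.
ENCRYPTED_EXT = ".EnCiPhErEd"
RANSOM_NOTE = "HOW TO DECRYPT.TXT"
SAMPLE_SHA1 = "b8f60c64c70f03c263bf9e9261aa157a73864aaf"

# Constructed .reg export illustrating a hijacked association (assumed key layout,
# placeholder random file name; not taken from the sample).
REG_EXPORT = r"""
[HKEY_CLASSES_ROOT\.EnCiPhErEd]
@="EnCiPhErEd_auto_file"

[HKEY_CLASSES_ROOT\EnCiPhErEd_auto_file\shell\open\command]
@="\"C:\\Users\\victim\\AppData\\Local\\Temp\\ab12cd.exe\" \"%1\""
"""


def sha1_of(path):
    """Hash a file in chunks so large documents are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, sample_sha1=SAMPLE_SHA1):
    """Collect encrypted files, folders holding the ransom note, and hash matches under root."""
    hits = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):          # case-sensitive, as the post spells it
                hits["encrypted"].append(full)
            if name.upper() == RANSOM_NOTE:
                hits["notes"].append(dirpath)
            try:
                if sha1_of(full) == sample_sha1:
                    hits["hash_hits"].append(full)
            except OSError:
                pass  # unreadable file: skip it rather than abort the sweep
    return hits


def _parse_reg_defaults(reg_text):
    """Map each key in a .reg export (lower-cased) to its unescaped default (@) value."""
    defaults, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and line.startswith('@="') and line.endswith('"'):
            raw, out, i = line[3:-1], [], 0
            while i < len(raw):                        # .reg escapes \ and " with a backslash
                if raw[i] == "\\" and i + 1 < len(raw):
                    out.append(raw[i + 1]); i += 2
                else:
                    out.append(raw[i]); i += 1
            defaults[current] = "".join(out)
    return defaults


def find_temp_handler(reg_text, ext=ENCRYPTED_EXT):
    """Return the open command registered for ext if it points into a Temp folder, else None."""
    defaults = _parse_reg_defaults(reg_text)
    progid = defaults.get(("HKEY_CLASSES_ROOT\\" + ext).lower())
    if not progid:
        return None
    cmd = defaults.get(("HKEY_CLASSES_ROOT\\" + progid + "\\shell\\open\\command").lower())
    return cmd if cmd and "\\temp\\" in cmd.lower() else None


def demo():
    """Build a constructed sample tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as base:
        layout = {
            "docs": ["report.docx" + ENCRYPTED_EXT, RANSOM_NOTE],
            "pics": ["holiday.jpg" + ENCRYPTED_EXT, RANSOM_NOTE],
            "clean": ["notes.txt"],
        }
        for folder, names in layout.items():
            os.makedirs(os.path.join(base, folder))
            for name in names:
                with open(os.path.join(base, folder, name), "w") as f:
                    f.write("constructed placeholder content\n")
        return scan_tree(base)


if __name__ == "__main__":
    results = demo()
    print("encrypted files:", len(results["encrypted"]))
    print("folders with ransom note:", len(results["notes"]))
    print("sample hash matches:", len(results["hash_hits"]))
    print("temp-folder handler:", find_temp_handler(REG_EXPORT))
```

On a real host, point scan_tree at the drive root and feed find_temp_handler the output of `reg export HKCR\.EnCiPhErEd` and the ProgID key; a hash match on the temp folder copy confirms the sample, while the note and extension hits map the blast radius before any restore from backup.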

Our threat hunters think the source of this ransomware may be malicious tags inserted into websites, particularly forums.

Here's how encrypted files look once the trojan has done its work:


This is the content of the text file:

Attention! All your files are encrypted! You are using unlicensed programs! To restore your files and access them, send code Ukash or Paysafecard nominal value of EUR 50 to the e-mail [removed]@gmail.com. During the day you receive the answer with the code. You have 5 attempts to enter the code. If you exceed this of all data irretrievably spoiled. Be careful when you enter the code!



The "Error!" message that you'll get if the wrong password is input:


Another error message, repeating the demands found in the .txt file:


The encryption used by this trojan is not as complex as some other ransomware we've analyzed, such as Gpcode. Investigations to determine if its encryption can be cracked are ongoing.

SHA1: b8f60c64c70f03c263bf9e9261aa157a73864aaf

Analysis by — K.M. Chang
