Effects
Ransom.K is a Trojan designed to blackmail users by encrypting the documents it finds on the computer so that users cannot access them.
Ransom.K carries out the following actions:
- It reaches the computer in a file which has the following icon, passing itself off as a help file:

- When the file is run, a wallpaper is displayed on screen and the Trojan starts encrypting all the documents it finds with the following extensions: DB (Access), DOC (Word documents), JPG (pictures), TXT (text files) and XLS (Excel documents).
- The wallpaper contains a message informing users that their files have been encrypted and that, in order to recover them, they have to send an email and pay $100, so that they can receive some decryption software:

- Once it has finished encrypting the files, a text file is opened with the message "Very bad news...":

- From this moment on, users will not be able to access any of the documents that have been encrypted.
Below is an example of the file header of a JPG file before being encrypted:

The following image is the same file header after being encrypted:

If users attempt to open a JPG file, it will not be displayed.
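For triage on an affected computer, the header change described above can be checked in bulk. The following Python script is an added example, not part of the original description: it assumes an encrypted file no longer starts with its format's standard signature, checks only JPG, DOC and XLS (TXT has no signature, and DB is left out), and reports whether CRYPTLOGFILE.TXT is present; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Standard leading signatures for three of the targeted types (assumption of
# this example: an encrypted file no longer starts with its signature).
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SIGNATURES = {".jpg": b"\xff\xd8\xff", ".doc": OLE2, ".xls": OLE2}
LOG_NAME = "CRYPTLOGFILE.TXT"  # file the Trojan creates in the Windows directory

def header_intact(path):
    """True/False for a checked type; None when the extension is not checked."""
    magic = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic

def triage(doc_root, windows_dir):
    """Report the log file's presence and every checked file with a bad header."""
    suspect = []
    for folder, _dirs, names in os.walk(doc_root):
        for name in names:
            full = os.path.join(folder, name)
            try:
                if header_intact(full) is False:
                    suspect.append(full)
            except OSError:
                continue  # unreadable file, skip it
    log_present = os.path.isfile(os.path.join(windows_dir, LOG_NAME))
    return {"log_present": log_present, "suspect": sorted(suspect)}

def build_sample(root):
    """Constructed sample tree (hypothetical names and bytes) for a dry run."""
    docs, win = os.path.join(root, "docs"), os.path.join(root, "Windows")
    os.makedirs(docs)
    os.makedirs(win)
    samples = {"ok.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
               "bad.jpg": b"\x8a\x11\x5c\x03\x77\x42\x19\xee",  # scrambled
               "notes.txt": b"plain text, not checked"}
    for name, data in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    open(os.path.join(win, LOG_NAME), "w").close()
    return docs, win

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(*build_sample(tmp)))
```

A flagged file is only a candidate: a file that was mislabelled or truncated before the infection fails the same check.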
How can the files be recovered?
Due to some errors in the Trojan, there is an easy solution to recover the documents without having to pay for it. If you are affected by this Trojan, first of all you have to go to the Windows directory (C:\Windows), find a file called CRYPTLOGFILE.TXT and delete it. This file contains the list of documents it finds in the computer in order to encrypt them.
Once it is deleted, you have to run the malicious file again and, due to some errors, all the files will be decrypted and recovered.
Infection strategy
Ransom.K creates the file CRYPTLOGFILE.TXT in the Windows directory. This text file contains the list of documents the Trojan has found in the computer, which are then encrypted.
Means of transmission
Ransom.K does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Ransom.K is 143,784 bytes.