ransomware

New ransomware variant detected: Trj/Crypdef.A!

Our colleagues at PandaLabs have discovered a new strain of ransomware, a piece of malicious software which allows cyber-criminals to remotely lock the computers they infect.

Ransomware locks computer systems and encrypts files, demanding the user pay a ransom to get control back.

The new variant has been detected as Trj/Crypdef.A.

ransomware

 

How Trj/Crypdef.A works

  • It creates the following registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\(file name)\DEBUG
  • It creates the directory C:\ZeroLocker and copies itself to it as the file ZeroRescue.exe
  • It creates the following registry entry so that it runs whenever the computer starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “FileRescue”

Data: C:\ZeroLocker\ZeroRescue.exe

  • It connects to the following URLs:
    • hXXp://5.199.171.47/patriote/sansviolence
    • hXXp://5.199.171.47/zConfig/173812
    • hXXp://5.199.171.47/zImprimer/446305781-6Anf32MoZG805MwwG2lX-17xQqSvhHu3bEmYdmo1G1hwob1h6UFq3oe

How to avoid the ransomware

  • Keep your operating system up to date to avoid security vulnerabilities.
  • Install a good antivirus.
  • Do not open email messages or files from unknown sources.
  • Avoid accessing unsafe Web pages or pages with questionable content.

 

Related News

Leave a Reply

Your email address will not be published. Required fields are marked *

COPYRIGHT 2014 PANDA SECURITY