A New malware(also called as Ransomwares) that encrypts all files in your system and demands $69 for unlocking the files. CyberCriminals offers a free trial version of unlocking tool to recover three important files.
Some versions of this Trojan start locking files once on the system, while other variants start wreaking havoc only after the system is rebooted. This Trojan works silently, in the background.
This Ransomware doesn't encrypt the system files so that victims can pay the demand . This Trojan use simple method to encrypt the files. Once the virus infect the system, it will open the a webpage to tell the victims they are about to be ripped off.
From Malware City report:
Some versions of this Trojan start locking files once on the system, while other variants start wreaking havoc only after the system is rebooted. This Trojan works silently, in the background.
This Ransomware doesn't encrypt the system files so that victims can pay the demand . This Trojan use simple method to encrypt the files. Once the virus infect the system, it will open the a webpage to tell the victims they are about to be ripped off.
From Malware City report:
The ransomware has a folder icon with a double extension: ".zip.exe" that the Trojan desperately tries to hide so as to pass undetected. For that to happen, Trojan.Crypt.VB.U regularly checks the Registry and performs the necessary operations to hide the extensions for known file types (the file appears thus to be a mere archive, since only the .zip extension will be visible to the user), should users change this setting in the meantime.
On the system drive, the ransomware saves in a hidden folder called "rootsetup" the following files:
- eve.ini -> storing the flag used by the two dropped files to synchronize;
- mafw.dat -> a copy of the malware, because the original one is deleted;
- setdat.dat -> contains configuration details including the website to be opened when the user is notified about his locked files;
- setupc.exe -> one of the two dropped files, responsible with maintaining a system configuration and with creating initialization files for the ransomware;
- setupp.exe -> one of the two dropped files, responsible for encrypting files;
Setupp.exe and setupc.exe keep each other running, an approach commonly known as watchdog safeguarding. To stop the ransomware, the two files must be killed simultaneously, otherwise the remaining running process will open the other.
Trojan.Crypt.VB.U creates a hidden file called _galaxy.exe on the system drive (which is a copy of itself) when it finishes encrypting/locking files. The dropper (which saves all these files) starts setupc.exe and setupp.exe. The system is instructed to run these two files at system start.
