We are receiving reports of a ransom trojan that has been circulating for the last two days.
When first run on the system, the ransomware iterates over every folder on the system. Every document, image, and shortcut (.lnk) file it finds is encrypted and renamed with the extension .EnCiPhErEd. In each folder it drops a text file called “HOW TO DECRYPT.TXT” containing instructions on how to proceed. The bandit is demanding 50€.
It drops a copy of itself in the system’s temp folder under a random name. It creates registry entries that associate the .EnCiPhErEd extension with that copy, so the temp folder copy is launched whenever one of the encrypted files is opened, in order to demand the decryption password. After five attempts it no longer accepts passwords; it then deletes itself, leaving your data encrypted.
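A defender’s triage script for the behaviour described above, added here as an example (it is not from the original post or the analysts’ own tooling): it walks a directory tree looking for the .EnCiPhErEd extension and the ransom note, and on Windows reads back whatever command the extension association now launches. The constructed sample tree and the standard HKCR key layout are assumptions.

```python
"""Triage helper for the .EnCiPhErEd ransom trojan (added example, not the post's)."""
import os
import sys
import tempfile

RANSOM_EXT = ".EnCiPhErEd"          # extension appended to every encrypted file
RANSOM_NOTE = "HOW TO DECRYPT.TXT"  # note dropped in each affected folder


def scan_tree(root):
    """Walk root; return folder -> {"encrypted": [names], "note": bool}
    for every folder showing at least one of the two indicators."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        enc = sorted(f for f in files if f.lower().endswith(RANSOM_EXT.lower()))
        note = any(f.upper() == RANSOM_NOTE for f in files)
        if enc or note:
            hits[folder] = {"encrypted": enc, "note": note}
    return hits


def ext_launcher_command():
    """Windows only: return the shell\\open\\command registered for the
    .EnCiPhErEd extension, or None if absent / not on Windows.  The trojan
    points this at its copy in %TEMP%, so a command under the temp folder is
    a strong indicator.  Uses the standard HKCR layout, not page-specific keys."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, RANSOM_EXT) as key:
            progid, _ = winreg.QueryValueEx(key, "")
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            progid + r"\shell\open\command") as key:
            cmd, _ = winreg.QueryValueEx(key, "")
        return cmd
    except OSError:
        return None


def demo():
    """Build a constructed tree (one hit folder, one clean folder) and scan it.
    Returns hits keyed by folder name relative to the temp root."""
    base = tempfile.mkdtemp()
    hit, clean = os.path.join(base, "Documents"), os.path.join(base, "Windows")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("report.doc" + RANSOM_EXT, "photo.jpg" + RANSOM_EXT, RANSOM_NOTE):
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "notepad.exe"), "w").close()  # untouched file
    return {os.path.relpath(k, base): v for k, v in scan_tree(base).items()}
```

Run `scan_tree` against a user's profile or a mapped share to get a per-folder list of what was hit; a non-empty `ext_launcher_command()` result pointing into the temp folder means the association persistence is still in place.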
Our threat hunters think the source of this ransomware may be malicious tags injected into websites, particularly forums.
Here’s how encrypted files look once the trojan has done its work:
This is the content of the text file:
The “Error!” message that you’ll get if the wrong password is input:
Another error message, repeating the demands found in the .txt file:
The encryption used by this trojan is not as complex as some other ransomware we’ve analyzed, such as Gpcode. Investigations to determine if its encryption can be cracked are ongoing.
Analysis by — K.M. Chang
On 12/04/12 At 12:47 PM