Measures against a new ransom trojan variant claiming 2048-bit PGP-RSA encryption of the hard drive
Summary
This type of ransom trojan is dropped by other malware or downloaded from the Internet. It displays a certain message and informs the user that the system is locked. To unlock it again, the user needs to pay money.
The following message will appear if the trojan is executed:

The ransom malware claims that all local files have been encrypted with a 2048-bit PGP key.
In fact it uses RC4 encryption. Because RC4 is a stream cipher, an unencrypted original of an affected file (from a backup or another source) together with its encrypted copy reveals the keystream, so it is possible to decrypt all files.
Malware Behavior
The trojan is dropped by other malware or downloaded while visiting malicious websites.
It makes a copy of itself in the following folder:
C:\WINDOWS\system32\%random%.exe
The following modifications will be done in the registry by the ransom malware:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\%random%.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"D8812EB1"="C:\\Documents and Settings\\%userprofile%\\Application Data\\%random%\\%random%.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableRegedit"=dword:00000001
All files present locally on the system, except those under the "Windows" and "Program" folders, will be locked with RC4. They are renamed to the following pattern:
locked-*original file name*.*4 random characters*
Please refer to this link for more information about this ransom malware.
Solution
Avira provides a decrypting tool, which is named "Avira Ransom File Unlocker".
The "Avira Ransom File Unlocker" is a tool written in .NET 2.0 that decrypts files encrypted by a ransom malware type claiming that the files were encrypted with a 2048-bit PGP key. It actually uses RC4, so with available original files (from a backup or any other source), it is possible to decrypt all files.

The tool will not change or delete the encrypted files, so that no data is lost if the decryption does not work (most likely because a new variant of this malware is involved).
To decrypt the encrypted files, the user has to select an encrypted file from the hard drive and the original version of this file from the hard drive or from another source.
It is imperative that the original version is an exact copy of the file as it was before the system was infected; otherwise the tool will not work correctly.
Update with version 1.0.1: You will now get an error message if you have added 2 encrypted or 2 decrypted files as "Locked file" and "Original file".
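The following added example (not the Avira tool's own code) shows why one original/locked pair is enough to unlock the other files: XORing a known original with its locked copy yields the RC4 keystream, which then decrypts any other file locked under the same key. It assumes the malware reuses a single RC4 key with no per-file header, and it applies the same exact-copy check the tool requires.

```python
"""Recover the RC4 keystream from one known original/locked file pair and
use it to unlock other files encrypted under the same key. Added example;
assumes the malware reuses one RC4 key per machine with no per-file header
(an assumption, not a statement about the tool's internals)."""

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); used here only to construct sample files."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def recover_keystream(original: bytes, locked: bytes) -> bytes:
    """A stream cipher XORs plaintext with keystream, so XORing a known
    original with its locked copy returns the keystream bytes. The pair must
    be exact copies: a size mismatch means the wrong original was chosen."""
    if len(original) != len(locked):
        raise ValueError("original and locked file differ in size")
    return bytes(p ^ c for p, c in zip(original, locked))

def unlock(locked: bytes, keystream: bytes) -> bytes:
    """Decrypt another locked file. Only as many bytes as the recovered
    keystream covers can be restored; a longer file needs a longer pair."""
    if len(locked) > len(keystream):
        raise ValueError("locked file is longer than the recovered keystream")
    return bytes(c ^ k for c, k in zip(locked, keystream))

# Constructed sample: two "files" locked by the same key.
_KEY = b"constructed-demo-key"
DOC_A = b"Quarterly report, draft 3. Confidential. " * 2
DOC_B = b"Meeting notes: restore from backup first."
LOCKED_A = rc4(_KEY, DOC_A)
LOCKED_B = rc4(_KEY, DOC_B)

def demo() -> bytes:
    ks = recover_keystream(DOC_A, LOCKED_A)   # DOC_A restored from backup
    return unlock(LOCKED_B, ks)               # DOC_B has no backup copy

if __name__ == "__main__":
    print(demo().decode())
```

The recovered keystream only covers as many bytes as the known pair, so the largest file you have an original for is the best one to select.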
Affected products
- Avira Professional Security, Version 2013 [Windows]
- Avira Free Antivirus [Windows]
- Avira Antivirus Premium 2013 [Windows]
- Avira Internet Security 2013 [Windows]
- Avira Professional Security, Version 2012 [Windows]
- Avira Antivirus Premium, Version 2012 [Windows]
- Avira Internet Security, Version 2012 [Windows]
- Created : Friday, April 27, 2012
- Last updated: Monday, April 22, 2013
© 2013 Avira Operations GmbH & Co. KG. All rights reserved.