Mr. Robot, James Bond, Pokemon, and much more.
This ransomware also has some special techniques to avoid leaving traces behind after the infection. One interesting method is deleting the usn journal.
Fsutil.exe usn deletejournal /D c: provides the solution to delete the journal cache. The cache detects, among other things, what changes have been made in a file after an encryption. In this way, only the cybercriminals (or anyone) can keep this information.
The file decoder sheds a light on what kinds of users the cybercriminals would like to target if you look at the list of file types.
It especially checks for filetypes of Virtual machines (e.g. vhdx, vmdk, vbox,…). This means they are also targeting the corporate arena and not just the “home user”.
The file decoder gives us an insight into what would happen on the victim’s computers’ if he paid the ransom.
The user should disable their antivirus or anti-malware program and should click on the decryption.lnk on the desktop. Additionally, after the files are decrypted, the filecoder plus the created task will be deleted from the system. Anyway, we recommend never to follow these instructions from cybercriminals.
The camouflaged file cscc.dat is originally a sys file which is part of the open encryption solution called “DiskCryptor” used by the ransomware.
This encryption method doesn’t change the file extension like many other file encryptors such as Locky. It remains the same but appends a string at the end of the file where “encrypted” can be read.
This time, it looks like the criminals spent more time creating the onion link page. It even has a loading animation of a decryption.
But don’t worry, Avira is already protecting you against this ransomware.