Attention! All data on your hardrive is encrypted

From Botnets.fr
Latest revision as of 22:12, 5 August 2015

Title: Attention! All data on your hardrive is encrypted
Botnet: Matsnu
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2013-01-30
Editor/Conference: AVG
Link: http://blogs.avg.com/news-threats/attention-data-hardrive-encrypted (Archive copy)
Author: Tomas Prochazka, Michal Cebak
Type:

Abstract

We have seen various mutations of the well-known "police ransomware" Trojan throughout the year. Despite the threatening and convincing message it carries, most people probably choose to avoid the "fine" by simply removing the malware. Well, the following ransomware is a little bit different.

After the sample is executed and the initial emulator and virtual-machine detection checks are passed, the process spawns either ctfmon.exe or svchost.exe (randomly chosen) and injects its own code into it. This injected system process then executes the copy of the sample from the %TEMP% folder, which creates another ctfmon.exe or svchost.exe child process with injected code and finally starts some interesting actions.

Bibtex

 @misc{2013BFR1289,
   editor = {AVG},
   author = {Tomas Prochazka and Michal Cebak},
   title = {Attention! All data on your hardrive is encrypted},
   day = {30},
   month = jan,
   year = {2013},
   howpublished = {\url{http://blogs.avg.com/news-threats/attention-data-hardrive-encrypted}},
 }