Ransomware is known for holding a victim’s files “hostage” (encrypted) while the criminal perpetrator asks the victim to pay a high sum of money (ransom) in exchange for a decryption key that can be used to retrieve the encrypted files.
Just recently, Trend Micro Advanced Threats Researcher Ivan Macalintal reported that a new version of the GPcode ransomware has surfaced, which Trend Micro already detects through the Smart Protection Network as TROJ_RANDSOM.A.
This new ransomware displays the following message upon execution:
Figure 1. Fake error message upon malware execution
It drops several files, which are also detected as TROJ_RANDSOM.A, and then searches for and encrypts files found on any readable and writable drive on the system, rendering them inaccessible without the encryption key. It also renames the encrypted files by adding the .XNC extension.
It also drops the file READ THIS.TXT in each folder that contains an encrypted file. This file informs the victim that the files have been encrypted and that a decrypting tool must be purchased to decrypt them. The text file also lists email addresses that the victim must contact to obtain the decryption tool.
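The two host-side artefacts described above (files renamed with the .XNC extension and a READ THIS.TXT note in each affected folder) can be turned into a simple sweep for incident responders. The following is an added example, not Trend Micro's code; it builds a constructed sample directory tree of its own and reports the folders where both indicators appear together.

```python
"""Sweep a directory tree for the artefacts described in the post: files with
the .XNC extension and a READ THIS.TXT note in each affected folder."""
import os
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "READ THIS.TXT"   # note file name as described in the post
ENCRYPTED_EXT = ".xnc"          # extension appended to encrypted files


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)  # full paths of .XNC files
    note_folders: list = field(default_factory=list)     # folders holding the note

    @property
    def affected_folders(self):
        """Folders with both a note and at least one .XNC file: the strongest signal."""
        enc_dirs = {os.path.dirname(p) for p in self.encrypted_files}
        return sorted(enc_dirs & set(self.note_folders))


def sweep(root):
    """Walk the tree once, collecting both indicators case-insensitively."""
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.upper() == RANSOM_NOTE:
                result.note_folders.append(dirpath)
            elif name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(os.path.join(dirpath, name))
    return result


def build_sample_tree():
    """Constructed sample layout for the demo, not a real infection."""
    root = tempfile.mkdtemp(prefix="xnc_demo_")
    docs = os.path.join(root, "Documents")   # folder hit by the malware
    clean = os.path.join(root, "Music")      # untouched folder
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("report.doc.XNC", "budget.xls.XNC", RANSOM_NOTE):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(clean, "song.mp3"), "w").close()
    return root


if __name__ == "__main__":
    r = sweep(build_sample_tree())
    print(f"{len(r.encrypted_files)} .XNC file(s), notes in {len(r.note_folders)} folder(s)")
    for folder in r.affected_folders:
        print("affected:", folder)
```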
Accordingly, the perpetrator of this crime demands £200 (US$307) for the decryption services.
In the past, we have seen ransomware strike fear through effective social engineering tactics. Some notable ransomware families are the following:
Users are strongly advised to back up their files so as not to be victimized by ransomware.