Remove Ransom:Win32/Threatfin Completely

Ransom:Win32/Threatfin is classified as ransomware that is usually installed by other malware through a backdoor. Ransom:Win32/Threatfin displays a full-screen message that blocks the desktop and makes it inaccessible. Certain files may also be encrypted. The displayed message contains instructions for paying a fee so that access to the PC is regained. Security specialists do not recommend paying the ransom, since the files may not be decrypted. The most effective measure against ransomware is having all important files backed up on an external device or via a cloud service.


Ransom:Win32/Threatfin Description

Researchers have reported that Ransom:Win32/Threatfin is installed on a computer as a dynamic link library (DLL) file. The DLL file can be loaded by other malicious threats. It can be found at either of these paths:

%TEMP%\ie2.dll
%TEMP%\reg.dll

Furthermore, Ransom:Win32/Threatfin adds registry entries so that it runs every time the PC is started. Here is a short list of the added registry entries, as reported by Microsoft:

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: “IE11”
    With data: regsvr32 "%temp%\ie2.dll"

  or

  • In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: “WINUP”
    With data: regsvr32 "%temp%\reg.dll"
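The persistence pattern above (a Run-key value that uses regsvr32 to load a DLL out of the user's temp directory) is easy to check for on an exported Run-key listing. The following is an added example, not code from the article: it parses a constructed `reg query` style dump (sample data, not from a real host), flags any entry matching that pattern, and notes when the value name or DLL name also matches the IE11/WINUP and ie2.dll/reg.dll indicators listed above. The function names are this example's own.

```python
"""Flag Run-key entries matching the Threatfin persistence pattern (added example,
not the article's own code; the input below is a constructed `reg query` dump)."""
import re

# Value names and DLL names reported for this family in the article.
KNOWN_VALUE_NAMES = {"IE11", "WINUP"}
KNOWN_DLLS = {"ie2.dll", "reg.dll"}

# regsvr32 [/s] "<dir>\x.dll" where <dir> is %temp% or an expanded ...\Temp path.
REGSVR32_TEMP_DLL = re.compile(
    r'regsvr32(?:\.exe)?\s+(?:/s\s+)?"?(?:%temp%|[^"]*\\temp)\\(?P<dll>[^"\\]+\.dll)"?',
    re.IGNORECASE,
)

# Constructed sample of `reg query HKCU\...\Run` output (not real host data).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    IE11        REG_SZ    regsvr32 "%temp%\ie2.dll"
    WINUP       REG_SZ    regsvr32 "C:\Users\alice\AppData\Local\Temp\reg.dll"
    Updater     REG_SZ    regsvr32 /s "C:\Program Files\Vendor\helper.dll"
"""

def parse_run_entries(reg_output):
    """Return (value_name, data) pairs from `reg query` style output."""
    entries = []
    for line in reg_output.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def suspicious_run_entries(reg_output):
    """Flag entries that load a DLL from the user temp directory via regsvr32."""
    findings = []
    for name, data in parse_run_entries(reg_output):
        m = REGSVR32_TEMP_DLL.search(data)
        if not m:
            continue  # benign autorun, or regsvr32 of a DLL outside %TEMP%
        reasons = ["regsvr32 loads a DLL from the user temp directory"]
        if name in KNOWN_VALUE_NAMES:
            reasons.append("value name matches a reported Threatfin entry")
        if m.group("dll").lower() in KNOWN_DLLS:
            reasons.append("DLL name matches a reported Threatfin payload")
        findings.append({"value": name, "data": data, "reasons": reasons})
    return findings
```

On a live Windows host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the temp-directory pattern is the generic signal, and the name matches only raise confidence.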

Once installed on a machine, Ransom:Win32/Threatfin creates the following files on the user’s desktop:

1.jpg
2.jpg
3.jpg
4.jpg
5.jpg
HELP_DECRYPT.html

The six listed files can be described as the ransomware’s payload, preventing the user from accessing their computer. The message displayed by Ransom:Win32/Threatfin pushes users to pay a certain amount of money, usually through Bitcoin, in order to reclaim their computers and decrypt the encrypted data.

However, paying the ransom does not necessarily result in data decryption since such threats are solely created to generate revenue for attackers.

Ransom:Win32/Threatfin Variants Similar to CryptoBot

Researchers warn that some variants of Ransom:Win32/Threatfin launch a window named CryptoBot. The displayed window contains information about the actions executed by the threat and a list of the encrypted files.

The CryptoBot log is written as a text file:

%TEMP%\crypto_bot.log

Files with the following extensions will be encrypted:

3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, css, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, htm, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odc, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pdf, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, sr2, srf, srw, wallt, wb2, wmv, wpd, wps, x3f, xlk, xls, xlsb, xlsm, xlsx

After encryption has finished, the ransomware contacts a remote host. Researchers at Microsoft reported that it attempts to connect to 65.49.8.104 on TCP port 443 to send and receive data from a remote server.

To stay secure against ransomware, users should frequently back up all of their valuable files to an external device or to the cloud.


Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
