Short Description: Encrypts important user data and demands a ransom in return.
Symptoms: The user may have his files encrypted without his consent and may see a ransom note with instructions on how to pay for them.
Distribution Method: Malicious links, spam mail.
Detection Tool: Download a malware removal tool to see if your system has been affected by Trojan.Ransomcrypt.S.
User Experience: Join our forum to follow the discussion about the Trojan.Ransomcrypt variants.
A variant of the Trojan.Ransomcrypt ransomware infection, this particular trojan is known for encrypting a wide array of file extensions and leaving a ransom note. The ransom note aims to scare users into paying the ransom via anonymous networks in return for the decryption keys, threatening that the files may otherwise be lost forever. Experts advise users not to comply in any way with the demands of the cyber crooks, because there is no guarantee that the files will be decrypted.
Trojan.Ransomcrypt.S – How Did I Get Infected?
Trojans of this type may be downloaded onto your computer by other malicious programs, such as trojan downloaders, that have already infected it. Another way to get them is by visiting a malicious site that downloads the threat directly onto the user's PC, or by opening a dangerous spam mail attachment. Users are strongly advised to use spam filters, since some emails may also be spoofed so that they appear to come from a well-known person or company, and the user falls into the trap.
Trojan.Ransomcrypt.S In Detail
According to Symantec, the .S variant of this trojan also encrypts certain files on the user's PC and leaves a ransom note. Once it has been activated on a target PC, it drops a copy of a malicious .dll file called reg.dll in the %Temp% folder. After doing so, the trojan begins tampering with PC settings, creating the following registry entry for the copied .dll file:
→HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WINUP" = "regsvr32 "%Temp%\reg.dll"
This registry entry makes the trojan run every time the system starts. The next step is for the trojan to connect to the attackers' domain. One malicious domain identified by Symantec's threat analysts was:
After connecting to the remote domain, the threat then downloads the following files into the infected PC's %Temp% folder:
t0.da0; t0.daa; t0.da1
After downloading the files, it most likely uses them to encrypt user files of these formats:
→.txt .html .htm .css .wmv .wallt .odt .ods .odp .odm .odc .odb .doc .docx .docm .wps .xls .xlsx .xlsm .xlsb .xlk .ppt .pptx .pptm .mdb .accdb .pst .dwg .dxf .dxg .wpd .rtf .wb2 .mdf .dbf .psd .pdd .pdf .eps .ai .indd .cdr .jpg .jpe .jpg .dng .3fr .arw .srf .sr2 .bay .crw .cr2 .dcr .kdc .erf .mef .mrw .nef .nrw .orf .raf .raw .rwl .rw2 .r3d .ptx .pef .srw .x3f .der .cer .crt .pem .pfx .p12 .p7b .p7c
Just like CryptoWall ransomware, the trojan then creates the HELP_DECRYPT.HTML file (http://sensorstechforum.com/help_decrypt-files-description-and-removal/), which contains the same instructions as the CryptoWall ones (http://sensorstechforum.com/remove-cryptowall-3-0-and-restore-the-encrypted-files/).
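The indicators above (the "WINUP" Run value launching regsvr32 on %Temp%\reg.dll, the three t0.* files dropped in %Temp%, and the HELP_DECRYPT.HTML note) can be turned into a quick host check. The script below is an added example written for this page, not Symantec's tooling or code from the original article: it flags any HKCU Run entry in which regsvr32 registers a DLL from a temp directory, looks for the dropped files and the ransom note, and ships with constructed sample Run entries so it can be exercised on a non-Windows machine. The value name "Updater" and the OneDrive/Plugin entries in the sample are invented for illustration.

```python
import os
import re
import sys

# Indicators taken from the writeup: the HKCU Run value "WINUP" that launches
# regsvr32 on %Temp%\reg.dll, the files dropped in %Temp%, and the note name.
# The detection logic itself is an added example, not Symantec's.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_TEMP_FILES = ("reg.dll", "t0.da0", "t0.daa", "t0.da1")
RANSOM_NOTE = "HELP_DECRYPT.HTML"

# regsvr32 / regsvr32.exe as a command token: at the start of the command
# line or right after a path separator, whitespace or a quote.
REGSVR32_RE = re.compile(r'(?:^|[\s\\"])regsvr32(?:\.exe)?\b', re.IGNORECASE)
# Any spelling of the user or system temp directory inside the command line.
TEMP_PATH_RE = re.compile(r"%temp%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\",
                          re.IGNORECASE)


def classify_run_value(name, command):
    """Return the reasons a Run entry matches the persistence described above.
    An empty list means the entry looks benign by these checks."""
    reasons = []
    if REGSVR32_RE.search(command) and TEMP_PATH_RE.search(command):
        reasons.append("regsvr32 registers a DLL from a temp directory")
    if name.strip().upper() == "WINUP":
        reasons.append('value name "WINUP" matches the known indicator')
    return reasons


def find_suspicious(entries):
    """entries: iterable of (value_name, command_line). Returns the flagged ones
    as (value_name, reasons) tuples, in input order."""
    flagged = []
    for name, command in entries:
        reasons = classify_run_value(name, command)
        if reasons:
            flagged.append((name, reasons))
    return flagged


def read_hkcu_run():
    """Enumerate the HKCU Run key on Windows; on other platforms return []."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            entries.append((name, str(value)))
            index += 1
    return entries


def find_dropped_files(temp_dir):
    """Names from DROPPED_TEMP_FILES that exist directly inside temp_dir."""
    return [f for f in DROPPED_TEMP_FILES
            if os.path.isfile(os.path.join(temp_dir, f))]


def find_ransom_notes(root):
    """Paths of HELP_DECRYPT.HTML notes found anywhere below root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.upper() == RANSOM_NOTE:
                hits.append(os.path.join(dirpath, f))
    return hits


# Constructed sample Run entries (not taken from a real machine).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WINUP", r'regsvr32 "%Temp%\reg.dll"'),
    ("Updater", r'C:\Windows\System32\regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll'),
    ("Plugin", r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'),
]

if __name__ == "__main__":
    # On Windows the live Run key is checked; elsewhere the sample data is used.
    entries = read_hkcu_run() or SAMPLE_RUN_ENTRIES
    for name, reasons in find_suspicious(entries):
        print(f"[!] Run value {name!r}: " + "; ".join(reasons))
    temp_dir = os.environ.get("TEMP", "")
    if temp_dir:
        for f in find_dropped_files(temp_dir):
            print(f"[!] dropped file present: {os.path.join(temp_dir, f)}")
        for note in find_ransom_notes(os.path.expanduser("~")):
            print(f"[!] ransom note found: {note}")
```

The regsvr32-from-temp rule is deliberately broader than the single "WINUP" value name, so a renamed value using the same loading trick is still caught, while a regsvr32 entry pointing at a DLL under Program Files is left alone.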
Remove Trojan.Ransomcrypt.S Fully from Your PC
To remove the .S variant of this trojan from your computer, follow the step-by-step instructions below. It is recommended to boot into Safe Mode and scan your computer with an advanced anti-malware tool. Tech-savvy users who want to try to decrypt their data can also check these links:
Methods for decryption:
Scan and remove ransomware via a live OS: