Are you a victim of Smrss32 ransomware? We hope that your system is fully patched and that all your data is sufficiently backed up, but if you have fallen victim to this malware, keep reading. It’s the latest crypto virus that researchers named Smrss32 due to the file it uses for infection – smrss32.exe.
The ransomware is known to use a list of 6,674 file extensions to decide what files to lock on the victim’s computer. This is a very high and unusual number, especially when the “average” ransomware targets between 50 and 500 file types.
Who Is Behind Smrss32 Ransomware?
Apparently, the extension method chosen by the hackers behind the crypto virus shows that they are not experienced. Malware researchers at MalwareHunterTeam say that it would have been much easier for the crooks to whitelist what not to encrypt than to create this huge list.
Another indication of the hackers’ inexperience in malware coding is that most file extensions were duplicated in the list of targeted file types. An example is .PNG and .png. If the hackers had known about case-insensitive comparison, they wouldn’t have made this mistake. Comparing extensions without regard to case would have spared them both time and effort.
Smrss32 ransomware will not encrypt any Windows core files, which means the coders behind it are not utterly unprepared. If the directory name contains AppData, Application Data, Boot, Games, Program Files, Program Files (x86), Program Data, Sample Music, Sample Pictures, System Volume Information, Temp, Windows, cache, thumbs.db, tmp, or winnt, the ransomware will not touch any files inside those directories.
How Does the Smrss32 Infection Happen?
Researchers believe that the ransomware is spread via hacking unsecured RDP connections and installing the malware manually. This is not the first time this distribution technique has been adopted by criminals. Bucbi, Apocalypse and the Shade ransomware have done this too.
Once the ransomware is launched, the victim’s files will be encrypted via the AES encryption algorithm. An .encrypted extension will be appended to all locked files.
The ransom note will be located in the C:/ProgramData/Wallpaper directory. A copy of it will be dropped in every drive root and on the desktop. Once all files are encrypted, the ransomware will delete the folder it was installed from.
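The indicators described above (the .encrypted suffix, the directory names that are left untouched and the C:/ProgramData/Wallpaper note folder) can be checked against a file listing taken from a suspect host. The following Python is an added example, not code from the researchers or from this article; the substring matching of directory names, the sample paths and the note.txt file name are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter

# Directory names the article lists as left untouched by Smrss32.
SKIPPED = ["AppData", "Application Data", "Boot", "Games", "Program Files",
           "Program Files (x86)", "Program Data", "Sample Music",
           "Sample Pictures", "System Volume Information", "Temp", "Windows",
           "cache", "thumbs.db", "tmp", "winnt"]
MARKER = ".encrypted"                    # extension appended to locked files
NOTE_DIR = r"c:\programdata\wallpaper"   # ransom note directory, case-folded


def in_skipped_dir(path):
    # Assumption: case-insensitive substring match on the directory part.
    folder = ntpath.dirname(path).casefold()
    return any(name.casefold() in folder for name in SKIPPED)


def triage(paths):
    """Summarise a file listing taken from a suspect host."""
    report = {"locked": [], "by_type": Counter(), "unexpected": [],
              "note_dir_seen": False}
    for raw in paths:
        path = ntpath.normpath(raw)          # also turns C:/x into C:\x
        folded = path.casefold()
        if folded.startswith(NOTE_DIR + "\\"):
            report["note_dir_seen"] = True
        if not folded.endswith(MARKER):
            continue
        report["locked"].append(path)
        # Case-fold the original extension so .PNG and .png count once.
        original = ntpath.splitext(folded[:-len(MARKER)])[1] or "(none)"
        report["by_type"][original] += 1
        if in_skipped_dir(path):             # contradicts the article: review
            report["unexpected"].append(path)
    return report


# Constructed listing; note.txt is a placeholder, not the real note name.
SAMPLE = [
    r"C:\Users\ana\Documents\report.docx.encrypted",
    r"C:\Users\ana\Pictures\a.PNG.encrypted",
    r"C:\Users\ana\Pictures\b.png.encrypted",
    r"C:\Windows\System32\drivers\etc\hosts.encrypted",
    "C:/ProgramData/Wallpaper/note.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Locked files reported under "unexpected" sit in a directory the article says is skipped, so they point to either a different strain or different matching rules and deserve a manual look.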
Interestingly, this ransomware shares the same ransom note with “CryptoWall Softare” ransomware, named so because of the claim in the ransom note.
Some Victims Have Decided to Pay the Ransom
The ransom demanded by this crypto virus is 1 Bitcoin, and some victims have proceeded with paying cyber criminals for the decryption key, as visible in the cyber criminals’ Bitcoin wallet statistics. Victims are given an email address to contact the ransomware operators. However, paying the ransom is not recommended under any circumstances.
Moreover, researchers have already started working on a decryptor. Bearing in mind the number of decryptors already released, it won’t take long before this ransomware case is solved for good.
What to Do If You Are a Victim of Smrss32 Ransomware
The very first thing every victim should do is remove the ransomware from their system. The easiest way to do so is by using an anti-malware program.
Then, victims can try and restore some of their encrypted files via data recovery software, such as:
In the future, continuously back up your data so that it never falls victim to ransomware again.