Ransom:Win32/Threatfin is classified as a ransomware that is usually installed via other malware through a backdoor. Ransom:Win32/Threatfin displays a full-screen message that blocks the desktop and makes it inaccessible. Certain files may also be encrypted. The displayed message contains information about paying a fee so that access to the PC is regained. Security specialists do not recommend paying the ransom since the files may not be decrypted. The most effective measure against ransomware is having all important files backed up on an external device or via a cloud service.
Researchers have reported that Ransom:Win32/Threatfin is installed on a computer as a dynamic link library (DLL) file, which other malicious components can load. It can be found in either of these directories:
Furthermore, Ransom:Win32/Threatfin can create new registry keys so that it runs every time the PC is started. Here is a short list of added registry entries, as reported by Microsoft:
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "IE11"
  With data: "regsvr32 "%temp%\ie2.dll""
- In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Sets value: "WINUP"
  With data: "regsvr32 "%temp%\reg.dll""
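The two Run entries above share a pattern that is worth checking for on its own: a DLL-loading host binary (regsvr32) pointed at a file in the user's temp directory. The following script is an added example, not code from the original article or from Microsoft; it scans a list of Run-key values, flags an exact match on the two reported Threatfin entries, and also applies a broader heuristic (regsvr32 or rundll32 loading from %temp%, %tmp% or AppData\Local\Temp) that goes beyond the two specific values. The sample values are constructed; the `read_hkcu_run` helper is an assumed convenience that only works on Windows.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values.
# The IE11 and WINUP entries are the ones Microsoft reported for Threatfin;
# the other two are benign padding added for this example.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("IE11", r'regsvr32 "%temp%\ie2.dll"'),
    ("WINUP", r'regsvr32 "%temp%\reg.dll"'),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" --quiet'),
]

# Exact (value name, data) pairs reported for Ransom:Win32/Threatfin.
THREATFIN_IOCS = {
    ("IE11", r'regsvr32 "%temp%\ie2.dll"'),
    ("WINUP", r'regsvr32 "%temp%\reg.dll"'),
}

# Heuristic: the command starts with regsvr32/rundll32 (optionally with a full
# path and/or .exe suffix) and references a user-writable temp location.
LOADER_RE = re.compile(r'^\s*"?(?:.*\\)?(regsvr32|rundll32)(?:\.exe)?"?\s', re.IGNORECASE)
TEMP_PATH_RE = re.compile(r'(%temp%|%tmp%|\\appdata\\local\\temp\\)', re.IGNORECASE)


class Finding(NamedTuple):
    value_name: str
    data: str
    reason: str


def assess_run_value(name: str, data: str) -> Optional[Finding]:
    """Return a Finding if a Run value looks like Threatfin-style persistence."""
    if (name, data) in THREATFIN_IOCS:
        return Finding(name, data, "exact match: Ransom:Win32/Threatfin persistence entry")
    if LOADER_RE.match(data) and TEMP_PATH_RE.search(data):
        return Finding(name, data, "heuristic: regsvr32/rundll32 loading a DLL from a temp directory")
    return None


def scan_run_values(values: List[Tuple[str, str]]) -> List[Finding]:
    """Assess every (name, data) pair and keep only the suspicious ones."""
    return [f for f in (assess_run_value(n, d) for n, d in values) if f is not None]


def read_hkcu_run() -> List[Tuple[str, str]]:
    """Windows only (assumed helper): enumerate the current user's Run key."""
    import winreg  # raises ImportError on non-Windows hosts
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            i += 1
    return values


if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{f.value_name}: {f.data}  <- {f.reason}")
```

On a live Windows host, replace `SAMPLE_RUN_VALUES` with `read_hkcu_run()`; the same two checks then run over whatever the user's Run key actually contains. The heuristic is deliberately narrow (loader plus temp path) so that signed vendor updaters in Program Files or AppData\Local do not trip it.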
Once installed on a machine, Ransom:Win32/Threatfin will create some files on the user’s desktop:
The six listed files make up the ransomware's payload, which prevents the user from accessing their computer. The message displayed by Ransom:Win32/Threatfin pushes users to pay a certain amount of money, usually in Bitcoin, in order to reclaim their computers and decrypt the encrypted data.
However, paying the ransom does not necessarily result in data decryption since such threats are solely created to generate revenue for attackers.
Ransom:Win32/Threatfin Variants Similar to CryptoBot
Researchers warn that some variants of Ransom:Win32/Threatfin launch a window named CryptoBot. The displayed window contains information about the actions executed by the threat and a list of the encrypted files.
The CryptoBot file is installed as a text file:
Files with the following extensions will be encrypted:
After encryption has finished, the ransomware contacts a remote host. Researchers at Microsoft reported that it attempts to connect to 126.96.36.199 on TCP port 443 to send data to and receive data from a remote server.
To stay secure against ransomware, users should frequently back up all of their valuable files to an external device or in a cloud.