Ransom:Win32/Threatfin is classified as a ransomware that is usually installed via other malware through a backdoor. Ransom:Win32/Threatfin displays a full-screen message that blocks the desktop and makes it inaccessible. Certain files may also be encrypted. The displayed message contains information about paying a fee so that access to the PC is regained. Security specialists do not recommend paying the ransom since the files may not be decrypted. The most effective measure against ransomware is having all important files backed up on an external device or via a cloud service.
Ransom:Win32/Threatfin Description
Researchers have reported that Ransom:Win32/Threatfin is installed on a computer as a dynamic link library file. The DLL file can be loaded by other malicious threats. It can be found in either directories:
%TEMP% \ie2.dl
%TEMP% \reg.dll
Furthermore, Ransom:Win32/Threatfin can create new registry keys so that it runs every time the PC is started. Here is a short list of added registry entries, as reported by Microsoft:
- In subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: “IE11”
With data: “regsvr32 “%temp%\ie2.dll”” - In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: “WINUP”
With data: “regsvr32 “%temp%\reg.dll”
or
Once installed on a machine, Ransom:Win32/Threatfin will create some files on the user’s desktop:
1.jpg
2.jpg
3.jpg
4.jpg
5.jpg
HELP_DECRYPT.html
The six listed files can be described as the ransomware’s payload preventing the user from accessing his computer. The message displayed by Ransom:Win32/Threatfin pushes users to pay a certain amount of money, usually through BitCoin, in order to reclaim their computers and decrypt encrypted data.
However, paying the ransom does not necessarily result in data decryption since such threats are solely created to generate revenue for attackers.
Ransom:Win32/Threatfin Variants Similar to CryptoBot
Researchers warn that some variants of Ransom:Win32/Threatfin launch a window named CryptoBot. The displayed window contains information about the actions executed by the threat and a list of the encrypted files.
The CryptoBot file is installed as a text file:
%TEMP% \crypto_bot.log
Files with the following extensions will be encrypted:
3fr
accdb
ai
arw
bay
cdr
cer
cr2
crt
crw
css
dbf
dcr
der
dng
doc
docm
docx
dwg
dxf
dxg
eps
erf
htm
indd
jpe
jpg
kdc
mdb
mdf
mef
mrw
nef
nrw
odb
odc
odm
odp
ods
odt
orf
p12
p7b
p7c
pdd
pef
pem
pfx
ppt
pptm
pptx
psd
pst
ptx
r3d
raf
raw
rtf
rw2
rwl
sr2
srf
srw
wallt
wb2
wmv
wpd
wps
x3f
xlk
xls
xlsb
xlsm
xlsx
After encryption has finished, the attackers will contact a remote host. Researchers at Microsoft reported that the ransomware attempts to connect to 65.49.8.104 at TCP port 443 to send and receive data from a remote server.
To stay secure against ransomware, users should frequently back up all of their valuable files to an external device or in a cloud.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
