The AutoTRON virus is a newly discovered threat that uses the built-in ransomware engine to rename target sensitive files with the .tron extension. Our in-depth removal guide shows how victims can recover the data and remove the threat from their computers.
|Short Description||The ransomware encrypts sensitive information on your computer system with the .tron extension and demands a ransom to be paid to allegedly recover them.|
|Symptoms||The ransomware will encrypt your files with a strong encryption algorithm.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by AutoTRON |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss AutoTRON.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
AutoTRON Virus – Distribution Ways
The AutoTRON virus is being distributed against users worldwide. At the moment thers is no information about the criminal or group behind the attacks. It is speculated that beginner users are behind the attack as it is a customized strain of another recent virus.
The number of captured strains is very low which is a clear indicator that the attacks are very small in volume or that the campaign has no started. This leads us to believe that the operators will likely use the most popular tactics. A main virus delivery metod is the use of spam email messages. They use social engineering tricks in order to coerce the targets into interacting with the dangerous element. The malware files can be either attached directly to the messages or hyperlinked in the body contents. The most common way is to take contents such as images and text from well-known Internet services. They are used to customized the messages and make them look like sent from legitimate sources. The emails are also the primary delivery method for distributing infected payloads. There are two primary types:
- Software Installers — They are made by the hackers by taking the legitimate files of famous software and embedding thed AutoTRON virus code in them. The hackers typically choose popular software such as utilities, creativity tools or computer games.
- Infected Documents — The criminals can use documents of different types as presentations, rich text documents and spreadsheets. As soon as they are started by the victims a notification prompt will appear asking them to enable the built-in scripts (macros). If this is done the the virus will be downloaded from a remote location and executed on the victim machine.
Other delivery methods that can deliver the AutoTRON virus include web scripts such as banners, pop-ups and redirects. In certain cases through affiliate netowrks they can allow the AutoTRON virus to propagate to legitimate sites as well.
Browser hijackers are another method delivery mechanism. They represent malware web browser add-ons that are made compatible with the most popular software: Mozilla Firefox, Safari, Opera, Microsoft Edge, Opera, Internet Explorer. Once they are installed onto the victim computer default settings are changed in order to redirect the victims to a hacker-controlled site. Changed values include the home page, search engine and new tabs page.
AutoTRON Virus – In-Depth Analysis
Once installed the AutoTRON virus starts to execute its built-in behavior patterns. The threat is written using the AutoIT scripting language it is possible that the hacker or group behind it to have used a template or guide in creating the associated malware samples.
It is possible to customize the AutoTRON samples according to each virus campaign. As such future updates and improved versions of it can begin with a data harvesting module. The data is usually classified into two main types:
- Anonymous Data — It is used by the hacker controllers to analyze how effective the campaign is. It mainly consists of data about the hardware components and certain operating system values.
- Private Data — It is used to directly expose the identity of the victims. The engine is programmed into harvesting strings such as a person’s name, address, phone number, interests, location, passwords and account credentials.
This data can be used by the stealth protection engine if such is available. It scans the infected computers for software and services that can interfere with the correct execution of the virus engine. Examples include virtual machine hosts, anti-virus software and debugging environments. In certain cases the AutoTRON virus can remove itself to avoid detection if it is unable to bypass their engines.
The next step would be to institute system changes to the affected machines. Modifications can be made to the Windows Registry which can result in the inability to start certain applications or services. If the AutoTRON virus affects any of the operating system related entries then this can result in severe performance issues.
When the malware engine is programmed to create a persistent state of execution which makes it very difficult for the victims to remove them using manual methods. A prime example is the modification of certain boot options such as the recovery startup menu. The virus engine can effectively make it impossible to enter into it. The malware engine can also modify the system in order to automatically start it every time it is started.
Some viruses institute a network connection with malware servers. This can be used in a Trojan like behavior by spying on the victims in real time and having the ability to take over control of the affected machines at any given time. This connection can also be used to deploy additional threats.
AutoTRON Virus – Encryption Process
The ransomware engine uses a strong cipher in order to affect personal user files. The captured strains were found to affect the following file types:
The ransomware note is crafted in a README.txt file:
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recovery your files, but do not waste your time. Nobody can recover your files without our decryption service.
Can i Recover my Files ?
Sure, We guarantee that you can recover ll your files safely and easily. But you have not so enough time.
You have only have 10 days to submit the payment. Also, if you don’t pay in 10 days, you won’t be able to recover your files forever.
How Do I pay?
Payment is accepted in bitcoin only. For more inforrmation. Please check the current price of bitcoin and buy some bitcoins.
And send the correct amount to the address specifiled in the window.
After your payment you need to write to us on mail ( email@example.com )
We will decrypt your files.
We strongly recommend you to not remove this software, and disable your anti-virus for a while, untill you pay and the payment gets processed. If your anti-virus gets updated and removes this software autmatically, it will not be able to recover your files even if you pay!
To unlock the computer, you must transfer the bitcoins to this address: 1GFDAKpVsGskvn4RmnjjUxmcrX54xC41nY
to contact us, write here: firstname.lastname@example.org
For buy bitcoins, i can advise
The essence of the work through the exchangers is very simple: Choose what currency to change.
Then what currency you want to ( in our case – want to receive bitcoins )
Indicate the requisites of your wallet pay and a few minutes receive bitcoins to your wallet.
if you do not understand, you can watch the video how to exchange your money for bitcoin xxxxs://www.youtube.com/watch?v=Jck4GeBB3-c
All victim files are renamed with the .TRON extension.
Remove AutoTRON Virus and Restore .Tron Files
If your computer system got infected with the AutoTRON ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.