Ransom.MSIL.VYSMALL.THCOEBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Encrypted Directory}\README{1-10}.txt → a text file that contains only "KYKY" in it.

Other Details

This Ransomware encrypts files with the following extensions:

• .txt
• .docx
• .pdf

It does the following:

• It opens CMD to display the following that serves as the ransom note
  • File Encrypted: {Original file name of the encrypted file}
  • Ransomware Note: Your files have been encrypted. Contact us to get the decryption key.
  • Public Key: {public key of each file}
  • Created README file: {Encrypted Directory}\README{1-10}.txt

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• %Desktop%
• %User Profile%\Links
• %User Profile%\Contacts
• %User Profile%\Documents
• %User Profile%\Downloads
• %User Profile%\Pictures
• %User Profile%\Music
• %User Profile%\OneDrive
• %User Profile%\Saved Games
• %User Profile%\Favorites
• %User Profile%\Searches
• %User Profile%\Videos

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It renames encrypted files using the following names:

• {8 Random Characters}.e4aibjtrguqlyaow