
Unix.Ransomcrypt.B


First posted on 24 November 2015.
Source: Symantec

Aliases:

There are no other names known for Unix.Ransomcrypt.B.

Explanation:

Once executed, the Trojan creates the following files:
/readme.crypto
[FOLDER WITH ENCRYPTED FILES]/README_FOR_DECRYPT.txt
It then forks itself as a daemon process.

The Trojan then searches for and encrypts files in the following folders:
/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log
The Trojan also encrypts files in folders whose path contains any of the following strings:
public_html
webapp
backup
.git
.svn
It also encrypts files with the following extensions:
.7z .aac .apk .asp .aspx .avi .class .css .csv .db .dll .doc .docx .exe .gif .gz .html .jar .java .jpeg .jpg .js .mov .mp3 .mp4 .pdf .php .phtml .png .properties .psd .pub .rar .ruby .sql .tar .tgz .tpl .txt .war .wav .wma .wmv .xls .xml .zip
The Trojan adds the following file extension to all the files it encrypts:
.encrypted
Next, the Trojan copies the following .txt file into each folder that contains encrypted files:
[FOLDER WITH ENCRYPTED FILES]/README_FOR_DECRYPT.txt
The .txt file contains a ransom message and payment instructions.
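The behaviour above (target folders, folder name substrings, extension list, the appended .encrypted extension, the per-folder README_FOR_DECRYPT.txt and the /readme.crypto marker) is enough to write a triage script. The following Python is an added example for this page; it is not Symantec's code and not part of the Trojan. It encodes the indicators exactly as listed above, walks a directory tree for the artefacts the Trojan leaves behind, and answers "would this file have been a target?" so the scope of an incident can be estimated. Two assumptions are labelled in the code: the write-up does not state whether the three targeting rules combine with AND or OR (the script treats them as OR, which over-reports), and the sample directory tree the demo builds is constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Indicators transcribed from the write-up above.
TARGET_DIRS = ["/home", "/root", "/var/lib/mysql", "/var/www",
               "/etc/nginx", "/etc/apache2", "/var/log"]
TARGET_DIR_SUBSTRINGS = ["public_html", "webapp", "backup", ".git", ".svn"]
TARGET_EXTENSIONS = {
    ".7z", ".aac", ".apk", ".asp", ".aspx", ".avi", ".class", ".css", ".csv",
    ".db", ".dll", ".doc", ".docx", ".exe", ".gif", ".gz", ".html", ".jar",
    ".java", ".jpeg", ".jpg", ".js", ".mov", ".mp3", ".mp4", ".pdf", ".php",
    ".phtml", ".png", ".properties", ".psd", ".pub", ".rar", ".ruby", ".sql",
    ".tar", ".tgz", ".tpl", ".txt", ".war", ".wav", ".wma", ".wmv", ".xls",
    ".xml", ".zip",
}
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
ROOT_MARKER = "readme.crypto"   # /readme.crypto when scanning a live root


def would_be_targeted(path: str) -> bool:
    """True if `path` matches any of the three targeting rules in the write-up.

    Assumption: the write-up does not say how the three rules combine, so they
    are treated here as alternatives (OR). That over-reports rather than
    under-reports exposure, which is the safer error when scoping a response.
    """
    p = Path(path)
    parent = p.parent.as_posix()
    if any(parent == d or parent.startswith(d + "/") for d in TARGET_DIRS):
        return True
    # Plain substring match, as the write-up describes; ".git" also hits ".github".
    if any(s in parent for s in TARGET_DIR_SUBSTRINGS):
        return True
    return p.suffix.lower() in TARGET_EXTENSIONS


def scan_for_indicators(root: str) -> dict:
    """Walk `root` and collect the on-disk artefacts described in the write-up."""
    found = {"root_marker": False, "ransom_notes": [], "encrypted_files": []}
    if os.path.isfile(os.path.join(root, ROOT_MARKER)):
        found["root_marker"] = True
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(full)
            elif name.endswith(ENCRYPTED_SUFFIX):
                found["encrypted_files"].append(full)
    found["ransom_notes"].sort()
    found["encrypted_files"].sort()
    return found


def original_name(encrypted_path: str) -> str:
    """Recover the pre-encryption filename: the Trojan appends .encrypted, it does not replace."""
    if not encrypted_path.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not a file renamed by this Trojan: " + encrypted_path)
    return encrypted_path[: -len(ENCRYPTED_SUFFIX)]


def build_sample_tree() -> str:
    """Constructed sample data (not from the page): a small tree that looks like a hit."""
    root = tempfile.mkdtemp(prefix="ransomcrypt_demo_")
    site = Path(root, "var", "www", "public_html")
    site.mkdir(parents=True)
    (site / "index.php.encrypted").write_bytes(b"\x00" * 32)
    (site / "logo.png.encrypted").write_bytes(b"\x00" * 32)
    (site / RANSOM_NOTE).write_text("constructed ransom note\n")
    Path(root, ROOT_MARKER).write_text("constructed marker\n")
    clean = Path(root, "opt", "tool")
    clean.mkdir(parents=True)
    (clean / "notes.md").write_text("untouched\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits = scan_for_indicators(demo_root)
    print("root marker present:", hits["root_marker"])
    for note in hits["ransom_notes"]:
        print("ransom note:", note)
    for enc in hits["encrypted_files"]:
        print("encrypted:", enc, "-> was", original_name(enc))
```

On a suspect host, call scan_for_indicators("/") against a read-only mounted image rather than the running system, so the walk itself does not alter timestamps. The scan keys on filenames only, which is what the write-up gives; it does not try to verify that a .encrypted file's contents are actually ciphertext.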

Last update 24 November 2015
