Ransom:MSIL/Pryptorc.A
First posted on 17 October 2014.
Source: Microsoft
Aliases:
There are no other names known for Ransom:MSIL/Pryptorc.A.
Explanation:
Threat behavior
Installation
Ransom:MSIL/Pryptorc.A can be installed on your PC during a drive-by-download. We have seen it use the following file name:
- GreetingCard.exe
When run, it drops and opens the following file to masquerade as a legitimate greeting card:
- "%desktopdirectory%\Greeting Card.html"
Payload
Encrypts your files
Ransom:MSIL/Pryptorc.A searches for files in all folders with the following extensions and then encrypts them:
- .7gz
- .7z
- .accdb
- .backup
- .backupdb
- .blend
- .bmp
- .cab
- .csv
- .dat
- .db
- .doc
- .docx
- .dot
- .gif
- .gz
- .ico
- .ini
- .jpeg
- .jpg
- .js
- .log
- .moneywell
- .mp3
- .mpg
- .php
- .pl
- .png
- .ppt
- .psd
- .py
- .rar
- .raw
- .tar
- .tif
- .txt
- .wallet
- .wav
- .xls
- .xlsx
- .xml
- .zip
It renames the encrypted files by adding "CR" to their extension, for example:
- .png -> .pngCR
- .jpg -> .jpgCR
Once your files are encrypted, the malware loads the following file to ask you for payment:
- "%desktopdirectory%\Decrypt.html"
Analysis: Jireh Sanico
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
  - %desktopdirectory%\Greeting Card.html
- You see this ransom screen:
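The two observable traces this description gives, the targeted extensions renamed with a trailing "CR" and the HTML files dropped on the desktop, are enough for a simple triage scan during incident response. The script below is an added example, not Microsoft's code or a tool from the advisory: it walks a directory tree, flags files whose name ends in one of the listed extensions followed by "CR", counts them by original extension, and reports the dropped note files. The sample directory it builds in a temporary folder is constructed for the demonstration; the assumption that the original extension may appear in either case (Windows extensions are case-insensitive) is the example's, not the page's.

```python
"""Triage scan for Ransom:MSIL/Pryptorc.A style renaming (added example)."""
import os
import tempfile
from pathlib import Path

# Extensions listed in the description, lowercase with the leading dot.
TARGETED_EXTENSIONS = {
    ".7gz", ".7z", ".accdb", ".backup", ".backupdb", ".blend", ".bmp", ".cab",
    ".csv", ".dat", ".db", ".doc", ".docx", ".dot", ".gif", ".gz", ".ico",
    ".ini", ".jpeg", ".jpg", ".js", ".log", ".moneywell", ".mp3", ".mpg",
    ".php", ".pl", ".png", ".ppt", ".psd", ".py", ".rar", ".raw", ".tar",
    ".tif", ".txt", ".wallet", ".wav", ".xls", ".xlsx", ".xml", ".zip",
}
# File names the description says are dropped on the desktop (compared lowercase).
DROPPED_NOTES = {"greeting card.html", "decrypt.html"}
SUFFIX = "CR"  # appended to the original extension, e.g. .png -> .pngCR


def original_extension(name):
    """Return the pre-encryption extension if `name` looks renamed by this
    family (".<ext>CR" with <ext> in the targeted list), otherwise None."""
    if not name.endswith(SUFFIX):
        return None
    stem = name[:-len(SUFFIX)]          # "photo.jpgCR" -> "photo.jpg"
    ext = Path(stem).suffix.lower()     # -> ".jpg" (assumed case-insensitive)
    return ext if ext in TARGETED_EXTENSIONS else None


def scan_tree(root):
    """Walk `root`; return (renamed_files, note_files) as sorted lists of
    POSIX-style paths relative to `root`."""
    root = Path(root)
    renamed, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            rel = (Path(dirpath) / fn).relative_to(root).as_posix()
            if original_extension(fn):
                renamed.append(rel)
            if fn.lower() in DROPPED_NOTES:
                notes.append(rel)
    return sorted(renamed), sorted(notes)


def summarize(renamed):
    """Count renamed files by their original extension, e.g. {'.jpg': 2}."""
    counts = {}
    for rel in renamed:
        ext = original_extension(Path(rel).name)
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def build_sample_tree():
    """Constructed sample tree imitating a profile after the rename step."""
    root = Path(tempfile.mkdtemp(prefix="pryptorc_demo_"))
    files = [
        "Desktop/Greeting Card.html",    # decoy dropped at install time
        "Desktop/Decrypt.html",          # ransom note loaded after encryption
        "Desktop/photo.jpgCR",
        "Documents/report.docxCR",
        "Documents/budget.xlsxCR",
        "Documents/readme.txt",          # untouched file, must not be flagged
        "Documents/archive.tar.gzCR",    # compound extension: original is .gz
        "Pictures/holiday.JPGCR",        # upper-case original extension
        "bin/tool.exe",                  # .exe is not in the targeted list
    ]
    for f in files:
        p = root / f
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    renamed_files, note_files = scan_tree(sample_root)
    print("renamed files:", renamed_files)
    print("by original extension:", summarize(renamed_files))
    print("dropped notes:", note_files)
```

Point `scan_tree` at a user profile or a mounted image of one to get the same two lists; a non-empty renamed list combined with either note file is a stronger indicator than one alone, since a lone ".xxxCR" name can occur by coincidence.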
Last update 17 October 2014