Home / malware
First posted on 07 October 2017.
There are no other names known for Ransom:Win32/DefrayCrypt.A.
This threat injects its code into common process, including the following Adobe-related processes:
We have seen it spread from tech scam spam emails in an Office attachment. Payload
Encrypts your files
This ransomware searches for and encrypts files in all directories except for the following:
In all other folders, it encrypts files with the following extensions:
Unlike many other types of ransomware, after the files are encrypted this ransomware doesn't rename the newly encrypted file.
Instead, it uses the same name - although the binary is different and the file can not be opened.
For example, if file.png is encrypted by this ransomware, the file will still be called file.png.
The ransomware creates notes in every directory where it encrypts files. We have observed it drop these ransom notes with the following file names:
The note contains the following text: Don't panic, read this and contact some from IT department. Your computer has been infected with a virus known as ransomware. It instructs you to contact someone from your IT department.
Deletes backup copies of files
This malware deletes local backup copies. It may attempt to delete or corrupt other backup-related processes, including processes for the following:
Note: This list is not exhaustive and it may attempt to delete or corrupt other processes not listed here.
- Acronis TIB Mounter
- Comodo Backup
- Google Drive
- Macrium Reflect
Connects to a remote host
This malware communicates with a command and control (C2) server. We have seen it connect to URLs with the subdomain 000webhostapp.com, such as:
Analysis by Carmen Liang
Last update 07 October 2017