Ransom:Win32/Dereilock.A
First posted on 06 January 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Dereilock.A.
Explanation:
Installation
This threat drops the following copy of itself:
- %AppData%\roaming\microsoft\windows\start menu\programs\startup\logon.exe
It may download an updated copy of itself from the following URLs:
- hxxp://arizonacode.bplaced .net/HF/SystemLocker/UNLOCKKEYS/LOGON.exe
- hxxp://arizonacode.bplaced .net/HF/SystemLocker/unlock-everybody.txt
Payload
Encrypts files
This threat encrypts all files in the same folder where it is dropped and executed.
It adds the following file name extension for encrypted files:
- .deria
It displays any of the following messages:
Clicking the "OK" button brings up the ransom note, which contains instructions on how to pay the ransom via Skype:
It displays the following message if you try to terminate its process:
Terminates processes
This threat terminates processes with names that contain any of the following strings:
- Certmgr
- Control
- Cscript
- Procexp
- procexp32
- procexp64
- Utilman
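The following triage script is an added example, not part of the Microsoft entry; it checks a host for the three artifacts described above (the dropped copy in the Startup folder, a running process with that file name, and files carrying the .deria extension). It assumes the per-user Startup folder resolves to the path listed under Installation and takes the directory to sweep as a parameter; it is run from a PowerShell console rather than cscript.exe or Process Explorer, since both of those are on the termination list above.

```powershell
# Added triage example (not from the Microsoft entry): look for the persistence
# artifact, the encrypted-file extension and a running dropped copy described above.
# Assumption: -ScanRoot is the folder to sweep for .deria files.
param(
    [string]$ScanRoot = $env:USERPROFILE
)

$findings = @()

# 1. Dropped copy in the per-user Startup folder (logon.exe)
$startup = [Environment]::GetFolderPath('Startup')
$dropped = Join-Path $startup 'logon.exe'
if (Test-Path -LiteralPath $dropped) {
    # Record the hash so the file can be matched against vendor signatures later
    $hash = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{ Indicator = 'Startup copy'; Detail = "$dropped (SHA256 $hash)" }
}

# 2. Running process named logon (the dropped file name without its extension)
Get-Process -Name 'logon' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Indicator = 'Running process'; Detail = "PID $($_.Id) $($_.Path)" }
}

# 3. Files renamed with the .deria extension; encryption is folder-local, so the
#    parent folder of any hit points at where the sample was dropped and run.
$encrypted = Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Filter '*.deria' -ErrorAction SilentlyContinue
foreach ($dir in ($encrypted | Group-Object DirectoryName)) {
    $findings += [pscustomobject]@{ Indicator = 'Encrypted files'; Detail = "$($dir.Count) .deria file(s) in $($dir.Name)" }
}

if ($findings.Count -eq 0) {
    Write-Output "No Dereilock.A indicators found under $ScanRoot"
} else {
    $findings | Format-Table -AutoSize
}
```

A logon.exe in the Startup folder is an indicator to investigate, not proof of infection on its own; confirm with the file hash before acting on it.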
Analysis by Francis Tan Seng
Last update: 06 January 2017