Home / malware
First posted on 31 January 2018.
There are no other names known for Ransom:MSIL/Paggalangrypt.A!rsm.
This ransomware creates the following registry entry so that it automatically starts with your PC:
In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run Sets value: WindowsEnc With data:
It downloads a JPEG file, which it later uses as the ransom note, from the following location:
This ransomware searchers for files to encrypt in all folders except the following:
- Program Files
- Program Files (x86)
It encrypts files with the following extensions using AES encryption:
It also renames encrypted files by adding the extension .enc. For example:
- file.png is renamed to file.png.enc
- file.txt is renamed to file.txt.enc
It sets the following image as the desktop wallpaper to display ransom information.
Last update 31 January 2018