First posted on 31 January 2018.
Source: Microsoft

Aliases :

There are no other names known for Ransom:MSIL/Paggalangrypt.A!rsm.

Explanation :

This ransomware creates the following registry entry so that it automatically starts with your PC:

In subkey: HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: WindowsEnc
With data:

It downloads a JPEG file, which it later uses as the ransom note, from the following location:


File encryption

This ransomware searches for files to encrypt in all folders except the following:

  • Windows
  • Program Files
  • Program Files (x86)

It encrypts files with the following extensions using AES encryption:
  • .c
  • .jpg
  • .mp3
  • .mp4
  • .pdf
  • .png
  • .py
  • .txt

It also renames encrypted files by adding the extension .enc. For example:
  • file.png is renamed to file.png.enc
  • file.txt is renamed to file.txt.enc
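
The indicators above (the WindowsEnc Run value, the targeted extensions, the .enc rename and the skipped folders) can be combined into a host triage check. This is an added example, not part of the original write-up or Microsoft's code; the function names, the input format (a file listing and an autorun export passed as lists) and the sample data are assumptions made for illustration.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the description above.
TARGET_EXTS = {".c", ".jpg", ".mp3", ".mp4", ".pdf", ".png", ".py", ".txt"}
SKIPPED_DIRS = {"windows", "program files", "program files (x86)"}
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
RUN_VALUE = "windowsenc"  # registry value names are case-insensitive

def is_renamed_file(path):
    """True for <name>.<targeted ext>.enc outside the folders the sample skips."""
    p = PureWindowsPath(path)
    suffixes = [s.lower() for s in p.suffixes]
    if len(suffixes) < 2 or suffixes[-1] != ".enc" or suffixes[-2] not in TARGET_EXTS:
        return False
    # Assumption: a skipped folder name matches at any depth of the path.
    return not any(part.lower() in SKIPPED_DIRS for part in p.parts[:-1])

def has_run_entry(autoruns):
    """autoruns: iterable of (key path, value name, data) tuples."""
    return any(key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX)
               and name.lower() == RUN_VALUE
               for key, name, _data in autoruns)

def triage(paths, autoruns):
    """Summarise which indicators from the write-up are present in the inputs."""
    hits = [p for p in paths if is_renamed_file(p)]
    per_dir = Counter(str(PureWindowsPath(p).parent) for p in hits)
    return {"run_entry": has_run_entry(autoruns), "renamed": hits, "per_dir": dict(per_dir)}

# Constructed sample data (not from a real host).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.pdf.enc",   # targeted extension + .enc
    r"C:\Users\alice\Pictures\file.png.enc",      # targeted extension + .enc
    r"C:\Users\alice\src\main.C.ENC",             # same pattern, different case
    r"C:\Users\alice\Documents\backup.enc",       # no original extension
    r"C:\Users\alice\Documents\notes.docx.enc",   # .docx is not in the list
    r"C:\Program Files\App\readme.txt.enc",       # inside a skipped folder
]
SAMPLE_AUTORUNS = [
    (r"HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run",
     "WindowsEnc", "<data not given in the write-up>"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "ExampleUpdater", r"C:\Example\updater.exe"),  # hypothetical benign entry
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_AUTORUNS))
```

The .enc extension is also used by unrelated software, so renamed-file hits carry more weight when the Run value is present on the same host.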

Ransom note

It sets the following image as the desktop wallpaper to display ransom information.

Last update 31 January 2018