28/09/2015
11:29

Another new crypto-malware that encrypts your documents: Trojan.Win32.CryptoFF.A


A new variant of crypto-malware that encrypts all documents and asks for a ransom to unlock your files.
On September 25, 2015, a new variant of crypto-malware ransomware was discovered, classified as Trojan.Win32.CryptoFF.A.
Trojan.Win32.CryptoFF.A is ransomware that encrypts documents on all drives (local and remote) connected to the computer, demanding a ransom of 5 bitcoin to unlock the files.

The CRAM (Anti-Malware Research Center of TG Soft) team has analyzed this new variant of crypto-malware.

The analyzed file "4729.tmp" was found in the temporary folder of a computer hit by Trojan.Win32.CryptoFF.A.
We do not yet have any information on how this malware spreads.

File name: 4729.tmp
MD5: f437629253f2352550f924f8e4a40dd4
Size: 330240 bytes

When Trojan.Win32.CryptoFF.A runs, it creates a temporary file at %temp%\83sa9Pd.txt
and then immediately starts encrypting files.

For each target file it finds, it does the following:

1) opens the document
2) encrypts the document
3) renames the original file, appending the extension ".0x0" (e.g. mydocument.doc -> mydocument.doc.0x0)

In each folder it creates 2 files:
secret.key (size: 1368 bytes)
FUCKEDFILES.txt (size: 158 bytes)

The file "secret.key" contains a key in UUencode; once decoded, it yields a 1024-byte key.
The file "FUCKEDFILES.txt" contains the instructions for recovering the encrypted files:

email me if you want your files back:

file1@openmailbox.org

or

file1@inbox.lv

(add these emails to your whitelist
or check your junk/spam folder)

At this point, we sent a mail to the address above, asking the amount of the ransom.
They replied asking for a ransom of 5 bitcoins (about 1,000.00 euro), as we can see in their reply:

hi, you need to pay 5 bitcoins to get the files back. How to get
bitcoins?

1. Bitcoin ATMs www.coinatmradar.com

2. www.localbitcoins.com - easiest

3. google: buy bitcoins

From the mail received, we can guess there is an 8-hour difference, and that they are 8 hours ahead of us, so with a time zone of UTC+9 they are probably based in Russia (Siberia).

The Trojan.Win32.CryptoFF.A removes the volume shadow copies with this command:
cmd.exe /Q /C vssadmin.exe delete shadows /all /quiet
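Deleting shadow copies is one of the few actions in the sequence above that almost no legitimate software performs, so it is a good detection point. The following Python is an added example, not part of the CRAM analysis: it parses process-creation records in a constructed Sysmon Event ID 1 style (fields EventID, Image, CommandLine, ParentImage) and flags the command the analysis reports. The sample records are constructed for the example; the two extra rules for "wmic shadowcopy delete" and "wbadmin delete catalog" go beyond this page, which only observed the vssadmin command, and the "parent launched from %temp%" enrichment is a hint that mirrors where 4729.tmp was found, not a rule of the malware.

```python
"""Flag shadow-copy deletion in process-creation telemetry (added example)."""
import re

# The first rule is the command reported in the analysis above; the other two are
# common equivalents and go beyond what the page observed.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="value with spaces"

# Constructed records in a Sysmon Event ID 1 style (not real telemetry). The first two
# are the same action seen twice: the cmd.exe wrapper and the child vssadmin.exe.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /Q /C vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Users\victim\AppData\Local\Temp\4729.tmp',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin.exe list shadows" ParentImage=C:\Windows\System32\cmd.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe report.txt" ParentImage=C:\Windows\explorer.exe',
    r'EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5',
]


def parse_event(line: str) -> dict:
    """Split one record into a dict; quoted values keep their inner spaces."""
    fields = {}
    for key, val in FIELD.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def match_rules(cmdline: str) -> list:
    """Names of all rules whose pattern occurs anywhere in the command line,
    so a command wrapped in 'cmd.exe /Q /C ...' is caught as well."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan_process_events(lines: list) -> list:
    """Return one hit per process-creation record that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # only process-creation records carry a command line
            continue
        rules = match_rules(ev.get("CommandLine", ""))
        if not rules:
            continue
        parent = ev.get("ParentImage", "")
        hits.append({
            "rules": rules,
            "image": ev.get("Image", ""),
            "parent": parent,
            "parent_in_temp": bool(TEMP_DIR.search(parent)),  # enrichment, not a rule
            "cmdline": ev.get("CommandLine", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(hit)
```

Because the malware wraps the command in cmd.exe /Q /C, the same action produces two process-creation records; matching on the substring rather than on the image name catches both, and the parent-in-%temp% flag on the first record is the kind of context that separates a dropper from an administrator typing the same command.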

It uses the low-level cryptographic primitives of the open-source CRYPTOGAMS library by <appro@openssl.org>.

The Trojan.Win32.CryptoFF.A encrypts the first 16 bytes of files with the following extensions:

.3dm .3ds .3fr .3g2 .3gp .3pr .7z .ab4 .ac2 .accdb .accde .accdr .accdt .ach .acr .adb .agd1 .ai .ait .al .apj .apk .arw .asf .asm .asp .asset .asx .avi .awg .back .backup .backupdb .bak .bar .bay .bc6 .bc7 .bdb .bgt .big .bik .bkf .bkp .blend .blob .bpw .bsa .c .cas .cdf .cdr .cdr3 .cdr4 .cdr5 .cdr6 .cdrw .cdx .ce1 .ce2 .cer .cfp
.cfr .cgm .cib .cls .cmt .cpi .cpp .cr2 .craw .crt .crw .cs .csh .csl .css .csv .d3dbsp .dac .das .db .db0 .db3 .dba .dbf .dc2 .dcr .dcs .ddrw .dds  .der .des .desc .design .dgc .djvu .dmp .dng .doc .docm .docx .dot .dotm .dotx .drf .drw .dtd .dwg .dxb .dxf .dxg .eml .epk .eps .erbsql .erf .esm  .exf .fdb .fbk .ffd .fff .fh .fhd .fla .flac .flv .forge .fos .fpk .fpx .fsh .fxg .gdb .gho .gray .grey .gry .h .hbk .hkdb .hkx .hplg .hpp .hvpl  .ibank .ibd .ibz .icxs .idx .inc .incpas .itdb .itl .itm .iwd .iwi .java .jpe .jpeg .jpg .js .kc2 .kdb .kdbx .kdc .key .keystore .kf .kpdx  .layout .lbf .litemod .lrf .ltx .lua .lvl .m .m2 .m3u .m4a .m4v .map .max .mcmeta .mdb .mdbackup .mdc .mddata .mdf .mef .menu .mfw .mlx .mmw .moneywell  .mos .mov .mp3 .mp4 .mpg .mpqge .mrw .mrwref .msg .myd .ncf .nd .ndd .nef .nk2 .nop .nrw .ns2 .ns3 .ns4 .nsd .nsf .nsg .nsh .ntl .nwb .nx1 .nx2 .nyf  .oab .obj .odb .odc .odf .odg .odm .odp .ods .odt .orf .ost .otg .oth .otp .ots .ott .p12 .p7b .p7c .pab .pak .pas .pat .pcd .pct .pdb .pdd .pdf .pef  .pem .pfx .php .pkpass .pl .png .pot .potm .potx .ppam .pps .ppsm .ppsx .ppt .pptm .pptx .prf .ps .psafe3 .psd .psk .pst .ptx .py .qba .qbb .qbm .qbr  .qbw .qbx .qby .qdf .qic .r3d .ra2 .raf .rar .raw .rb .rdb .re4 .rgss3a .rim .rm .rofl .rtf .rw2 .rwl .rwz .s3db .sav .sb .sd0 .sd1 .sda .sdf .sid  .sidd .sidn .sie .sis .sldm .sldx .slm .snx .sql .sqlite .sqlite3 .sqlitedb .sr2 .srf .srt .srw .st4 .st5 .st6 .st7 .st8 .stc .std .sti .stw .stx  .sum .svg .swf .sxc .sxd .sxg .sxi .sxm .sxw .t12 .t13 .tax .tex .tga .tib .tlg .txt .upk .vcf .vdf .vfs0 .vob .vpk .vpp_pc .vtf .w3x .wallet .wav  .wbcat .wma .wmo .wmv .wpd .wps .x3f .xf .xla .xlam .xlk .xll .xlm .xlr .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .ycbcra .yuv .zip .ztmp  .wim .swm .ctb .113 .73b .a3d .abf .abk .prproj .bck .aep .as4 .asvx .ate .iso .gif .html .htm .shtm .shtml .con .bin .mpq .cab .NetCDF .DTAUS  .DICOM .CCD .QBO .QFX .QIF .emlx .EDI .DTA .data .epub .spf .SDXF .XMI .dwfx 
.dgb .dc3 .wbb .win .trn .bcm .bb .bakx .ati .keystore .MPEG-2 .pub  .WIF .SUB .IMG .MDS .GPX .IFF .MPEG-4 .DivX .MPEG-1 .mpg .vob .fb2 .pdb .mobi .azw .azw4 .qt .ldf .sldprt .cpt .m2v .mkv .sbs .dat .dt .nbd .sldasm  .rx2 .pz3 .tbl .tis .sna .sn1 .gbk .iv2i .m3d .fbf .fbw .fbx .cf .bac .xlsk .pwm .wab .1cd .wdb .jar .tar .b1 .chm .chi .chq .chw .hxs .hxi .hxr .qvw  .sln .suo .lic .rpt .gros .model .ark .hxq .hxw .lit .xar .z .dmg .cb7 .cbr .cbt
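Two details above are worth checking on an affected machine rather than taking on trust: the "secret.key" encoding and the claim that only the first 16 bytes of each file are encrypted. The following Python is an added example, not CRAM's or TG Soft's code. It builds a constructed sample folder (a real minimal zip standing in for a .docx, its first 16 bytes overwritten as the analysis describes, a secret.key and a FUCKEDFILES.txt), then triages it: it finds ".0x0" files and the two dropped files, checks file hashes against the MD5 of 4729.tmp, decodes secret.key and looks past offset 16 for format trailers that should survive if only the prefix was encrypted. The key decoder rests on one assumption: ceil(1024/3)*4 = 1368, which is exactly the reported size of secret.key, so the example treats the file as the bare uuencode alphabet (4 characters per 3 bytes) with no begin/end lines and no per-line length characters; a standard line-oriented uuencode file would decode with uudecode or Python's binascii.a2b_uu instead. The dropper's own cipher is not reimplemented.

```python
"""Triage the on-disk artefacts of CryptoFF.A described above (added example)."""
import hashlib
import os
import tempfile
import zipfile

DROPPER_MD5 = "f437629253f2352550f924f8e4a40dd4"  # MD5 of 4729.tmp from the analysis
ENCRYPTED_EXT = ".0x0"
NOTE_NAME = "FUCKEDFILES.txt"
KEY_NAME = "secret.key"
ENCRYPTED_PREFIX = 16  # the analysis reports only the first 16 bytes are encrypted
# Structural markers that sit past offset 16 in common formats; if one survives,
# the body was untouched and format-specific repair may be worth attempting.
TRAILERS = {b"PK\x05\x06": "zip (docx/xlsx/pptx/odt)", b"%%EOF": "pdf"}


def uu_alphabet_decode(body: bytes) -> bytes:
    """Decode a bare uuencode body: 4 chars in ' '..'`' per 3 bytes, no begin/end
    lines, no per-line length char (assumption: 1368 chars == ceil(1024/3)*4).
    Without a length char the last group may carry up to 2 padding bytes."""
    chars = bytes(c for c in body if 32 <= c <= 96)  # ignore stray newlines
    out = bytearray()
    for i in range(0, len(chars), 4):
        n = 0
        for c in chars[i:i + 4].ljust(4, b"`"):
            n = (n << 6) | ((c - 32) & 0x3F)
        out += bytes(((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF))
    return bytes(out)


def uu_alphabet_encode(raw: bytes) -> bytes:
    """Inverse of uu_alphabet_decode; used only to build the constructed sample."""
    out = bytearray()
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3].ljust(3, b"\0")
        n = (chunk[0] << 16) | (chunk[1] << 8) | chunk[2]
        for shift in (18, 12, 6, 0):
            v = (n >> shift) & 0x3F
            out.append(96 if v == 0 else 32 + v)  # uuencode writes 0 as '`', not space
    return bytes(out)


def intact_structures(path: str) -> list:
    """Names of format trailers still present beyond the 16-byte encrypted prefix."""
    with open(path, "rb") as f:
        tail = f.read()[ENCRYPTED_PREFIX:]
    return [name for sig, name in TRAILERS.items() if sig in tail]


def triage(root: str) -> dict:
    """Walk a tree and collect the indicators named in the analysis."""
    found = {"encrypted": [], "notes": [], "keys": {}, "dropper": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
            elif name == NOTE_NAME:
                found["notes"].append(path)
            elif name == KEY_NAME:
                with open(path, "rb") as f:
                    found["keys"][path] = len(uu_alphabet_decode(f.read()))
            else:
                with open(path, "rb") as f:
                    if hashlib.md5(f.read()).hexdigest() == DROPPER_MD5:
                        found["dropper"].append(path)
    return found


def build_sample(root: str) -> bytes:
    """Constructed folder mimicking the effects described above; returns the raw key."""
    doc = os.path.join(root, "mydocument.docx" + ENCRYPTED_EXT)
    with zipfile.ZipFile(doc, "w") as z:  # a minimal real zip, as a .docx is
        z.writestr("word/document.xml", "<w:document/>")
    with open(doc, "r+b") as f:  # overwrite only the first 16 bytes
        f.write(os.urandom(ENCRYPTED_PREFIX))
    key = os.urandom(1024)
    with open(os.path.join(root, KEY_NAME), "wb") as f:
        f.write(uu_alphabet_encode(key))
    with open(os.path.join(root, NOTE_NAME), "w") as f:
        f.write("email me if you want your files back:\n")
    return key


def run_demo() -> dict:
    """Build the constructed sample in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        key = build_sample(tmp)
        found = triage(tmp)
        with open(os.path.join(tmp, KEY_NAME), "rb") as f:
            decoded = uu_alphabet_decode(f.read())
        return {
            "found": found,
            "key_roundtrip": decoded[:1024] == key,
            "encoded_len": len(uu_alphabet_encode(key)),
            "intact": {p: intact_structures(p) for p in found["encrypted"]},
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

On a real system, point triage() at the affected drives; a non-empty "intact" list for a ".0x0" file means the structure past offset 16 survived, which is the precondition for any partial recovery of that format, while an empty list means more than the prefix was damaged or the format has no trailer this check knows about.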


Removal:
Vir.IT eXplorer version 8.0.13 and later.


Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft

Any information published on our site may be used and republished on other websites, blogs, forums, Facebook and/or in any other form, both on paper and electronically, provided that the source is always explicitly cited as “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and/or web page from which the text, ideas and/or images were taken.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgement would be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft, of which we point out the direct link to the original information: [direct clickable link]”
