07/02/2017
09:31

Trojan Renamer: a new family of ransomware that encrypts the name of file in unCrypte@INDIA.COM and asks a ransom.


The Trojan Renamer is a new ransomware that instead of encrypt the file, it encrypts the name with the algorithm AES, making each programs inaccessible.



TG Soft' s C.R.A.M. has identified a new family of ransomware on 1st Febraury that encrypts the name of files and not the contents.

The malware is classified as "Trojan.Win32.Renamer.A", because it renames each file, making inaccessible each programs and asks a ransom.

It's possible to recover the file with the original names without pay the ransom with the free tool Ninjavir of VirIT eXplorer.
 

INDEX

==> Trojan.Win32.Renamer how it manifests...
 
==> The ransom demanded by Trojan.Win32.Renamer

==> How recover the files renamed by Trojan.Win32.Renamer

==> How to protect yourself from CryptoMalware

==> What to do to mitigate the damage from CryptoMalware


==>
Final thoughts



Trojan.Win32.Renamer how it manifests...

The infection vector used by Trojan.Win32.Renamer is the attack at remote desktop (RDP) through the "Guest" user or other users with weak password.
When the delinquent is capable to enter in the victim's computer, he runs the paylod with the Trojan.Win32.Renamer.
In the case analysed on 1st February, the Trojan.Win32.Renamer was saved in the file:
  • File Name: smsss.exe
  • Size: 10.752 byte
  • MD5: D9943F2BE5FB3966F019A66C79CC1D81
  • Date of compilation: 01/02/2017 13.26.48

The first operation made by Trojan.Win32.Renamer is create a file called "Readme.txt" on desktop:

YOUR PERSONAL ID: 38392E39362E35352E3234353A33333939405345525645522D323031325C67756573743B
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail unCrypte@INDIA.COM
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 10Mb.
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

For each drive the Trojan.Win32.Renamer encrypts the filename and not the contents.
The following directories are excluded from the encryption of file name:
  • Windows
  • $Recycle.Bin
  • Config.Msi
  • MSOCache
  • System Volume Information
  • Recovery
In each folder it creates the file "ReadMe.txt".

The following files are not renamed:
  • Readme.txt
  • bootmgr
  • BOOTNXT
  • pagefile.sys
  • swapfile.sys
  • hiberfil.sys
  • loadmgr
Each file is renamed adding a initial prefix "unCrypte@INDIA.COM_" followed from the original file name encrypted with the algorithm AES 256:

unCrypte@INDIA.COM_FADD7F772EC4A6601466E441136E13ED
unCrypte@INDIA.COM_5447E3C55CE4844C94C9500F381335AA

The structure of renamed file is:
unCrypte@INDIA.COM_<aes256 of original filename>

The contents of file remains invariant, but the rename make each programs inaccessible.

 
Back to top

The ransom demanded by Trojan.Win32.Renamer

For know the ransom demanded is need to write an email to: unCrypte@INDIA.COM

This is been the request:
 
 


The author of Trojan.Win32.Renamer asks a ransom of 0,5 BTC, but we advice of don't pay the ransom, because is available a free tool for recover the file with thier original names.


Back to top

How recover the files renamed by Trojan.Win32.Renamer

For recover the files renamed by Trojan.Win32.Renamer without pay the ransom, it is possible use the free version of VirIT eXplorer Lite or the version PRO of VirIT eXplorer.
The tool Ninjavir updated for recover the files encrypted by Trojan.Win32.Renamer is available from the version 8.3.59 of VirIT eXplorer.
It is need upgrade VirIT eXplorer at version 8.3.59 and in the request case reboot your computer.
The free version of VirIT eXplorer Lite is download from: http://www.tgsoft.it/english/download_eng.asp

For recover the files run the tool Ninjavir of VirIT:
  • from Lite run the file: C:\VEXPLite\gui.bat
  • from PRO run the file: c:\viritexp\gui.bat
After some seconds it will show the window of Ninjavir, please select the menu Decoder->Decrypt Renamer:



Will show the dialog box:




The current version of tool will decrypt the files with prefix: unCrypte@INDIA.COM_
Please select the desired directory through the button "Browse source" for decrypt the files renamed by Trojan.Win32.Ransom.

We advice of try the decrypt on test folder and after proceed on all disk.
In the case of a new version of Trojan.Win32.Renamer please contact TG Soft at address email:
  • version PRO: assistenza @ viritpro.com
  • version LITE: lite @ virit.com
Back to top
 

How to protect yourself from CryptoMalware

Tecnologie euristico-comportamentali AntiRansomware protezione Crypto-Malware. integrate in Vir.IT eXporer PRO
Vir.IT eXplorer Pro is already able to block the crypto-Malware on early stage.

As already reported, the Vir.IT eXplorer Pro's Anti-CryptoMalware technology when properly installed, configured, updated and used, has held up very well to these attacks managing to save the encryption up to 99.63% of the files and allowing the recovery of encrypted files in the initial phase of the attack up to 100% thanks to the integrated BackUp technologies.



 
Back to top

What to do to mitigate the damage from CryptoMalware

When the Alert screen on the side appears means that the Vir.IT eXplorer Pro's Anti-CryptoMalware integrated protection is acting and so, avoiding getting caught by the "panic" NOT close the window and perform the steps that are indicated:

  1. Make sure that Vir.IT eXplorer Pro is UP-TO-DATE;
  2. UNPLUG ETHERNET and/or EVERY NETWORK CABLE- by doing this, the computer will be phisically isolated from the network, thus containing the attack inside just one machine.
  3. PERFORM FULL SCAN using Vir.IT eXplorer Pro.
  4. DO NOT REBOOT OR TURN OFF THE COMPUTER in order to avoid further encryption, as stated before.
In case of cryptomalware attack you should get in touch with Vir.IT eXplorer PRO's Tech Support as soon as possible. You can write an email to assistenza@viritpro.com, or call +39 049 631748 - +39 049 632750, Mon-Fri 8:30-12:30 and 14:30-18:30.
Videata protezione Anti-CryptoMalware integrata in Vir.IT eXporer PRO
Clicca per ingrandire l'immagine
 
99,63%

Average percentage Expectation of protected files from encryption thanks to Vir.IT eXplore PRO's Anti-CryptoMalware protection 
Check the information



Back to top


Final thoughts:

If you opened an infected attachment and has been started the encryption, you could:
  1. you have Vir.IT eXplorer Pro installed, correctly set up, up-to-date and running on your pc - in this case, you must follow the instructions on the Alert message and you will manage to save AT LEAST 99.63% of your data;

  2. you have a AntiVirus software that DOESN'T DETECT, signal and halt the ongoing encryption - in this case you still could do

    • UNPLUG EVERY NETWORK CABLE

    • LEAVE YOUR COMPUTER TURNED OFF - every time the computer is rebooted and the malware is still active, a new encryption key will be used and the amount of money demanded as ransom will increase (note that paying the ransom does not guarantee the decryption and is therefore highlynot recommended)

Either way, remain calm and do not panic.




TG Soft - C.R.A.M.
Anti-Malware Research Center

Back to top



Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: