April 16, 2018
The new encryption Trojan was dubbed Trojan.Encoder.25129. The preventive protection of Dr.Web Anti-virus automatically detects it as DPH:Trojan.Encoder.9. Once launched, the Trojan checks the user’s location based on the infected device’s IP address. Cybercriminals designed the malicious program so that it does not encrypt files if the device is located in Russia, Belarus and Kazakhstan, or if the Russian language and Russian regional parameters are set in the system preferences. However, the encoder encrypts all files regardless of the IP address’s geographical location due to the code error.
Trojan.Encoder.25129 encrypts the content of the current user’s folders, Windows Desktop, the AppData and LocalAppData system folders. The encryption is processed using the AES-256-CBC algorithms. The encrypted files are appended the extension “.tron”. Files that exceed 30,000,000 bytes (about 28.6 MB) are not encrypted. Once the encryption is over, the %ProgramData%\\trig file is created and the “123” value is written into it (if this file already exists, the encryption is not performed). The Trojan then sends a request to the iplogger website. The website address is hardcoded into the program’s body. The malicious program then displays a window with ransom demands.
The size of the ransom that cybercriminals demand differs from 0.007305 to 0.04 Btc. Once the HOW TO BUY BITCOIN button is clicked, the Trojan displays a window with instructions on how to buy the Bitcoin cryptocurrency:
In spite of cybercriminals’ claims that victims can restore the encrypted files, it is impossible in most cases due to the code error.
The encoder does not pose any threat to Dr.Web users. The preventive protection of our anti-virus products successfully detects and removes the Trojan. At the same time, Doctor Web specialists encourage users to make timely backups of their most valuable data.
Use Data Loss Prevention to protect your files from encryption ransomware
Configure protection from encryption ransomware | Video about configuration | What to do if... | Free decryption | Category “Encrypt everything” |
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments