Analysis by: Nikko Tamana

 ALIASES:

Trojan-Ransom.Win32.Crypren.adyo (Kaspersky), Ransom:Win32/Genasom (Microsoft), a variant of Win32/Filecoder.Gibon.A trojan (NOD32), W32/Crypren.ADYO!tr (Fortinet)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is capable of encrypting files in the affected system.

It drops files as ransom note.

  TECHNICAL DETAILS

File Size: 535040 bytes
Initial Samples Received Date: 02 Nov 2017

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Ransomware connects to the following possibly malicious URL:

  • http://makar.melk{BLOCKED}mple.com

It is capable of encrypting files in the affected system.

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

  • .encrypt

It drops the following file(s) as ransom note:

  • {folder path of encrypted files}\READ_ME_NOW.txt