|Short Description||This ransomware type belongs to crypto locker ransomware. This encrypts the files and then demands the ransom from the victim. This infects all the version of windows.|
|Symptoms||The wallpaper will be changed, some files become inaccessible.|
|Distribution Method||Infected email messages, exploit kits, fake software updates.|
This ransomware was basically known as Scraper ransomware this was basically found more in japan. The number of victims that got affected by this ransomware are from japan. This remands the ransom payment of minimum 300$ inorder to decrypt the encrypted files.
This is written in assemble that uses the Tor network to contact the C&C server and proxy server Polipo. There are two version in this one is in English that is the version 1.0 and the other one is in Japanese that is the version 2.0. In the first version the daditonal modules required are extracted within the data section whereas in the second they are downloaded from the internet. But the file encryption algorithm are same in both the ransomware versions.
Once this is launched In the victim device it starts to decrypt with the 256-AES key. The first 4 of this key bytes are used as the sample ID that are added to the end of the encrypted files. Then it is copied to a temporary file that is created in the user section of the victim’s device.
Next it starts to create several threads to carry out the following operations.
It terminates the task manager process, delete all the system recovery options, changes the registry setting so that it can boot by itself whenever the system is restarted. Themn it starts to encrypt the files on the victim device, some of the targeted extension by this ransomware are as given below.
Once these are done a Bmp image is saved and then it is placed as a desktop wallpaper.
Then it downloads the tor.exe file and poipo.exe in order to communicate with the servers.