Because this ransomware relies on social engineering, disguising both its file name and its file property values, general users need to be careful not to be tricked by this technique. Once a PC is infected, the ransomware pressures the user into paying money. The most important thing is to prevent infection in the first place.
2. Spreading path and symptoms of infection
Ransomware can be spread by download from relatively vulnerable web sites that have been tampered with. Besides e-mail attachments, instant messenger and links on SNS can also be routes of infection.
One of its most notable features is that it is disguised with the file name and icon of Flash Player.
General users may execute this malicious file because of its icon and file name. Once executed, the following screen is shown on the infected PC.
To use the PC normally, a certain key must be entered. To obtain the key, this page induces the user to send a certain amount of money. After infection, only the input field for entering the code remains active. The following process describes the malicious behavior performed when this malicious file is executed.
We found that an additional malicious file is created and a certain process (explorer.exe) is killed; we can also see the information registered in the registry.
The additionally generated "swap32.exe" is a clone of "flashplayer.exe", and it is run together with Explorer.exe based on these registry values.
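The behaviors described above (a disguised flashplayer.exe, a dropped clone swap32.exe, explorer.exe killed, and a registry value that starts the clone with the shell) can be turned into host-based detection logic. The example below is added here and is not code from INCA Internet or from the original analysis. It runs over constructed event records, not real telemetry; the event field names, the user-writable directories, and the registry locations it checks (Winlogon\Shell and the Run key) are assumptions, since the analysis only says "registry values".

```python
"""Hypothetical host-event triage for the behaviour described in the analysis.

Constructed event records (not real EDR telemetry) model a process creation,
a file creation, a process termination and a registry write in the order the
analysis describes. The field names are assumptions, not a real EDR schema.
"""
import ntpath
from dataclasses import dataclass

# Names taken from the analysis: the disguised dropper and its clone.
DISGUISED_NAMES = {"flashplayer.exe"}
DROPPED_NAMES = {"swap32.exe"}
KILLED_SHELL = "explorer.exe"
# Assumption: a real Flash Player installer is not normally launched from
# these user-writable locations, so a flashplayer.exe started there is odd.
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
# Assumption: registry locations that control what runs with the shell.
SHELL_REGISTRY_HINTS = ("\\winlogon\\shell", "\\currentversion\\run")


@dataclass
class Event:
    kind: str          # "proc_create" | "file_create" | "proc_kill" | "reg_set"
    actor: str         # image path of the process performing the action
    target: str = ""   # created file, killed process image, or registry path
    value: str = ""    # registry data, for reg_set events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def triage(events):
    """Return the sorted list of indicator names observed in the event stream."""
    found = set()
    malware_names = DISGUISED_NAMES | DROPPED_NAMES
    for ev in events:
        actor = basename(ev.actor)
        if ev.kind == "proc_create":
            # Disguised-name check: flashplayer.exe started from a user-writable path.
            if actor in DISGUISED_NAMES and any(
                d in ev.actor.lower() for d in USER_WRITABLE_DIRS
            ):
                found.add("disguised-name")
        elif ev.kind == "file_create":
            # The dropper (or its clone) writing swap32.exe to disk.
            if basename(ev.target) in DROPPED_NAMES and actor in malware_names:
                found.add("drops-clone")
        elif ev.kind == "proc_kill":
            # The shell being terminated by the dropper or its clone.
            if basename(ev.target) == KILLED_SHELL and actor in malware_names:
                found.add("kills-shell")
        elif ev.kind == "reg_set":
            # A shell-related registry value that references the clone or dropper.
            path, data = ev.target.lower(), ev.value.lower()
            if any(h in path for h in SHELL_REGISTRY_HINTS) and any(
                n in data for n in malware_names
            ):
                found.add("shell-persistence")
    return sorted(found)


def is_suspicious(events) -> bool:
    """Two or more of the indicators together are treated as a match."""
    return len(triage(events)) >= 2


# Constructed event sequence mirroring the analysis (not captured telemetry).
INFECTED_EVENTS = [
    Event("proc_create", r"C:\Users\user\Downloads\flashplayer.exe"),
    Event("file_create", r"C:\Users\user\Downloads\flashplayer.exe",
          r"C:\Windows\swap32.exe"),
    Event("proc_kill", r"C:\Windows\swap32.exe", r"C:\Windows\explorer.exe"),
    Event("reg_set", r"C:\Windows\swap32.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          r"explorer.exe,C:\Windows\swap32.exe"),
]

# Constructed benign activity: the shell writing a document and an installer
# registering an updater under the Run key.
BENIGN_EVENTS = [
    Event("proc_create", r"C:\Windows\explorer.exe"),
    Event("file_create", r"C:\Windows\explorer.exe",
          r"C:\Users\user\Documents\notes.txt"),
    Event("reg_set", r"C:\Windows\System32\msiexec.exe",
          r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
          r"C:\Program Files\Vendor\updater.exe"),
]

if __name__ == "__main__":
    print("infected:", triage(INFECTED_EVENTS), is_suspicious(INFECTED_EVENTS))
    print("benign:", triage(BENIGN_EVENTS), is_suspicious(BENIGN_EVENTS))
```

The rules are deliberately tied to the combination of behaviors rather than to a single file name, because a renamed dropper would defeat a name-only check while a clone that still kills the shell and registers itself to start with it would remain visible.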
This ransomware contains a valid code that it compares against the value entered by the user.
The valid code can be found by tracing as follows.
* Valid code for unlock
3. How to prevent
To keep your PC safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions in nProtect Anti-Virus/Spyware to detect malicious files such as the one described above, and operates a response system against various security threats.