
AndreaGalli Ransomware

Posted: July 20, 2018

The AndreaGalli Ransomware is a file-locking Trojan that keeps your files from opening by encrypting them and creates messages demanding money for a decryption solution. This threat is especially likely to distract its victims with fake Java errors, which may appear during installation or while encryption is in progress. Maintaining appropriate backups keeps your local data safe from file-locking Trojans of all types, and conventional anti-malware applications can delete the AndreaGalli Ransomware safely.

Your Java Update isn't What You Think

A new threat actor, Andrea Galli, is developing a file-locking Trojan that uses fake updates both in its distribution and in its final payload. Malware analysts tentatively identify the AndreaGalli Ransomware as a brand-new threat, although some of its internal file details associate it with 2013's CryptoLocker, and other PC security organizations speculate about a relationship with the well-known Hidden Tear. Its family history aside, the AndreaGalli Ransomware is a direct danger to any files without backups, such as documents, on the PCs it infects.

The AndreaGalli Ransomware's small Windows executable circulates under filenames that identify it as a supposed update for the Java Runtime Environment, a software package used by games, social networking applications and other programs. The file is larger than the average file-locker Trojan, such as Hidden Tear's typical one hundred kilobytes, but still under a megabyte and, therefore, quickly downloadable. Malvertising, or compromised Web advertising, is a particularly critical infection vector for threats disguised as updates for a widely-used product like Java.

Galli continues the tactic inside the Trojan's payload, which generates a Windows message box. The pop-up imitates an error message about the Windows Registry keys for Java and is likely meant to distract the victim while the Trojan attacks local media. The file-locking that follows uses an encryption method that malware experts can't identify from the available samples, and it could block content such as documents (DOC, PDF, TXT), spreadsheets (XLS), pictures (JPG, BMP, GIF) and others. The AndreaGalli Ransomware appends the generic '.locked' extension as a visible indicator in the filenames.
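The appended '.locked' extension is the one observable artifact described above, and a defender can turn it into a simple behavioral detection: a burst of renames in which a file's new name is exactly its old name plus '.locked'. The script below is an added example written for this article, not code from the page or from the Trojan itself. The rename events it parses are constructed sample data in an assumed "timestamp|old_path|new_path" format, and the alert threshold (five locking renames within sixty seconds) is an assumed tuning value, not a figure from the original analysis.

```python
"""Flag an AndreaGalli-style mass rename to '<original name>.locked'.

Added example for this article; the event format, threshold and window
are assumptions, and SAMPLE_EVENTS is constructed data, not real telemetry.
"""
from datetime import datetime, timedelta

LOCKED_SUFFIX = ".locked"

# Constructed rename events: "timestamp|old_path|new_path" (assumed format).
# Six '.locked' renames within seconds, one benign rename, one isolated hit.
SAMPLE_EVENTS = r"""
2018-07-20T09:00:01|C:\Users\alice\Documents\budget.xls|C:\Users\alice\Documents\budget.xls.locked
2018-07-20T09:00:02|C:\Users\alice\Documents\report.doc|C:\Users\alice\Documents\report.doc.locked
2018-07-20T09:00:02|C:\Users\alice\Documents\notes.txt|C:\Users\alice\Documents\notes.txt.locked
2018-07-20T09:00:03|C:\Users\alice\Pictures\cat.jpg|C:\Users\alice\Pictures\cat.jpg.locked
2018-07-20T09:00:05|C:\Users\alice\Pictures\dog.bmp|C:\Users\alice\Pictures\dog.bmp.locked
2018-07-20T09:00:07|C:\Users\alice\Documents\invoice.pdf|C:\Users\alice\Documents\invoice.pdf.locked
2018-07-20T09:30:00|C:\Users\alice\Documents\draft.doc|C:\Users\alice\Documents\draft_final.doc
2018-07-20T10:15:00|C:\Users\alice\Desktop\old.txt|C:\Users\alice\Desktop\old.txt.locked
"""


def parse_events(text):
    """Parse 'timestamp|old|new' lines into (datetime, old_path, new_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, old, new = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), old, new))
    return events


def is_locking_rename(old, new):
    """True only when new_path is old_path with '.locked' appended.

    A rename that merely ends in '.locked' but changes the base name
    (e.g. 'a.txt' -> 'b.locked') is not the pattern described for this Trojan.
    """
    if not new.lower().endswith(LOCKED_SUFFIX):
        return False
    return new[:-len(LOCKED_SUFFIX)] == old


def detect_mass_locking(events, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per burst of >= threshold locking renames inside window.

    Uses a sliding window over the time-sorted locking renames; bursts that
    never reach the threshold (a single stray '.locked' rename) produce nothing.
    """
    hits = sorted((ts, old) for ts, old, new in events if is_locking_rename(old, new))
    alerts = []
    i = 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            alerts.append({
                "first_seen": hits[i][0],
                "count": count,
                "files": [path for _, path in hits[i:j + 1]],
            })
            i = j + 1  # do not re-report the same burst
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_locking(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['first_seen'].isoformat()}: {alert['count']} files renamed to .locked")
        for path in alert["files"]:
            print("  ", path)
```

On the constructed sample this reports a single burst of six renames starting at 09:00:01 and stays silent on the benign rename and the lone 10:15 hit. In a real deployment the events would come from file-system auditing or an EDR rename feed, and the threshold should be set above whatever legitimate batch renames occur in the environment.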

Sorting Out the Good Java from the Bad

Defenses that malware experts recommend against fake software updates include disabling risky Web content such as JavaScript and pop-ups, automatically blocking domains associated with illicit activity like the drive-by downloads of exploit kits, and keeping your Web browser up-to-date. Although this threat's development is unfinished, file-locker Trojans take experienced programmers minimal time to complete, since public resources for them are available from numerous sources (see also: Hidden Tear, Vortex Ransomware, et al.).

Users who need Java updates should get them from the official website (java.com), as they should with any other update package whose brand name threat actors could hijack for harmful purposes. In general, file-locking Trojans also depend on the absence of remote backups, and keeping copies of your files on other devices defeats both encryption and deletion-based attacks against your PC. Anti-malware products are just beginning to detect and delete the AndreaGalli Ransomware accurately, and malware experts expect the industry's detection rates to rise over the coming weeks.

PC users depend on products like Flash, Java, and JavaScript for many of the basics of both work productivity and entertainment. They should always remember that criminals know that equally well, and a Trojan like the AndreaGalli Ransomware can subvert that familiarity to drastic effect.
