AutoEncryptor Ransomware

Posted: April 17, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	14

First Seen:	April 17, 2017
Last Seen:	August 17, 2022
OS(es) Affected:	Windows

The AutoEncryptor Ransomware is a Trojan that uses encryption to lock your files from opening and sells the key to unlocking them for Bitcoins. For most users, backups can offer a high degree of safety from the attacks occurring after infection by a file-encoding threat like this Trojan. In other cases, you should strive to use good anti-malware protection that blocks and removes the AutoEncryptor Ransomware during any of its installation exploits, such as compromised e-mail attachments.

New Trojans with Familiar-Looking Ransoms

Ransom-based Trojan campaigns may gain some value from being recognizable to the people whose files they're holding hostage individually, but brand recognition often balances against the need for efficient development. One team of threat actors is taking the fast and easy approach to ransoming files by using a preexisting template that malware experts see accompanying the WinSec Ransomware attacks. The new Trojan, the AutoEncryptor Ransomware, drops translated versions of the WinSec Ransomware's messages to make them more suitable against English-speaking targets.

Like that past Trojan and other Trojans built from the open-source basis of Hidden Tear, the AutoEncryptor Ransomware uses an AES algorithm as a primary encryption method for locking all the files on your computer. The AutoEncryptor Ransomware also uses a second, RSA algorithm to protect this process from any third-party decryption efforts and uploads the decryption key to a Command & Control server. Other side effects of the AutoEncryptor Ransomware infections that malware experts are corroborating include:

The AutoEncryptor Ransomware adds its personal extension to every locked file The AutoEncryptor Ransomware inserts the '.enc' extension after any original one instead of replacing it (for example, 'document.doc.enc') and doesn't overwrite the rest of the filename.
The most visible symptom of the AutoEncryptor Ransomware is its advanced HTML pop-up that delivers its extortion demands for the decryption key. Currently, the authors are using a built-in, multiple-step interface to ask for 10000 in Bitcoins, which most likely is a placeholder amount. The note's use of English is significant since past variants used more regionally specific languages, such as Portuguese.
Victims also should expect the AutoEncryptor Ransomware to delete any local backups automatically, such as the Windows Shadow Copies.

Decoding the Cheap Solution to Auto-Extorting Threats

In the unlikely event that they're legitimate, the AutoEncryptor Ransomware's current ransoming demands would make it, by far, the most expensive and presumptive file-encrypting threat on the threat marketplace. Possible victims could expect infections from such well-used exploits as e-mail attachments with Trojan downloaders embedded into document macros, website-hosted variants of the RIG Exploit Kit, or even brute-force attacks that compromise your local network's passwords directly. Disabling macros, using security tools to scan unusual downloads, turning browser scripts off by default and using strong-rated passwords can reduce or eliminate these security risks.

Since malware experts are rating the AutoEncryptor Ransomware as a probable derivative of the Hidden Tear family, victims should refrain from relying on their local backups to recover any encoded media. Free decryption software sometimes can reverse the file damages that these attacks cause, but many infections aren't fully recoverable without you restoring it from a non-local backup. Quarantining or deleting the AutoEncryptor Ransomware with anti-malware tools, while necessary for your PC's security, will not unlock any documents or other files that the Trojan is encrypting.

The AutoEncryptor Ransomware may be just the start to a cross-regional branching of the attacks that malware experts saw with the WinSec Ransomware. If that's the case, PC users in any country should be backing up their drives periodically to avoid needing to consider its enormous ransoms.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

dir\name.exe

File name: name.exe
Size: 126.87 KB (126872 bytes)
MD5: 05950b038b5781d940c939a3af3ecd32
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: dir
Group: Malware file
Last Updated: August 17, 2022