
CoNFicker Ransomware

Posted: April 18, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 101,219
First Seen: April 18, 2017
Last Seen: May 21, 2020
OS(es) Affected: Windows


The CoNFicker Ransomware is a threat whose name appears to be borrowed from the Conficker worm, which wreaked havoc on companies worldwide during 2008 and 2009 and caused damage estimated in the billions of dollars. Thankfully, the CoNFicker Ransomware has no connection to the original threat; its author most likely reused the name to mislead victims into believing they are dealing with a more serious cyber threat. Although it is good news that the CoNFicker Ransomware is not linked to the worm, crypto-threats should never be underestimated, and the CoNFicker Ransomware is perfectly capable of causing a lot of damage if it infects a computer successfully.

The samples of the CoNFicker Ransomware that security researchers spotted online were found under names such as 'WinRar 2017.exe' or 'WinRar.exe,' which suggests that the author is distributing the CoNFicker Ransomware as a fake WinRar installer or updater. Users who download and run the malicious binary unknowingly unleash the CoNFicker Ransomware on their computers, allowing it to encrypt their data and then offer decryption instructions in exchange for money.

Not as Popular as Conficker, but Still Threatening

The files that the CoNFicker Ransomware locks are easy to spot, since the threat appends the '.conficker' extension to every file it encrypts. To tell victims what they need to do to get their data back, the CoNFicker Ransomware changes the desktop background to an image containing a shortened ransom note. It also creates a more detailed ransom note named 'Decrypt.txt' and places it on the desktop.

'C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
#####
Attention! Attention! Attention! Your Files has been encrypted By C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
#####
Send 0.5 Bitcoin To @ 1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS @
#####
If Send 0.5 Bitcoin We will send you the decryption key C_o_N_F_i_c_k_e_r Decryptor'

The attacker demands 0.5 BTC (roughly $600 at the April 2017 exchange rate) and provides no contact information at all. With no way to reach the attackers, there is no channel through which a decryption key could ever be delivered. The ransomware also does not assign a unique victim ID and uses a single hard-coded Bitcoin address, so even if a victim paid, the attacker would have no way of telling which victim sent the payment and no mechanism for returning the right key. Together, these points make it almost certain that the CoNFicker Ransomware's message is a scam and that users who pay the ransom will not get their files back. Even if contact details were present, paying would still not be recommended, since there is no guarantee that the attackers would honor their side of the deal.

Unfortunately, a free decryptor for files locked by the CoNFicker Ransomware is not available at the time of writing, so victims may need to look for another way out of the situation. Removing the CoNFicker Ransomware itself is straightforward with a reputable anti-malware utility, but recovering the encrypted files is a harder task. Third-party file-recovery utilities may achieve partial success, but full recovery is not possible without the decryption key held by the attackers; restoring from an offline backup remains the only reliable path.

Technical Details

File System Modifications


The following files were created in the system:

C:\Windows\system32\ggjpkals.ltf
  File name: ggjpkals.ltf
  Size: 159.89 KB (159894 bytes)
  MD5: 08f3ce046ff7efd50fd60bb3c6457a32
  Detection count: 101,214
  Mime Type: unknown/ltf
  Path: C:\Windows\system32
  Group: Malware file
  Last Updated: May 21, 2020

file.exe
  File name: file.exe
  Size: 162.81 KB (162816 bytes)
  MD5: d9d3381b79fb6e35ba995b4a7ab58b4f
  Detection count: 26
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: April 18, 2017
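The indicators above (the '.conficker' extension, the 'Decrypt.txt' note on the desktop, and the two MD5 hashes) are enough to write a simple triage check. The script below is an added example and is not code from the original page or from the malware's author. It walks a directory tree and reports renamed files, ransom notes (confirmed when the note body carries the 'C_o_N_F_i_c_k_e_r' marker quoted in the ransom text above) and hash matches. The sample tree it builds is constructed for the demonstration: its files are harmless placeholders, so the MD5 check will not fire there, but it will on a real host where the listed files are present.

```python
"""Triage script for the CoNFicker Ransomware indicators described on this page.

Added example, not code from the original page. It walks a directory tree and
reports three indicator types:
  1. files renamed with the '.conficker' extension,
  2. ransom notes named 'Decrypt.txt' (confirmed when the body contains the
     'C_o_N_F_i_c_k_e_r' marker quoted on this page),
  3. files whose MD5 matches the hashes listed under Technical Details.
The tree from build_sample_tree() is constructed for the demo: its files are
placeholders, not real malware, so the MD5 check will not fire on it.
"""
import hashlib
import os
import shutil
import tempfile

# MD5 hashes and file names taken from the Technical Details section.
KNOWN_MD5 = {
    "08f3ce046ff7efd50fd60bb3c6457a32": "ggjpkals.ltf",
    "d9d3381b79fb6e35ba995b4a7ab58b4f": "file.exe",
}
ENCRYPTED_EXT = ".conficker"
RANSOM_NOTE_NAME = "decrypt.txt"
RANSOM_NOTE_MARKER = b"C_o_N_F_i_c_k_e_r"


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root):
    """Return a dict of indicator hits found under root."""
    hits = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                hits["encrypted"].append(path)
            if lower == RANSOM_NOTE_NAME:
                # 'Decrypt.txt' is a generic name; only the marker confirms it.
                with open(path, "rb") as fh:
                    confirmed = RANSOM_NOTE_MARKER in fh.read(4096)
                hits["notes"].append((path, confirmed))
            digest = md5_of(path)
            if digest in KNOWN_MD5:
                hits["hash_hits"].append((path, digest, KNOWN_MD5[digest]))
    return hits


def is_infected(hits):
    """True when at least one indicator strong enough to act on was seen."""
    confirmed_notes = [p for p, ok in hits["notes"] if ok]
    return bool(hits["encrypted"] or confirmed_notes or hits["hash_hits"])


def build_sample_tree():
    """Create a constructed victim profile: one encrypted file, one note."""
    root = tempfile.mkdtemp(prefix="conficker_demo_")
    desktop = os.path.join(root, "Users", "victim", "Desktop")
    docs = os.path.join(root, "Users", "victim", "Documents")
    os.makedirs(desktop)
    os.makedirs(docs)
    # Placeholder for a file the ransomware renamed after encrypting it.
    with open(os.path.join(docs, "report.docx" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(b"\x00" * 64)
    # An untouched file that must not be flagged.
    with open(os.path.join(docs, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0")
    # Ransom note starting with the first line quoted on this page.
    with open(os.path.join(desktop, "Decrypt.txt"), "wb") as fh:
        fh.write(b"C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E\n")
    return root


def cleanup(root):
    """Remove the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        result = scan(sample)
        for kind, entries in result.items():
            print(kind, entries)
        print("infected:", is_infected(result))
    finally:
        cleanup(sample)
```

On a real Windows host, point scan() at the user profile directories first; hashing every file under C:\Windows\system32 is slow, so in practice the MD5 check is better restricted to the path named above or replaced by an EDR query for the listed hashes.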
