
EnkripsiPC Ransomware

Posted: December 21, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 72
First Seen: December 21, 2016
Last Seen: May 12, 2020
OS(es) Affected: Windows

The EnkripsiPC Ransomware is a Trojan that locks the files on your PC and uses a pop-up to ask you to contact its threat actors for instructions on paying to unlock them. Since these ransom payments frequently backfire on their victims, malware experts encourage using other recovery strategies that don't give con artists a financial incentive for their attacks. Active anti-malware products with recently updated databases should find and delete the EnkripsiPC Ransomware before this Trojan can lock any content.

How to Social Network with Con Artists

File-encoding Trojans that profit by selling their victims' data back to them are a well-known phenomenon, but different threat actors may use them in slightly different ways. The installation method, the ransom currency, the types of files to attack, the nature of the data encryption, and even the communication method are all details that malware experts see rotating through different strategies. The EnkripsiPC Ransomware, as an example, is one of the few Trojans of this type that includes social networking-based contact options.

The EnkripsiPC Ransomware is a member of a small family of Trojans known as the DetoxCrypto Ransomware, with this new release targeting Indonesians. After it installs itself, the EnkripsiPC Ransomware encrypts specific file formats with an AES-based algorithm and appends the '.fucked' extension to each affected filename, blocking the files. Then, it loads an HTA pop-up, during which it also may play an accompanying audio warning or lock you out of the Windows desktop.

The EnkripsiPC Ransomware's Indonesian-language pop-up asks for payment in Indonesian rupiah (equivalent to over seven hundred USD, minimum) before giving you the decryption code, which is customized according to the name of each infected PC. The contact methods in use for paying this ransom are ones malware experts would associate with an amateur operation: redundant Gmail e-mail, YouTube, and even Facebook accounts. Its threat actor most likely includes multiple, redundant lines of communication to compensate for the authorities terminating each account as it's connected with illicit activity.

Keeping a Vulgar Extension Off Your Data

Besides blocking data like documents or pictures, the EnkripsiPC Ransomware also may auto-terminate essential security applications or take extra steps to guarantee its persistence on the system. Past campaigns by this family also have been known to use a high level of social engineering, both for installing themselves and for misrepresenting the nature of their payloads. Using complex, regularly changed passwords to protect network-accessible PCs and scanning anything downloaded before opening it are two of the most relevant ways of protecting yourself from this threat.

Thanks to a third-party security researcher, the EnkripsiPC Ransomware does have a free decryptor that victims may wish to use for recovering any encrypted content without making any ransom payments. Before doing so, use appropriate anti-malware products to detect and uninstall the EnkripsiPC Ransomware, which is likely to use one or more components with misleading names (such as those of a Windows service). Readers also should note that, as usual, the presence or absence of the EnkripsiPC Ransomware's custom extension tag doesn't affect the encryption that's locking your files, either positively or negatively: renaming a file changes only its label, not its encrypted contents.
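As an added example (not code from this page, nor from the third-party decryptor it mentions), the following Python script shows how a responder could triage a machine for the behaviour described above: it walks a directory tree for files carrying the '.fucked' tag, uses a byte-entropy heuristic (an assumption of this example, based on AES output being close to uniformly random, whereas ordinary documents are not) to separate likely ciphertext from files that merely carry the tag, and demonstrates the point that removing the tag leaves the encrypted bytes untouched. The sample tree, its file names and the 7.0-bit threshold are constructed for the demo.

```python
from __future__ import annotations

import math
import os
import tempfile
from pathlib import Path

# Extension the page reports the EnkripsiPC Ransomware appending to encrypted files.
RANSOM_EXT = ".fucked"
# Heuristic threshold (assumption of this example): AES ciphertext averages close to
# 8 bits of entropy per byte; text, office files and most images sit well below 7.0.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_tagged_files(root: Path, ext: str = RANSOM_EXT) -> list[Path]:
    """Walk `root` and return every regular file whose name ends with the ransom tag."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower().endswith(ext))


def triage(root: Path) -> dict:
    """Summarise which files carry the tag, which look like real ciphertext, and where."""
    tagged = find_tagged_files(root)
    likely = [p for p in tagged if shannon_entropy(p.read_bytes()) >= HIGH_ENTROPY_BITS]
    return {
        "tagged": [p.name for p in tagged],
        "likely_encrypted": [p.name for p in likely],
        "directories_hit": sorted({p.parent.name for p in tagged}),
    }


def strip_tag_changes_content(path: Path) -> bool:
    """Rename a tagged file back to its original name and report whether its bytes changed.

    They never do: the tag is only a label appended by the Trojan, and removing it does
    nothing to the AES layer protecting the data.
    """
    before = path.read_bytes()
    restored = path.with_name(path.name[: -len(RANSOM_EXT)])
    path.rename(restored)
    return restored.read_bytes() != before


def build_sample_tree() -> Path:
    """Constructed sample data (not real victim files) in a fresh temporary directory.

    Two tagged files hold random bytes standing in for AES output, one tagged file holds
    a flat payload (a file that was only renamed), and one document is untouched.
    """
    root = Path(tempfile.mkdtemp(prefix="enkripsipc_demo_"))
    docs = root / "Documents"
    pics = root / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / ("report.docx" + RANSOM_EXT)).write_bytes(os.urandom(4096))
    (pics / ("holiday.jpg" + RANSOM_EXT)).write_bytes(os.urandom(4096))
    (docs / ("notes.txt" + RANSOM_EXT)).write_bytes(b"A" * 4096)
    (docs / "readme.txt").write_bytes(b"Quarterly notes, nothing encrypted here.\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = triage(sample_root)
    print(f"tagged files:      {report['tagged']}")
    print(f"likely ciphertext: {report['likely_encrypted']}")
    print(f"directories hit:   {report['directories_hit']}")
    target = sample_root / "Documents" / ("report.docx" + RANSOM_EXT)
    print(f"renaming changed the bytes: {strip_tag_changes_content(target)}")
```

In practice you would point `triage` at a user profile or a mounted disk image rather than the constructed tree; the entropy split matters because it tells you which tagged files are worth feeding to a decryptor and which were only renamed or never fully written, and the rename check is there to make the page's warning concrete before anyone tries to "fix" files by editing their extensions.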

Families of threats like the DetoxCrypto Ransomware continue benefiting from the rental-based business models that let threat actors deploy them in numerous, flexible ways. Whenever new versions of these old threats appear, like the EnkripsiPC Ransomware, they're strong reminders that threatening software is a problem that constantly evolves and adapts to virtually any PC that has contact with others.