
PSCrypt Ransomware

Posted: June 26, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 58
First Seen: June 26, 2017
OS(es) Affected: Windows

The PSCrypt Ransomware is a member of the Globe Imposter Ransomware family. It may imitate some of the symptoms of the Globe Ransomware while also including similar attacks, such as encrypting your files, changing their names, and creating messages that ask for money. Back up your files to keep them from being at risk from encryption-based attacks, and use automated anti-malware analysis to detect and delete the PSCrypt Ransomware as quickly as possible.

Ukraine Gets New Problems in the Form of Bitcoin Thieves

Even a single day can mean a lot to the threat black market and the anti-malware industry that defends against it, with twenty-four hours being more than ample time for well-organized campaigns to get underway. The PSCrypt Ransomware demonstrates the kind of rapid deployment that threat actors can achieve, particularly when most of their code comes from preexisting sources. Malware experts confirm that this build of the Trojan is seeing rapid and widespread distribution in the wild, with the infections apparently being targeted attacks.

The PSCrypt Ransomware's authors are installing it on business-sector systems, although the infection method, whether e-mail spam, exploit kits (EKs), or brute-forcing, is under investigation. Compromised entities are predominantly Ukrainian, although other areas, such as Europe and Russia, are also under attack. After infecting the PC, the PSCrypt Ransomware begins an encryption routine that locks your files and appends the '.pscrypt' extension to their names, all without any visible symptoms until after the fact.

Through an HTML file it places in the same folder as the locked media, the PSCrypt Ransomware also provides ransoming instructions for recovering the blocked data. Although the message has step-by-step Ukrainian text to ask for Bitcoins, malware experts suspect that the threat actors are using an automatic translation tool, rather than being native speakers.

Keeping Extortion Profits Down While the Globe Keeps On Spinning

The PSCrypt Ransomware's new extension and ransoming text both imply that either new threat actors are using the old code of the Globe Imposter Ransomware, or the old ones are making significant updates to their campaign. Although Ukrainian businesses are especially at risk of being targeted by these attacks, those in other nations also should remain on guard for vulnerabilities. Malware experts often associate the brute-forcing of logins or fake e-mail attachments with attacks against members of the business sector.

Since decrypting the PSCrypt Ransomware for free has yet to be made possible, victims without backups have no guaranteed way to recover anything that the Trojan encrypts. The Trojan also deletes Shadow Volume Copy (SVC)-based backup data, so you should save backups to another device, when possible, to keep them from being at risk.

Different anti-malware programs may block many, if not necessarily all, of the possible infection methods that are popular with file-encrypting Trojans. Whether you choose to recover your media or delete it, always scan the compromised PC with anti-malware tools that can remove the PSCrypt Ransomware and any other threats that might be part of the attack. The PSCrypt Ransomware, like most Trojans of its payload type, doesn't duplicate itself without external assistance.

As far as threat actors are concerned, nowhere is a safe living space free from the potential for extortion. Taking good care of your files and your computer, whether at home or in the workplace, is a money-saving venture when compared to dealing with unforeseen PSCrypt Ransomware infections.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: wmodule.exe
Size: 228.86 KB (228864 bytes)
MD5: e8c2b4a8335c513a92388dcfe595f0e5
Detection count: 63
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 27, 2017
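
A triage sweep built only from the indicators listed on this page (the '.pscrypt' extension, an HTML note in the same folder as locked files, and the size and MD5 of wmodule.exe). It is an added example, not part of the original write-up; the function names and the `.htm`/`.html` note filter are assumptions.

```python
import hashlib
import os

# Indicators taken from this page; everything else here is an assumption.
LOCKED_EXT = ".pscrypt"
SAMPLE_MD5 = "e8c2b4a8335c513a92388dcfe595f0e5"
SAMPLE_SIZE = 228864  # bytes; cheap pre-filter so only candidates get hashed


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are never read into memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root):
    """Return locked-file counts per folder, candidate notes, sample matches."""
    report = {"locked": {}, "notes": [], "payload": []}
    for folder, _dirs, files in os.walk(root):
        lower = [(name, name.lower()) for name in files]
        locked = [n for n, low in lower if low.endswith(LOCKED_EXT)]
        if locked:
            report["locked"][folder] = len(locked)
            # HTML beside locked files is only a candidate ransom note.
            report["notes"] += [os.path.join(folder, n) for n, low in lower
                                if low.endswith((".html", ".htm"))]
        for name, _low in lower:
            path = os.path.join(folder, name)
            try:
                # Match on content, not file name: the name is trivial to change.
                if (os.path.getsize(path) == SAMPLE_SIZE
                        and md5_of(path) == SAMPLE_MD5):
                    report["payload"].append(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep sweeping
    return report


if __name__ == "__main__":
    import sys
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for folder, count in sorted(result["locked"].items()):
        print(f"{count:6d} locked file(s) in {folder}")
    for path in result["notes"] + result["payload"]:
        print("review:", path)
```

A hash match identifies only this one listed sample; other builds will have different hashes, so the per-folder count of '.pscrypt' files is the more durable signal of how far the encryption reached.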