WininiCrypt Ransomware
Posted: August 11, 2017
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors, collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs identified in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually indicate a popular threat, but the threat may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criteria for the Volume Count are relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline, and the equal symbol represents no change in a threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path to indicate a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 35 |
| First Seen: | August 11, 2017 |
| Last Seen: | September 11, 2021 |
| OS(es) Affected: | Windows |
The WininiCrypt Ransomware is a Trojan that encrypts your media so that it can demand Bitcoin payments in exchange for a decryption solution. Attacks by the WininiCrypt Ransomware are most likely to impact content such as text documents, pictures, and other commonly used formats, and may show no symptoms until after the file damage has occurred. In addition to keeping spare copies of your media in locations not open to attack, you can protect your computer from this threat by having anti-malware products delete the WininiCrypt Ransomware automatically.
A Working Facsimile of a 'Globe' of Trojan Attack
The Globe Ransomware, as a family, is often imitated by other Trojans trying to use its publicity to encourage equally successful ransom transactions for themselves. In some campaigns, such as that of the just-identified WininiCrypt Ransomware, the Trojan in question may even be built on a very different platform, such as Microsoft's .NET Framework. However, many of its symptoms are similar to those of that family, which can confuse any efforts to reverse the damage of an infection.
In contrast with many of the copy-cat Trojans malware analysts have noted in the past few weeks, the WininiCrypt Ransomware is in the distribution phase of its campaign and is actively attacking targets with encryption-based payloads. The Trojan scans for local content to block with encryption, such as documents, and also erases any traces of default backups, including the Windows Shadow Copies. The now non-opening files can be recognized by the new extensions the WininiCrypt Ransomware appends to their names, which currently consist of the threat actor's Yandex-based e-mail address in brackets.
The WininiCrypt Ransomware also creates a local Web page, nearly identical to the ones used by variants of the Globe Ransomware, which presents the victim with a ransom demand. The threat actor also offers an early demonstration of his decryption help at no charge, although, as usual, the insistence on Bitcoin prevents the victim from getting a refund of anything they choose to pay. Malware experts are still researching the viability of free decryption for the WininiCrypt Ransomware, which uses an unidentified enciphering method.
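The renaming symptom described above can be turned into a simple defensive check: scan a file listing for names that end in a bracketed e-mail address, recover the original name and extension, and report which address was used. This is an added example, not code from the original page or from any vendor tool; the `actor@yandex.example` address and the file names are constructed placeholders, and the assumption that the marker is a trailing bracketed address, with or without a leading dot, is mine.

```python
import os
import re
from collections import Counter

# Assumption: the appended marker is a trailing "[user@host]" token, with or
# without a dot before it. The address is captured so it can be reported.
_MARKER = re.compile(r"\.?\[([^\[\]\s@]+@[^\[\]\s@]+)\]$")

def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]

def split_marker(name):
    """Return (original_name, email) when the name carries the marker, else None."""
    m = _MARKER.search(name)
    if not m or m.start() == 0:        # a bare "[addr]" is a note, not a renamed file
        return None
    return name[:m.start()], m.group(1)

def find_suspect_renames(paths):
    """Group marked files by the address used; count the original extensions hit."""
    by_email = {}
    for path in paths:
        hit = split_marker(basename(path))
        if hit is None:
            continue
        original, email = hit
        entry = by_email.setdefault(email, {"files": [], "original_ext": Counter()})
        entry["files"].append(path)
        entry["original_ext"][os.path.splitext(original)[1].lower() or "(none)"] += 1
    return by_email

def scan_tree(root):
    """Walk a directory tree and run find_suspect_renames over every file in it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_suspect_renames(paths)

# Constructed sample listing, not from a real infection; the address is a placeholder.
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.[actor@yandex.example]",
    r"C:\Users\alice\Pictures\holiday.jpg.[actor@yandex.example]",
    r"C:\Users\alice\Pictures\notes.txt",
    r"C:\Users\alice\Desktop\[actor@yandex.example]",
    r"C:\Users\alice\Desktop\budget.xlsx[actor@yandex.example]",
]

if __name__ == "__main__":
    for email, info in find_suspect_renames(SAMPLE).items():
        print(email, len(info["files"]), dict(info["original_ext"]))
```

The reported address is worth recording as an indicator alongside the file hashes below, and the per-extension counts show which content types the campaign targeted on that machine.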
Bringing a Globe's Worth of Ransoms to a Halt
The WininiCrypt Ransomware's use of previously identified ransom notes from other campaigns is more than just a psychological tool; it is also a way to keep victims from finding out which decryption utility is compatible with their encoded files. Since running an inappropriate decryption program on encrypted media can cause additional damage, you should always create copies of your data for experimental recovery purposes. Submitting samples of the WininiCrypt Ransomware's executable and related components to reliable security researchers may also help the development of appropriate solutions.
Most file-encrypting threats prefer vectors such as e-mail and website exploit kits for installing themselves, particularly in targeted attacks against for-profit entities. Users should expect any incoming installers for the WininiCrypt Ransomware to use disguises pertinent to their interests or occupation, including references to the company in question. Although most anti-malware applications should remove the WininiCrypt Ransomware automatically, you should scan the entire PC after an infection to be sure of deleting all related threats.
Other than being limited to .NET-compatible Windows machines, the WininiCrypt Ransomware has potentially broad access to different environments whose data it can hold hostage. Although the WininiCrypt Ransomware is an imitation of the real Globe Ransomware, it is just as good at causing file-related problems for anyone without a recent, non-local backup.
Technical Details
File System Modifications
The following files were created in the system:
c:\Users\<username>\desktop\ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f.exe
File name: ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f.exe
Size: 1.24 MB (1249144 bytes)
MD5: 3b200c8173a92c94441cb062d38012f6
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: c:\Users\<username>\desktop
Group: Malware file
Last Updated: April 1, 2019
yxugwjud.exe
File name: yxugwjud.exe
Size: 1.25 MB (1254264 bytes)
MD5: 16bcc3b7f32c41e7c7222bf37fe39fe6
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file