
WininiCrypt Ransomware

Posted: August 11, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 35
First Seen: August 11, 2017
Last Seen: September 11, 2021
OS(es) Affected: Windows

The WininiCrypt Ransomware is a Trojan that encrypts your media so that it can demand Bitcoin payments for providing a decryption solution. Attacks by the WininiCrypt Ransomware are most likely to impact content such as text documents, pictures, and other commonly-used formats, and may show no symptoms until after the file damage occurs. In addition to keeping spare copies of your media in locations not open to attack, you can protect your computer from this threat by having anti-malware products delete the WininiCrypt Ransomware automatically.

A Working Facsimile of a 'Globe' of Trojan Attack

The Globe Ransomware, as a family, is often imitated by other Trojans trying to use its publicity to encourage equally successful ransom transactions for themselves. For some campaigns, such as that of the just-identified WininiCrypt Ransomware, the Trojan in question may even be built on a coding environment with a very different basis, like Microsoft's .NET Framework. However, many of its symptoms are similar to that family's, which potentially confuses any efforts at reversing the damage of an infection.

In contrast with many of the copycat Trojans malware analysts have noted in the past few weeks, the WininiCrypt Ransomware is in the distribution phase of its campaign and is actively attacking targets with an encryption-based payload. The Trojan scans for local content to block with encryption, such as documents, and also erases any traces of default backups, including the Windows Shadow Copies. The now non-opening files are detectable by the new extension the WininiCrypt Ransomware appends to their names, which currently consists of the threat actor's Yandex-based e-mail address in brackets.

The WininiCrypt Ransomware also creates a local Web page, nearly identical to the ones used by variants of the Globe Ransomware, which presents the victim with a ransom demand. The threat actor also offers an early demonstration of his decryption help for no charge, although insisting on Bitcoin currency, as usual, prevents the victim from obtaining a refund of anything they choose to pay. Malware experts still are researching the viability of free decryption for the WininiCrypt Ransomware, which uses an unidentified enciphering method.

Bringing a Globe's Worth of Ransoms to a Halt

The WininiCrypt Ransomware's reuse of previously-identified ransom notes from other campaigns is more than just a psychological tool; it also is a way to keep victims from finding out which decryption utility is compatible with their encoded files. Since running an inappropriate decryption program on encrypted media can cause additional damage, you always should create copies of your data for experimental recovery purposes. Submitting samples of the WininiCrypt Ransomware's executable and related components to reliable security researchers also may help the development of appropriate solutions.

Most file-encrypting threats prefer such vectors as e-mail and website exploit kits for installing themselves, particularly in targeted attacks against for-profit entities. Users should expect any incoming installers for the WininiCrypt Ransomware to use disguises pertinent to their interests or occupation, including references to the company in question. Although most anti-malware applications should remove the WininiCrypt Ransomware automatically, post-infection, you should scan the entire PC, to be sure of deleting all related threats.

Other than being limited to .NET-compatible Windows machines, the WininiCrypt Ransomware potentially has broad access to a range of environments in which to hold data hostage. Although the WininiCrypt Ransomware is an imitation of the real Globe Ransomware, it's just as good at causing file-related problems for anyone without a recent, non-local backup.

Technical Details

File System Modifications


The following files were created in the system:

File name: ba15c27f26265f4b063b65654e9d7c248d0d651919fafb68cb4765d1e057f93f.exe
Path: c:\Users\<username>\desktop
Size: 1.24 MB (1249144 bytes)
MD5: 3b200c8173a92c94441cb062d38012f6
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 1, 2019

File name: yxugwjud.exe
Size: 1.25 MB (1254264 bytes)
MD5: 16bcc3b7f32c41e7c7222bf37fe39fe6
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
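As an added triage example (not code from this page or from the security vendor), the script below covers two indicators described above: the renamed-file pattern, where the appended extension is the actor's bracketed Yandex address, and the MD5/size pairs listed under Technical Details. The exact renaming layout (`name.ext.[address@yandex.ru]`) and the `triage`/`looks_renamed` helper names are assumptions; the sample names in the demo are constructed.

```python
import hashlib
import re
from pathlib import Path

# MD5 / size pairs copied from this page's Technical Details section.
# Size is checked alongside MD5 because MD5 alone is a weak identity check.
KNOWN_SAMPLES = {
    "3b200c8173a92c94441cb062d38012f6": 1249144,  # ba15c27f...e057f93f.exe
    "16bcc3b7f32c41e7c7222bf37fe39fe6": 1254264,  # yxugwjud.exe
}

# Assumed layout of renamed files: "<original name>.[<address>@yandex.<tld>]".
# The page only says the appended extension is the actor's bracketed Yandex
# address; the separator and the TLD list here are assumptions.
RENAMED_RE = re.compile(r"\.\[[^\[\]\s@]+@yandex\.(?:ru|com)\]$", re.IGNORECASE)


def looks_renamed(filename: str) -> bool:
    """True if the name ends in a bracketed Yandex address (assumed marker)."""
    return RENAMED_RE.search(filename) is not None


def original_name(filename: str) -> str:
    """Strip the appended marker so the victim can see what the file was."""
    return RENAMED_RE.sub("", filename)


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: str) -> dict:
    """Walk a tree; list renamed files and any binary matching a listed sample."""
    hits = {"renamed": [], "known_sample": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if looks_renamed(p.name):
            hits["renamed"].append(str(p))
        size = p.stat().st_size  # hash only files whose size could match
        if size in KNOWN_SAMPLES.values() and KNOWN_SAMPLES.get(md5_of(p)) == size:
            hits["known_sample"].append(str(p))
    return hits


if __name__ == "__main__":
    # Constructed names (not from the page) to show the name check.
    for name in ("report.docx.[attacker@yandex.ru]", "report.docx"):
        print(name, "->", looks_renamed(name))
```

Run `triage()` against a copy of the affected share, not the live system, and treat a hash match as a reason to submit the binary to a researcher rather than to execute it.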