Ransom:Win32/Ascrirac.A

Installation

This malware installs a copy of itself and the following files in the %APPDATA% or %APPDATA%\Roaming\ folders:

• bitmsg.db-journal or bitmsg.db
• help.html
• key.dat
• log.html

It makes the following changes to the registry to ensure that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: crypto12
With data: "<malware file name>"

Payload

Encrypts your files

This threat encrypts files on your PC from fixed and remote drives to prevent you from accessing them.

The malware encrypts files it finds with the following extensions:

It communicates with Tor, an encrypted network, to retrieve an encryption key.

Displays a message

This threat displays a dialog box that asks you to pay a fee to receive a randomly-generated key that will "unlock" your files. It tells you to pay by bitcoin to receive a private key before a deadline. It claims that if you don't pay by the specified date your private key will be destroyed.

The key that "unlocks" your PC is unique; you will not be able to use anyone else's key.

The dialog box can look like the example below:
 

Creates a shortcut

The malware takes a snapshot of the dialog box shown above and saves it to the desktop as wall.bmp.

If you click on this shortcut, it opens the pop-up window shown above.

Analysis by Carmen Liang