The development of malware designed to block access to the operating system is in full expansion. Although today's ransomware is very different from the first generations, which used cryptovirology to literally kidnap user files by encrypting them and demanded financial compensation in exchange for the release key, the concept and the goal have not changed.
In this case, it is a new variant of SMS ransomware that blocks access to the operating system with a screen showing an alleged security report, in which reference is made to an infection caused by a variant of the trojan that recruits zombies for the ZeuS botnet, which is actually false.
The brief report is written in Russian, from which it follows that the malware targets users in that country. However, the spread of the threat has no boundaries and no language limitations.
According to the text, to get an unlock key it is necessary to send an SMS to the number 4161 with the message 2AV112239. This alphanumeric string is not the only one that can be shown, as the malware has a list from which one is displayed at random. The list consists of the following strings:
The malware disables access to the system in Safe Mode and blocks access to the following programs:
- TASKMGR.EXE
- REGEDT32.EXE
- MSCONFIG.EXE
- EXPLORER.EXE
- TEXPL.EXE
- ANVIR.EXE
Countermeasure
Unlock using the following key:
Click the first button and press the Enter key.
Restart the system.
Delete the registry key from ctfmon.exe.
Run an updated antivirus.