EVERBE RANSOMWARE actively spreading in the wild.
The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of EVERBE [Everbe.RSM] actively spreading in the wild.
EVERBE encrypts the victim's files with a strong encryption algorithm until the victim pays a fee to get them back.
Contents of the EVERBE ransomware
Infection Cycle:
The Ransomware adds the following files to the system:
- Malware.exe
- %App.path%\ !=How_recovery_files=!.txt
- Instruction for recovery
- %App.path%\ !=How_recovery_files=!.txt
Once the computer is compromised, the Ransomware copies its own executable into %Userprofile% folder and runs the following commands:
The Ransomware encrypts all the files and appends the . Everbe extension onto each encrypted file's filename.
After encrypting all personal documents the Ransomware shows the following webpage containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.
Sonicwall Capture Labs provides protection against this threat via the following signature:
- GAV: Everbe.RSM (Trojan)
