Evolution Ransomware actively spreading in the wild.
The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of Evolution Ransomware [Evolution.RSM] actively spreading in the wild.
Evolution encrypts the victims files with a strong encryption algorithm until the victim pays a fee to get them back.
Contents of the Evolution ransomware
The Ransomware adds the following files to the system:
- %App.path%\ (_H0W_TO_REC0VER_[Random].html
- %App.path%\ (_H0W_TO_REC0VER_[Random].txt
- %App.path%\ (_H0W_TO_REC0VER_[Random].lnk
- %App.path%\ [File Name]. Random
- %Userprofile\Desktop %\ (_H0W_TO_REC0VER_[Random].html
- Instruction for recovery
Once the computer is compromised, the Ransomware runs the following commands:
The Ransomware encrypts all the files and appends random extension such as [.hAOrGb] onto each encrypted file’s filename.
After encrypting all personal documents the Ransomware shows the following webpage containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Evolution.RSM (Trojan)