New Russian Ransomware spotted in the wild

May 20, 2016

The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Svchostix, which encrypts the user's files and deletes them if the payment is not made on time.

Infection cycle:

The Trojan's file is named Svhost (a misspelling of svchost) and has the following properties:

The Trojan adds an autostart object to enable startup after reboot:

  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.exe (copy of original) [Detected as GAV: Svchostix.A (Trojan)]

It connects to the C&C server and makes the following request:

The Trojan creates the following files on the victim's desktop:

  • YourId.txt
  • YourId (in Russian)
  • Hacked.txt

The Trojan drops the same files into the Desktop, Downloads and Documents folders on the victim's machine and encrypts all of the victim's documents in those folders, appending the .Silent extension to each encrypted file.
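The two host artifacts described above (the win.exe copy in the Startup folder, and the YourId.txt / Hacked.txt notes next to files renamed with a .Silent extension) are enough for a quick triage check on a suspect user profile. The script below is an added example written for this page, not SonicWall's code; it takes the indicator names from the advisory and assumes nothing else about the sample. The profile layout it scans in `demo()` is constructed in a temporary directory purely so the check can be exercised offline; the Russian-named note is omitted because its exact filename is not given above.

```python
"""Triage a Windows user profile for the Svchostix indicators named in the advisory."""
import tempfile
from pathlib import Path

# Indicators taken from the advisory text (file names and path only).
STARTUP_ARTIFACT = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup" / "win.exe"
NOTE_FILES = {"yourid.txt", "hacked.txt"}   # ransom notes, compared case-insensitively
ENCRYPTED_EXT = ".silent"                   # extension appended to encrypted documents


def find_indicators(appdata, user_dirs):
    """Return the autostart copy, ransom notes and .Silent files found under the given paths."""
    appdata = Path(appdata)
    findings = {"autostart": [], "notes": [], "encrypted": []}

    # The advisory writes the path as %APPDATA%\Roaming\...; on a live host %APPDATA%
    # already resolves to ...\AppData\Roaming, so both spellings are checked.
    for base in (appdata / "Roaming", appdata):
        candidate = base / STARTUP_ARTIFACT
        if candidate.is_file():
            findings["autostart"].append(str(candidate))

    # Desktop, Downloads and Documents are the folders the advisory names.
    for d in user_dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in d.rglob("*"):
            if not p.is_file():
                continue
            if p.name.lower() in NOTE_FILES:
                findings["notes"].append(str(p))
            elif p.suffix.lower() == ENCRYPTED_EXT:
                findings["encrypted"].append(str(p))
    return findings


def verdict(findings):
    """Summarise findings; the Startup copy alone is decisive, notes plus .Silent files together are too."""
    if findings["autostart"]:
        return "autostart artifact present"
    if findings["notes"] and findings["encrypted"]:
        return "ransom notes and encrypted files present"
    if findings["notes"] or findings["encrypted"]:
        return "partial indicators, review manually"
    return "no indicators"


def build_sample_profile(root):
    """Constructed sample layout (placeholder content, not real malware output) for an offline run."""
    root = Path(root)
    appdata = root / "AppData"
    startup_copy = appdata / "Roaming" / STARTUP_ARTIFACT
    startup_copy.parent.mkdir(parents=True, exist_ok=True)
    startup_copy.write_bytes(b"MZ placeholder")          # stands in for the win.exe copy

    desktop, docs, downloads = root / "Desktop", root / "Documents", root / "Downloads"
    for d in (desktop, docs, downloads):
        d.mkdir(parents=True, exist_ok=True)
    (desktop / "YourId.txt").write_text("constructed sample note")
    (desktop / "Hacked.txt").write_text("constructed sample note")
    (docs / "report.docx.Silent").write_bytes(b"\x00")   # constructed encrypted-looking file
    (downloads / "photo.jpg.Silent").write_bytes(b"\x00")
    (docs / "untouched.txt").write_text("clean file, must not be flagged")
    return appdata, [desktop, docs, downloads]


def demo():
    """Build the constructed profile in a temp dir and triage it."""
    appdata, dirs = build_sample_profile(tempfile.mkdtemp())
    findings = find_indicators(appdata, dirs)
    return findings, verdict(findings)


if __name__ == "__main__":
    found, summary = demo()
    for category, paths in found.items():
        print(category, paths)
    print(summary)
```

On a real host, call `find_indicators` with `%APPDATA%` and the user's Desktop, Downloads and Documents paths instead of the constructed profile; the Startup-folder copy is the strongest single indicator because it persists across reboots even after the notes are deleted.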

It displays the following details in the file YourId.txt:

It displays the following ransom message in the file Hacked.txt:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Svchostix.A (Trojan)