New Russian Ransomware spotted in the wild
The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Svchostix, which encrypts the user's files and deletes them if the payment is not made on time.
The Trojan runs under the name Svhost (a misspelling of svchost) and has the following properties:
The Trojan adds an autostart object to enable startup after reboot:
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.exe (copy of original) [Detected as GAV: Svchostix.A (Trojan)]
It connects to the C&C server and makes the following request:
The trojan creates the following files on the victim's desktop:
- YourId (in Russian)
The trojan also creates the following files in the Desktop, Downloads and Documents folders on the victim's machine and encrypts all of the victim's documents in those folders, appending the .Silent extension to each encrypted file.
It displays the following details in the file YourID.txt:
It displays the following ransom message in the file hacked.txt:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Svchostix.A (Trojan)
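As an added example (not SonicWall's code), the following Python host-triage check turns the indicators listed above into something an incident responder can run against a file listing: the win.exe autostart copy in the Startup folder, the YourID.txt and hacked.txt ransom notes on the Desktop, files renamed with the .Silent extension in the Desktop, Downloads and Documents folders, and any executable carrying the misspelled Svhost name. The sample listing, the assumption that the trojan's file name is `svhost.exe`, and the threshold of two .Silent files before a machine is called compromised are all constructed for this example.

```python
from pathlib import PureWindowsPath

# Indicators taken from the advisory (lower-cased for case-insensitive matching)
STARTUP_DIR = ("microsoft", "windows", "start menu", "programs", "startup")
AUTOSTART_NAME = "win.exe"        # copy of the original dropped in the Startup folder
LOOKALIKE_NAME = "svhost.exe"     # assumed file name of the misspelled-svchost binary
RANSOM_NOTES = {"yourid.txt", "hacked.txt"}
ENCRYPTED_EXT = ".silent"
TARGET_DIRS = {"desktop", "downloads", "documents"}

# Constructed sample listing (not real data), e.g. from `dir /s /b` or an EDR export
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.exe",
    r"C:\Users\alice\Desktop\YourID.txt",
    r"C:\Users\alice\Desktop\hacked.txt",
    r"C:\Users\alice\Documents\report.docx.Silent",
    r"C:\Users\alice\Downloads\invoice.pdf.Silent",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\svchost.exe",   # the legitimate, correctly spelled service host
]


def classify(path_str):
    """Return which advisory indicator a single path matches, or None."""
    p = PureWindowsPath(path_str)
    parts = tuple(part.lower() for part in p.parts)
    name = p.name.lower()
    # Autostart copy: win.exe whose parent chain ends in ...\Start Menu\Programs\Startup
    if name == AUTOSTART_NAME and parts[-6:-1] == STARTUP_DIR:
        return "autostart"
    # Misspelled service-host name anywhere on disk
    if name == LOOKALIKE_NAME:
        return "lookalike"
    # Ransom notes dropped on the Desktop
    if name in RANSOM_NOTES and "desktop" in parts:
        return "ransom_note"
    # Encrypted documents: .Silent extension inside one of the targeted folders
    if p.suffix.lower() == ENCRYPTED_EXT and TARGET_DIRS & set(parts):
        return "encrypted"
    return None


def triage(paths):
    """Group every matching path by indicator type."""
    findings = {"autostart": [], "lookalike": [], "ransom_note": [], "encrypted": []}
    for path in paths:
        kind = classify(path)
        if kind is not None:
            findings[kind].append(path)
    return findings


def is_compromised(findings, min_encrypted=2):
    """Persistence, the lookalike binary or a ransom note is decisive on its own;
    a single stray .Silent file is not, so encrypted files need a minimum count
    (the threshold of 2 is an assumption chosen for this example)."""
    if findings["autostart"] or findings["lookalike"] or findings["ransom_note"]:
        return True
    return len(findings["encrypted"]) >= min_encrypted


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for kind, hits in result.items():
        for hit in hits:
            print(f"{kind:12s} {hit}")
    print("compromised:", is_compromised(result))
```

The check is deliberately path-based so it can run against an offline listing taken from a suspect host; in a live response the same functions can be fed by `os.walk` over the user profile. The per-indicator grouping matters because the autostart entry is the one the page ties to the GAV signature, while the .Silent files show how far encryption progressed.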