
The Ded Cryptor Ransomware thinks you have been Naughty this Year


Petrovic


A new EDA2 ransomware was discovered by Michael Gillespie called Ded Cryptor. This ransomware has been around for quite a while and targets both Russian and English speaking victims. When installed, the victim's desktop will be changed to show an evil-looking Santa having a good time while it encrypts your files.

 


 

Ded Cryptor Ransom Note


Ded Cryptor will change the wallpaper of the Windows desktop to an image that contains the ransom amount and the email address, [email protected], which the victim is told to email for payment instructions.

 

Though EDA2 ransomware has been commonly seen in the past, this particular variant removed the method that we could use to retrieve the keys. Furthermore, it also contains an unused namespace called DarthEncrypt, which appears to be the malware developer's attempt to create a new encryption method for the EDA2 ransomware.

How Ded Cryptor Encrypts your Files
At this point, it is currently unknown how Ded Cryptor is distributed. Once installed, it will generate an AES password and then only encrypt the victim's %UserProfile% folder. When it encrypts a file it will append the .ded extension to it. This means that a file called test.jpg will be renamed to test.jpg.ded when encrypted. The file types targeted by this ransomware are:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .dll, .lnk, .pdf

When encryption is finished it will encrypt the AES key with an RSA key retrieved from the malware developer's Command & Control server. This encrypted key will then be sent back up to the Command & Control server. Finally, Ded Cryptor will change the desktop background to show the image above.

Files associated with Ded Cryptor

%UserProfile%\ded.png

Article source
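
The file-system behaviour described in the post above (the .ded suffix on targeted file types under %UserProfile%, plus %UserProfile%\ded.png) can be checked against a file listing. This is an added example, not part of the original post or article; the function name, the report keys and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Extensions the article lists as targeted by Ded Cryptor.
TARGETED = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
            ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
            ".aspx", ".html", ".xml", ".psd", ".dll", ".lnk", ".pdf"}
MARKER = "ded.png"  # dropped at %UserProfile%\ded.png per the article

# Constructed sample listing (not taken from a real host).
SAMPLE_PROFILE = r"C:\Users\alice"
SAMPLE_LISTING = [
    r"C:\Users\alice\ded.png",
    r"C:\Users\alice\Pictures\test.jpg.ded",
    r"c:\users\ALICE\Documents\Budget.XLSX.DED",
    r"C:\Users\alice\Documents\notes.ded",   # no targeted inner extension
    r"C:\Data\archive.pdf.ded",              # outside the profile
    r"C:\Users\alice\Desktop\report.docx",
    r"C:\Users\alice\Music\song.mp3",
]


def triage(paths, user_profile):
    """Classify a file listing against the behaviour the article describes."""
    profile = PureWindowsPath(user_profile)
    report = {"marker": False, "encrypted": [], "at_risk": [], "unexplained": []}
    for raw in paths:
        p = PureWindowsPath(raw)
        in_profile = profile in p.parents  # Windows paths compare case-insensitively
        name = p.name.lower()
        if p.parent == profile and name == MARKER:
            report["marker"] = True
        elif name.endswith(".ded"):
            stem = p.name[:-4]  # strip the appended .ded to get the original name
            inner = PureWindowsPath(stem).suffix.lower() if stem else ""
            if in_profile and inner in TARGETED:
                report["encrypted"].append((str(p), str(p.parent / stem)))
            else:
                # A .ded file that does not fit the described pattern: review by hand.
                report["unexplained"].append(str(p))
        elif in_profile and p.suffix.lower() in TARGETED:
            report["at_risk"].append(str(p))  # targeted type, not yet renamed
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_PROFILE).items():
        print(key, value)
```

The "encrypted" entries pair each renamed file with its original name, which helps when matching against backups.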



knowledge-Spammer

targets both Russian and English

Russian people will not like that



Well, even if I'm safe I still don't like that. Bitcoin is definitely not for paying THIS here. Bitcoin is for OpenBazaar or something like this.... I hate if Bitcoin is misused this way.

 

2 BTC, this is over 1200 EUR. I can't imagine anything like this.



Archived

This topic is now archived and is closed to further replies.
