Recently during some research on encrypting ransomware we came across a new variant that brings some new features to the table. It will encrypt by utilizing the following javascript from being opened as an attachment from email (posing as some document file).

Malicious script from email


Once full encrypted you’ll get a popup text document informing you that all your files have been encrypted and how to pay money to get your key to decrypt. This specific sample is Russian, and the instructions were also in Russian so I didn’t show it here. The really interesting thing about this variant that I wanted to share is that once it finishes it actually shows you a twitter feed that populates a tweet every time someone pays the ransom. I suspect this does increase the chance that people will pay the ransom.


Blurred out emails of the victims who paid


Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the look out for more, but just in case of new zero day variants – remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage.  Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies.

Tyler Moffitt

About the Author

Tyler Moffitt

Sr. Security Analyst

Tyler Moffitt is a Sr. Security Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.

Share This