Ryzerlo ransomware poses as Pokemon game

The Dell SonicWall Threats Research team has received reports of a new ransomware Trojan, Ryzerlo, which encrypts the victim's files and leaves behind an email address that the victim is told to contact to get the files unlocked.
Infection cycle:
The Trojan poses as a Pokemon Go game and uses the game's icon.
Once the victim runs the executable, the Trojan makes changes to the registry.
The Trojan adds two autostart objects so that it runs again after a reboot; one of them is a copy of the original dropped into the user's Startup folder:
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\[numbers].exe (copy of original)
It tries to connect to the C&C server, then encrypts the victim's documents, appending a .locked extension to each file. The targeted extensions are:
  .txt, .rtf, .doc, .pdf, .mht, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .htm, .gif
The Trojan then creates two files on the victim's desktop: one contains random text and the other contains the email address to contact.
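The three host-side traces described above (a numeric-named copy of the dropper in the Startup folder, documents renamed with a .locked suffix, and a desktop note carrying a contact email address) are easy to sweep for during triage. The script below is an added example, not SonicWall's code; it walks a user profile directory, reports each indicator class, and builds a constructed sample profile (hypothetical file names such as 83721904.exe and restore@example.com) so it can be run offline. The Startup path is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup expressed relative to the profile root, since %APPDATA% already resolves to AppData\Roaming.

```python
"""Triage sweep for the Ryzerlo indicators described in the advisory.
Added example; not SonicWall's code. All sample files are constructed."""
import os
import re
import tempfile

# Document extensions the advisory lists as encryption targets.
TARGET_EXTENSIONS = {
    ".txt", ".rtf", ".doc", ".pdf", ".mht", ".docx", ".xls", ".xlsx",
    ".ppt", ".pptx", ".odt", ".jpg", ".png", ".csv", ".sql", ".mdb",
    ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".htm", ".gif",
}
LOCKED_SUFFIX = ".locked"

# The Startup copy is named with digits only ("[numbers].exe" in the advisory);
# the digit count is not given, so any run of digits matches.
NUMERIC_EXE_RE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Per-user Startup folder and Desktop relative to the profile root (%USERPROFILE%).
STARTUP_PARTS = ("AppData", "Roaming", "Microsoft", "Windows",
                 "Start Menu", "Programs", "Startup")
DESKTOP_PARTS = ("Desktop",)


def find_startup_persistence(startup_dir):
    """Return numeric-named .exe files sitting in the Startup folder."""
    if not os.path.isdir(startup_dir):
        return []
    return sorted(os.path.join(startup_dir, name)
                  for name in os.listdir(startup_dir)
                  if NUMERIC_EXE_RE.match(name))


def find_locked_files(root):
    """Walk root and return (path, original_extension) for each *.locked file
    whose pre-encryption extension is on the advisory's target list."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(LOCKED_SUFFIX):
                continue
            original = name[: -len(LOCKED_SUFFIX)]
            ext = os.path.splitext(original)[1].lower()
            if ext in TARGET_EXTENSIONS:
                hits.append((os.path.join(dirpath, name), ext))
    return sorted(hits)


def find_ransom_notes(desktop_dir):
    """Return (path, [emails]) for desktop text files that carry a contact
    email address, as the dropped note does."""
    notes = []
    if not os.path.isdir(desktop_dir):
        return notes
    for name in sorted(os.listdir(desktop_dir)):
        path = os.path.join(desktop_dir, name)
        if not (os.path.isfile(path) and name.lower().endswith(".txt")):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            emails = sorted(set(EMAIL_RE.findall(fh.read())))
        if emails:
            notes.append((path, emails))
    return notes


def triage(profile_root):
    """Run all three checks against one user profile directory."""
    return {
        "startup": find_startup_persistence(os.path.join(profile_root, *STARTUP_PARTS)),
        "locked": find_locked_files(profile_root),
        "notes": find_ransom_notes(os.path.join(profile_root, *DESKTOP_PARTS)),
    }


def build_demo_profile():
    """Constructed post-infection profile (hypothetical names, no real malware):
    a numeric .exe in Startup, .locked documents, and a desktop note."""
    root = tempfile.mkdtemp(prefix="ryzerlo_demo_")
    startup = os.path.join(root, *STARTUP_PARTS)
    desktop = os.path.join(root, *DESKTOP_PARTS)
    docs = os.path.join(root, "Documents")
    for d in (startup, desktop, docs):
        os.makedirs(d, exist_ok=True)
    open(os.path.join(startup, "83721904.exe"), "wb").close()
    open(os.path.join(docs, "budget.xlsx.locked"), "wb").close()
    open(os.path.join(docs, "report.docx.locked"), "wb").close()
    open(os.path.join(docs, "untouched.docx"), "wb").close()
    open(os.path.join(docs, "archive.zip.locked"), "wb").close()  # .zip is not a listed target
    with open(os.path.join(desktop, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write("Your files are encrypted. Write to restore@example.com\n")
    with open(os.path.join(desktop, "random.txt"), "w", encoding="utf-8") as fh:
        fh.write("kjh3k4jh2k3j4h\n")
    return root


if __name__ == "__main__":
    for key, value in triage(build_demo_profile()).items():
        print(key, value)
```

Point `triage()` at a real profile root (for example C:\Users\<name>) to sweep a live system; the .locked check deliberately ignores files whose original extension is not on the advisory's list, so unrelated renamed files do not inflate the count.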
We urge our users to always be vigilant and cautious with any unsolicited attachments, especially if you are not certain of the source. If you are responsible for your system and network security, it is time to patch your security devices.

Source : Dell SonicWall Center

Have a nice day.
(Be knowledgeable, pass it on then)