Class Trojan-Ransom
Platform Win32

Malware of this family is distributed in various ways, such as spam, exploit kits, vulnerable server software, and weak RDP credentials. Once launched, it iterates through all drives, excluding some system directories and the directory that holds the user’s temporary files. It then encrypts almost all user files using a custom symmetric crypto algorithm. During the encryption process, special markers such as {ENCRYPTSTART} and {ENCRYPTENDED} are added to the encrypted files. The malware also creates the file how_to_decrypt.hta in each directory that contains encrypted files.
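A triage scan built from the indicators named above, added here as an example and not part of the original entry: it walks a directory tree and reports how_to_decrypt.hta notes and files that contain either marker, which helps scope the affected directories during incident response. It assumes the markers are stored as plain ASCII bytes at an unspecified offset in the file; the function names are hypothetical.

```python
import os
import tempfile

# Indicators from the description above. Assumption: markers are plain ASCII
# bytes; their position in the file is not stated, so the whole file is scanned.
MARKERS = (b"{ENCRYPTSTART}", b"{ENCRYPTENDED}")
NOTE_NAME = "how_to_decrypt.hta"


def markers_in_file(path, chunk_size=1 << 20):
    """Return the set of markers found anywhere in the file (chunked read)."""
    found, tail = set(), b""
    overlap = max(len(m) for m in MARKERS) - 1
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            window = tail + block
            found.update(m for m in MARKERS if m in window)
            # Keep the trailing bytes so a marker split across two reads is seen.
            tail = window[-overlap:]
    return found


def scan_tree(root):
    """Walk root; report ransom notes and files carrying the markers."""
    report = {"notes": [], "marked_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:  # Windows file names are case-insensitive
                report["notes"].append(path)
                continue
            try:
                hits = markers_in_file(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep scanning
            if hits:
                report["marked_files"].append((path, sorted(m.decode() for m in hits)))
    return report


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        open(os.path.join(root, NOTE_NAME), "w").close()
        with open(os.path.join(root, "doc.bin"), "wb") as fh:
            fh.write(b"{ENCRYPTSTART}" + b"\x00" * 64 + b"{ENCRYPTENDED}")
        print(scan_tree(root))
```

A file that contains only one of the two markers is still reported, since that can indicate encryption that was interrupted partway through.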

Top 10 countries with most attacked users (% of total attacks)

Rank  Country             Percentage of users*
1     Russian Federation  41.43
2     Indonesia           11.32
3     Japan               4.01
4     Vietnam             3.64
5     Mexico              3.44
6     Italy               3.34
7     Egypt               2.23
8     China               2.06
9     Germany             1.95
10    Algeria             1.29

* Percentage of all unique Kaspersky users worldwide who have been attacked by this malware