Clase: Trojan-Ransom
Este tipo de troyano modifica los datos en la computadora de la víctima para que la víctima ya no pueda usar los datos, o evita que la computadora se ejecute correctamente. Una vez que los datos han sido "tomados como rehenes" (bloqueados o encriptados), el usuario recibirá una demanda de rescate. La demanda de rescate le dice a la víctima que envíe dinero al usuario malintencionado; al recibir esto, el ciberdelincuente enviará un programa a la víctima para restaurar los datos o restaurar el rendimiento de la computadora.Más información
Plataforma: Win32
Win32 es una API en sistemas operativos basados en Windows NT (Windows XP, Windows 7, etc.) que admite la ejecución de aplicaciones de 32 bits. Una de las plataformas de programación más extendidas en el mundo.Familia: Trojan-Ransom.Win32.Gen
No family descriptionExamples
ED93CA8561273A62B504B8CAC9FB91635C17C64513986E8A6BE1E8EDD39ED2BF
B0B750C5CE0C62E0A115AB425DD223EC
7F7CC74DFBCB05D00A18D1DA180EB731
A81DDFAA0E888E431B81CADCC10964D1
Tactics and Techniques: Mitre*
TA0005
Defense Evasion
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1036.003
Rename Legitimate Utilities
Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename
rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths. T1036.005
Match Legitimate Resource Name or Location
Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.
T1564.001
Hidden Files and Directories
Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (
dir /a for Windows and ls –a for Linux and macOS). TA0007
Discovery
The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what's around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.
T1120
Peripheral Device Discovery
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.