BEIJING, Aug. 24, 2018 – Recently, 360 Security Center found a new kind of ransomware that spreads through a fake Windows Activator. The ransomware first appeared on August 7th and has been spreading widely since then. Although the Trojan itself is intercepted by 360 Total Security, the number of victims is still growing.
Windows Activator is a popular tool that some users run to activate pirated copies of Windows. Attackers commonly use it as a lure to spread malware such as Trojans, ransomware, and cryptominers. After analysis, 360 discovered that this ransomware disguises itself as a popular Windows Activator to trick users into downloading it. We also found that the malware contains an administration tool used to control the attack on the victim’s machine. The tool is launched by pressing F8 and supports the following settings: the key used to encrypt files, the name of the ransom note, the ransom message, the ID used to identify the victim, and the suffix appended to encrypted files.
It is common for attackers to use the Microsoft Crypto library to encrypt data. However, we found that this ransomware uses the open source library CryptoPP, and it encrypts only the first 0x500000 bytes (about 5 MB) of each file with the AES algorithm. For files larger than 5 MB, the part of the file after the first 0x500000 bytes is not encrypted. This might leave the door open for victims to rescue part of their files.
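The partial-encryption behaviour described above suggests a simple triage check for responders: for each affected file, how many bytes lie beyond the 0x500000 boundary, and does the byte distribution actually match the pattern (high-entropy ciphertext prefix, ordinary plaintext tail)? The script below is an added example written for this article, not code from 360 or from the ransomware analysis; the sample file it builds is constructed in memory (random bytes stand in for the AES-encrypted prefix, repetitive text for the untouched tail), and the 7.5 bits-per-byte entropy threshold is an assumption chosen for illustration.

```python
import math
import os
from collections import Counter

# Boundary reported in the analysis: only the first 0x500000 bytes are encrypted.
ENCRYPTED_PREFIX = 0x500000  # 5,242,880 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, well below 8 for most plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_regions(blob: bytes, prefix_len: int = ENCRYPTED_PREFIX):
    """Return (encrypted prefix, untouched tail) according to the reported behaviour."""
    return blob[:prefix_len], blob[prefix_len:]


def triage(blob: bytes, prefix_len: int = ENCRYPTED_PREFIX, threshold: float = 7.5) -> dict:
    """Summarise how much of a file is intact and whether its layout matches partial encryption.

    `threshold` (assumed value) separates ciphertext-like from plaintext-like regions.
    """
    head, tail = split_regions(blob, prefix_len)
    head_entropy = shannon_entropy(head)
    tail_entropy = shannon_entropy(tail) if tail else None
    return {
        "size": len(blob),
        "encrypted_bytes": len(head),
        "intact_bytes": len(tail),
        "head_entropy": round(head_entropy, 3),
        "tail_entropy": None if tail_entropy is None else round(tail_entropy, 3),
        # The pattern matches the report only if the head looks like ciphertext
        # and there is a tail that still looks like plaintext.
        "matches_partial_encryption": head_entropy >= threshold
        and tail_entropy is not None
        and tail_entropy < threshold,
    }


def build_sample(total_size: int, prefix_len: int = ENCRYPTED_PREFIX) -> bytes:
    """Constructed test input (not a real encrypted file): random bytes model the
    AES-encrypted prefix, repeated text models the plaintext left after the boundary."""
    head = os.urandom(min(total_size, prefix_len))
    tail_len = max(0, total_size - prefix_len)
    line = b"quarterly report line\n"
    tail = (line * (tail_len // len(line) + 1))[:tail_len]
    return head + tail


if __name__ == "__main__":
    # An 8 MiB document: the last 8 MiB - 5 MiB remain readable.
    large = triage(build_sample(8 * 1024 * 1024))
    # A 1 KiB document: fully encrypted, nothing to recover from the tail.
    small = triage(build_sample(1024))
    for name, result in (("large", large), ("small", small)):
        print(name, result)
```

Run it against real files by replacing `build_sample(...)` with `open(path, "rb").read()`; a file whose `intact_bytes` is non-zero and whose tail entropy stays low is a candidate for partial recovery (for example, carving records or text from the tail), while a file at or below 0x500000 bytes offers nothing beyond the boundary.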
Disguising malware as ordinary software, such as cracking tools and game plug-ins, is a common distribution technique. To avoid this kind of attack, 360 recommends that users:
- Always scan files downloaded from unknown websites with antivirus software.
- Protect important documents with “360 Document Protector”.
- Back up important files regularly.