Threat Research

Ransom - Pay me more!

Continuing the legacy of GPcode and FileFixer , a new file encoder trojan (5f9927ee59b4881a2ce8634332f63fa8) is on the loose. Upon execution, this malware looks for user's data files (ending with .jpg, .zip, .doc , and .text etc) on the system drives and encrypts them.

For example a user's file having name 'mic.jpg' will be replaced by 'mic.jpg.vscrypt'. After finishing encrypting user data files this malware will change desktop image with its own version and simply quit after restarting the user's machine. It doesn't attempt to install itself on the user's system permanently.

Here is a sample encrypted Download Sunset.jpg file. The message which is left behind for victim on desktop looks like this:



I was not able to understand this message (is there any reader who could translate it for us?) but there are some lines that give some clue to non-native speakers , like the smiley on line 2 ::). The email address along with the ICQ number, based on my best guess, will  be used for collecting the ransom. On the last line 'Trojan encoder' is mentioned, which seems to be the malware name given by the ransomware author himself.

Fortunately Dr.Web has developed a tool which could be used to restore back the user's file. One may find it here:

Thanks to one of our blog reader 'Damir'  who was able to search this tool on the web and shared it with us.


Update: Thanks to one of our blog reader who spent some time to translate this russian text for us. Here is the translation:

Hello I'm a Trojan Encoder, or to be more exact, one of its variants::)

My author goes by the handle CORRECTOR and he's happy to offer you decryption for those files that I had time to encrypt on your computer for the economical sum of $10 or about 350 Rubles here is how to contact my author:

Mail: icq 481095

oh by the way almost forgot don't erase the files with the extension vscrypt if you delete them getting your information back will be impossible

Good luck sincerely your Trojan encoder and CORRECTOR.


That email address itself translates to "reflection of evil"

Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM