
Ransom-N

Type: Trojan
SubType: Trojan
Discovery Date: 11/03/2009
Length: Varies
Minimum DAT: 5792 (11/04/2009)
Updated DAT: 5793 (11/05/2009)
Minimum Engine: 5.3.00
Description Added: 11/03/2009
Description Modified: 11/03/2009 2:13 PM (PT)
Risk Assessment:
    Corporate User: Low-Profiled
    Home User: Low-Profiled


Characteristics

Ransom-N is a Trojan that on execution encrypts all the recently used files on the user's system. The encrypted files are renamed with a ".vicrypt" extension.

Further, the user is shown error messages like this:

The Trojan runs in the background and keeps encrypting files as they are used.

Symptoms

Presence of files with the ".vicrypt" extension on the user's system.

Method of Infection

Trojans are not viruses, and as such do not contain any method to replicate by themselves. However, they may be downloaded by other viruses and/or Trojans to be installed on the user's system. Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the malware).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).


Variants

    N/A


Overview

-- Update November 3, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/11/03/ransomware_ruse/

--

Ransom-N is a Trojan that on execution encrypts all the recently used files on the user's system. The user has to pay for the attackers' software to decrypt and recover their files.

Aliases

  • Trojan.Ramvicrype (Symantec)
