Types header


Name Casinomtgot
Type Crypto Ransomware
Short Description Usually this Trojan enters via Russian e-mails, clicking it encrypts all the files in the system.
Symptoms Files become inaccessible and when tried to open they demand ransom
Distribution Method Spam Email, Fake downloads.
Image  Casinomtgot
More Details

The Trojan enters the systems and starts its execution at the following location,

%ProgramFiles%\Startup\[THREAT FILE NAME].exe

  1. After clicking the link, the Trojan prompts a download file,

%UserProfile%\Application Data\pic.bmp

  1. The following Registry sub keys are created by the trojan,


HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks\Armadillo\CLSID

This is done in order to run the ransomware even when the device is restarted. Then the ransomware starts to scan the entire Pc of the victim , it does not encrypt all the files but it targets some specific files and encrypts them.

The Trojan encrypts the following,

   .1cd, .7z, .accdb, .arj, .cer, .csv, .db3, .dbf,   .doc, .docx, .dt,   .dwg,   .gsf,   .jpeg, .jpg,     .key, .kwm, .mdb, .mov,   .mpeg, .odt, .pdf, .ppsx,     .ppt,   .pptx, .psd, .rar, .rtf, .xls, .xlsm, .xlsx,   .zip

Once the encryption is done successfully then it changes the extension of the file. When the victim tries to open the encrypted file it demands the ransom. A readme.txt file is placed on the location of encrypted file, In which the description for retrieving back the encrypted files are given.