|Short Description||This Trojan usually arrives in Russian-language e-mails; once the attachment is opened it encrypts files of selected types on the system and demands a ransom.|
|Symptoms||Files become inaccessible and, when opened, display a ransom demand.|
|Distribution Method||Spam e-mail, fake downloads.|
The Trojan installs itself on the system and runs from the following locations:
%ProgramFiles%\Startup\[THREAT FILE NAME].exe
HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks\Armadillo\CLSID
The Startup entry is what makes the ransomware run again after every reboot. The registry key under The Silicon Realms Toolworks\Armadillo is written by executables protected with the Armadillo software protector, so it indicates that the sample is packed with Armadillo rather than being a second persistence mechanism. The ransomware then scans the victim's entire PC; it does not encrypt every file but targets files of specific types and encrypts only those.
The Trojan encrypts files with the following extensions:
.1cd, .7z, .accdb, .arj, .cer, .csv, .db3, .dbf, .doc, .docx, .dt, .dwg, .gsf, .jpeg, .jpg, .key, .kwm, .mdb, .mov, .mpeg, .odt, .pdf, .ppsx, .ppt, .pptx, .psd, .rar, .rtf, .xls, .xlsm, .xlsx, .zip
Once a file has been encrypted, the Trojan changes its extension. Opening an encrypted file only produces the ransom demand. A readme.txt file is dropped in each folder that contains encrypted files; it holds the attacker's instructions for getting the files back.
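The behaviour above (targeted extensions, a new extension appended to each encrypted file, a readme.txt note beside them) can be turned into a quick triage scan of a suspected victim's folders. The following is an added example, not code from the page or from the malware itself. It walks a directory tree, flags files whose name carries one of the targeted extensions but whose contents no longer start with the header that type should have and look like ciphertext (high byte entropy), and lists every readme.txt it meets. Because the page does not name the extension the Trojan appends, the scanner does not depend on it; the sample tree the block builds uses the made-up placeholder `.crypted`, and the header bytes in `MAGIC` are taken from the public file-format specifications.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension list from the page. The scanner looks for one of these anywhere in
# the file name because the Trojan appends a further extension after encrypting.
TARGETED = {
    ".1cd", ".7z", ".accdb", ".arj", ".cer", ".csv", ".db3", ".dbf", ".doc",
    ".docx", ".dt", ".dwg", ".gsf", ".jpeg", ".jpg", ".key", ".kwm", ".mdb",
    ".mov", ".mpeg", ".odt", ".pdf", ".ppsx", ".ppt", ".pptx", ".psd", ".rar",
    ".rtf", ".xls", ".xlsm", ".xlsx", ".zip",
}

# Leading bytes of a healthy file for the types with a fixed header (taken from
# the public format specs). Types without one (e.g. .csv) are judged by entropy only.
MAGIC = {
    ".7z": b"7z\xbc\xaf\x27\x1c",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".ppt": b"\xd0\xcf\x11\xe0",
    ".docx": b"PK", ".xlsx": b"PK", ".xlsm": b"PK", ".pptx": b"PK", ".ppsx": b"PK",
    ".odt": b"PK", ".zip": b"PK",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF", ".rar": b"Rar!", ".rtf": b"{\\rtf", ".psd": b"8BPS",
    ".mdb": b"\x00\x01\x00\x00Standard Jet DB",
    ".accdb": b"\x00\x01\x00\x00Standard ACE DB",
}
NOTE_NAME = "readme.txt"     # ransom note name given on the page
ENTROPY_THRESHOLD = 7.0      # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, well below for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def targeted_extension(name: str):
    """Return the targeted extension found in a file name, e.g. 'report.pdf.xyz' -> '.pdf'."""
    for suffix in reversed(Path(name).suffixes):
        if suffix.lower() in TARGETED:
            return suffix.lower()
    return None


def looks_encrypted(path: Path) -> bool:
    """Flag a targeted file whose header no longer matches its type AND whose
    bytes look like ciphertext. Healthy zip/jpg data is high-entropy too, so the
    header check is what keeps intact compressed files out of the results."""
    ext = targeted_extension(path.name)
    if ext is None:
        return False
    head = path.read_bytes()[:4096]
    magic = MAGIC.get(ext)
    header_ok = magic is not None and head.startswith(magic)
    return not header_ok and shannon_entropy(head) > ENTROPY_THRESHOLD


def scan(root: Path) -> dict:
    """Walk root; report suspected encrypted files and ransom notes relative to root."""
    encrypted, notes = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name.lower() == NOTE_NAME:
                notes.append(rel)
            elif looks_encrypted(p):
                encrypted.append(rel)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes)}


def build_sample(root: Path) -> None:
    """Constructed sample tree, not real victim data. '.crypted' is a placeholder
    for the appended extension, which the page does not name."""
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 2000)         # healthy
    (docs / "contract.pdf").write_bytes(b"%PDF-1.4\n" + b"plain text " * 300)  # healthy
    (docs / "notes.csv").write_text("date,amount\n2020-01-01,10\n" * 50)        # healthy
    (docs / "photo.jpg.crypted").write_bytes(os.urandom(4096))   # encrypted, renamed
    (docs / "report.docx").write_bytes(os.urandom(4096))         # encrypted, name kept
    (docs / NOTE_NAME).write_text("Your files are encrypted. Read this file.\n")
    (root / "setup.exe").write_bytes(os.urandom(4096))           # not a targeted type


def run_demo() -> dict:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan(root)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

Run it against a real share by calling `scan(Path(r"\\server\share"))`; the folders that contain both flagged files and a readme.txt are the ones to image first. The entropy threshold is deliberately conservative: a legitimate .csv full of base64 would not reach it, while anything encrypted with a modern cipher lands near 8.0.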