This is a two-stage malware dropper that mainly enters the victim's system through exploit kits and spam emails. The ransomware's behaviour depends on the geographic location of the victim.
|Symptoms||The victim no longer has access to his/her device.|
|Distribution Method||Fake downloads and spam emails.|
Once it infiltrates a system, it either attempts to lock the screen or tries to download additional malware. If the user is in Europe or North America, it downloads a customised lock screen and displays the ransom demand; if the user is in a country for which no customised lock screen is available, it takes the other path and downloads another piece of malware.
Once installed, the ransomware blocks all access to the victim's computer and displays a full-screen message demanding a ransom payment to restore access to the infected device.
It threatens the victim with a lot of fake information, tailored to the victim's geographical location.
It is also reported that part of this ransomware's source was recompiled from the Gozi ISFB source code.
Once on the victim's device, it installs itself in the %temp% folder, then copies itself into %appdata% under random names and configures itself to run each time the victim starts the PC.
It injects malicious code into other processes by creating a remote thread and writing into the target's process memory.
It performs many remote connections, accessing many sites in the background.
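As an added example (not code from the original page), a small Python detector that correlates constructed Sysmon-style events per process to flag the drop-to-%temp%, copy-to-%appdata%, Run-key persistence and remote-thread chain described above; the event shapes, the random-name heuristic and the sample data are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (sample data, not from the page); pid 4120 plays the dropper.
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "FileCreate", "path": r"C:\Users\bob\AppData\Local\Temp\setup.exe"},
    {"pid": 4120, "type": "FileCreate", "path": r"C:\Users\bob\AppData\Roaming\xq7l2ps.exe"},
    {"pid": 4120, "type": "RegValueSet", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\xq7l2ps"},
    {"pid": 4120, "type": "CreateRemoteThread", "target": "explorer.exe"},
    {"pid": 5555, "type": "FileCreate", "path": r"C:\Users\bob\AppData\Roaming\Mozilla\profiles.ini"},
    {"pid": 5555, "type": "FileCreate", "path": r"C:\Users\bob\AppData\Local\Temp\~update.tmp"},
]

RANDOM_STEM = re.compile(r"^[a-z0-9]{6,12}$")

def looks_random(filename):
    """Heuristic (an assumption, not a page claim): short lowercase alphanumeric stem with few vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    return bool(RANDOM_STEM.match(stem)) and sum(c in "aeiou" for c in stem) < 2

def stage_of(event):
    """Map one event to a stage of the drop/copy/persist/inject chain, or None if it matches nothing."""
    kind, path = event["type"], event.get("path", "")
    parent, _, name = path.rpartition("\\")
    if kind == "FileCreate" and parent.lower().endswith(r"\appdata\local\temp") and name.lower().endswith(".exe"):
        return "temp_drop"
    if kind == "FileCreate" and parent.lower().endswith(r"\appdata\roaming") and looks_random(name):
        return "appdata_copy"
    if kind == "RegValueSet" and "\\currentversion\\run\\" in path.lower():
        return "run_persistence"
    if kind == "CreateRemoteThread":
        return "remote_thread"
    return None

def score_chain(events):
    """Collect, per process id, which stages of the chain have been observed."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["pid"]].add(stage)
    return dict(seen)

def suspicious_pids(events, min_stages=3):
    """Flag processes that complete at least min_stages of the four stages (single stages are common noise)."""
    return sorted(pid for pid, stages in score_chain(events).items() if len(stages) >= min_stages)

if __name__ == "__main__":
    for pid, stages in score_chain(SAMPLE_EVENTS).items():
        print(pid, sorted(stages))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

The threshold keeps an installer that merely writes to %temp% from firing; the full four-stage chain is what distinguishes the behaviour described on this page.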
Finally, it locks the victim's device and leaves the victim with very few options for regaining access. It is said to be one of the more complex ransomware families to have emerged in recent times.