| Field | Details |
|---|---|
| Encryption Type | Open source Crypto++ library, Elliptic Curve Cryptography |
| Short Description | Ophionlocker encrypts data and demands a ransom that varies from country to country. |
| Symptoms | The ransomware infects the machine and locks down access to it. |
Ophionlocker ransomware spreads via online advertising campaigns that trick users into clicking on an area of a website that then takes over their computer.
This ransomware is currently being distributed via hacked websites that host exploit kits. If a user visits one of these sites from a computer running outdated software, the exploit kit exploits those vulnerabilities and installs the ransomware.
When a machine is infected with this malware, it generates a unique hardware ID based on the serial number of the first hard drive, the motherboard's serial number, and other information. It then contacts the malware's Tor site and checks whether this particular hardware ID has already been encrypted. Using the open source Crypto++ library, Ophionlocker then proceeds to encrypt the victim's data with Elliptic Curve Cryptography. The data files it encrypts have the following extensions:
When searching for data files to encrypt, it performs a case-sensitive match on the extension. That means a file called test.JPG would not be encrypted, while a file called test.jpg would be. When it is done, it displays the above alert and also generates numerous encrypted.txt files on the desktop and in the My Documents folder. These encrypted.txt files contain instructions on how to access the Tor payment site to pay the ransom and receive the decryptor.
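The two observables above (case-sensitive extension matching and encrypted.txt ransom notes) can be turned into an impact-triage check for a suspected host. This Python script is an added example, not code from the original write-up; the extension list and the file listing it uses are constructed placeholders, since the page does not reproduce the real extension list.

```python
"""Triage a file listing from a host suspected of Ophionlocker encryption.

The write-up states that targeted extensions are matched case-sensitively
(test.jpg is hit, test.JPG is skipped) and that ransom notes named
encrypted.txt are dropped on the Desktop and in My Documents. This helper
buckets files accordingly so a responder can estimate what was likely hit.
"""
import os
from pathlib import Path

RANSOM_NOTE = "encrypted.txt"  # note filename stated in the write-up

# Hypothetical extension set for illustration only; the malware's actual
# list is not reproduced on the page, so supply your own from analysis.
EXAMPLE_EXTENSIONS = {".jpg", ".docx", ".xlsx"}


def is_targeted(filename, extensions):
    """Exact, case-sensitive extension comparison, mirroring the behaviour described."""
    return os.path.splitext(filename)[1] in extensions


def classify(paths, extensions):
    """Bucket paths into targeted (exact match), escaped (same extension in a
    different case, so skipped by the case-sensitive check) and ransom notes."""
    lowered = {e.lower() for e in extensions}
    report = {"targeted": [], "escaped": [], "notes": []}
    for p in paths:
        # Accept Windows or POSIX separators in the listing.
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        ext = os.path.splitext(name)[1]
        if name.lower() == RANSOM_NOTE:
            report["notes"].append(p)
        elif is_targeted(name, extensions):
            report["targeted"].append(p)
        elif ext.lower() in lowered:
            report["escaped"].append(p)
    return report


def classify_tree(root, extensions):
    """Walk a directory tree (e.g. a mounted disk image) and classify every file."""
    files = [str(p) for p in Path(root).rglob("*") if p.is_file()]
    return classify(files, extensions)


# Constructed sample listing, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\encrypted.txt",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Pictures\holiday.JPG",
    r"C:\Users\alice\Pictures\cat.jpg",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_LISTING, EXAMPLE_EXTENSIONS).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

Files in the "escaped" bucket are worth confirming by hand: the case-sensitive check means uppercase-extension files may survive intact and can seed recovery.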