New Ransomware using DiskCryptor With Custom Ransom Message

Another ransomware has been discovered that installs DiskCryptor on the infected computer and then reboots it. On reboot, victims are greeted with a custom ransom note that explains that their disk has been encrypted and how to pay the ransom.

DiskCryptor is an open-source encryption program that encrypts the entire disk and then prompts the user for a password on reboot. This password prompt appears before Windows even starts, and the user must enter the password to decrypt the drive and continue the computer's normal boot process.

Discovered by MalwareHunterTeam, this ransomware is being run manually or called by another script, as it requires an argument to be passed to the program, which is then used as the password for DiskCryptor. It is also possible that the attackers are breaking into Remote Desktop Services and installing the ransomware by hand.

During the installation process, a log file is created at C:\Users\Public\myLog.txt that shows the current stage of the encryption process.

Log File (image)

Once the entire drive has been encrypted, the ransomware reboots the computer and the victim is shown a ransom note telling them to contact mcrypt2018@yandex.com for payment instructions. It then sits there waiting for the user to enter the decryption password.

DiskCryptor Password Prompt (image)

BleepingComputer has contacted the email address listed in the ransom note, but had not heard back at the time of this publication.

DiskCryptor has been used by ransomware before

This is not the first time we have seen DiskCryptor used by ransomware.

In 2016, we saw the first use of DiskCryptor in a ransomware infection called HDDCryptor, which has also been called Mamba. Those infections also used custom ransom notes after encrypting the computer, but it does not appear that the current ransomware variant is affiliated with these older families.

The most publicized victim of a DiskCryptor infection was in November 2016, when 2,112 computers belonging to the San Francisco Municipal Railway were infected with the Mamba ransomware. This effectively shut down their payment systems and forced the railway to let passengers ride the trains for free over a weekend.

MUNI Infection (image)

How to protect yourself from this Ransomware

In order to protect yourself from this ransomware, or from any variant, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the event of an emergency such as a ransomware attack.

As this ransomware may be installed via hacked Remote Desktop services, it is important to make sure RDP is locked down correctly. This includes making sure that no computers running Remote Desktop Services are connected directly to the Internet. Instead, put computers running Remote Desktop behind a VPN so that they are only accessible to those who have VPN accounts on your network.

It is also important to set up proper account lockout policies so that it is difficult for accounts to be brute-forced over Remote Desktop Services.

For more detailed information, please see our guide on securing Remote Desktop Services.
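The two RDP conditions called out above, an RDP listener exposed on a non-private network and a missing account lockout policy, can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article or of any tool it names; the lockout values it applies (5 attempts, 30 minutes) are this example's choice, and on a domain-joined host the domain policy, not the local one, governs.

```powershell
# Added example (not from the original article): audit RDP exposure and the local
# account lockout policy on one Windows host. Run from an elevated PowerShell.
# The 5 attempt / 30 minute values below are this example's assumption, not the article's.

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means connections are refused.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -LiteralPath $tsKey).fDenyTSConnections -eq 0
Write-Output ("Remote Desktop enabled: {0}" -f $rdpEnabled)

# 2. Where is the RDP listener bound? (Get-NetTCPConnection needs Windows 8 / 2012 or later.)
$listeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    Write-Output ("RDP listening on {0}:{1}" -f $l.LocalAddress, $l.LocalPort)
}

# An interface on a Public network profile while RDP is listening is a candidate for
# direct Internet exposure. The article's fix is to reach RDP only over a VPN.
if ($listeners) {
    Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'Public' } |
        ForEach-Object {
            Write-Warning ("Interface '{0}' is on a Public profile while RDP is listening" -f $_.InterfaceAlias)
        }
}

# 3. Local account lockout policy. 'net accounts' prints the effective local settings;
#    a threshold of 'Never' means unlimited password guesses over RDP.
$policy = net accounts
$policy | Select-String 'Lockout threshold', 'Lockout duration', 'Lockout observation window'

if ($policy -match 'Lockout threshold:\s+Never') {
    Write-Warning 'No lockout threshold set; applying 5 attempts, 30 minute lockout and window.'
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}
```

Run it on every host that exposes Remote Desktop; a host that shows the listener bound to 0.0.0.0 on a Public profile is exactly the configuration the article warns about, and moving it behind a VPN matters more than the lockout numbers, which only slow a brute-force attack down.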

You should also have security software that incorporates behavioral detection to combat ransomware, and not just signature detection or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

Backup, Backup, Backup!

Do not open attachments if you do not know who sent them.

Do not open attachments until you confirm that the person actually sent them to you.

Scan attachments with tools like VirusTotal.

Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors, so it is important to keep them updated.

Make sure you have some sort of security software installed.

Use strong passwords and never reuse the same password at multiple sites.

If you are using Remote Desktop Services, do not connect it directly to the Internet. Instead, make it accessible only via a VPN.

For a complete guide on ransomware protection, see our How to Protect and Harden a Computer against Ransomware article.

IOCs

Hash:

SHA256: f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a

Related Files:

C:\Users\Public\dcapi.dll

C:\Users\Public\dccon.exe

C:\Users\Public\dcinst.exe

C:\Users\Public\dcrypt.sys

C:\Users\Public\myConf.txt

C:\Users\Public\myLog.txt

Related Registry Entries:

HKLM\SYSTEM\CurrentControlSet\services\dcrypt

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Type 1

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Start 0

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\ErrorControl 3

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\ImagePath system32\drivers\dcrypt.sys

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\DisplayName DiskCryptor driver

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Group Filter

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\DependOnService FltMgr

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\config

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\config\Flags 1408

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\config\Hotkeys BINARY SIZE=16 MD5=4AE71336E44BF9BF79D2752E234818A5

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\config\sysBuild 846

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Instances

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Instances\DefaultInstance dcrypt

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Instances\dcrypt

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Instances\dcrypt\Altitude 87150

HKLM\SYSTEM\CurrentControlSet\services\dcrypt\Instances\dcrypt\Flags 0

DiskCryptor Ransom Note:

You have been Hacked, ALL Data Encrypted,Contact For Key

Our Email : mcrypt2018@yandex.com

YourID: [executable name]

Your Hostname: [computer name]

Enter Key :
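The IOCs above can be turned into a host hunt. The script below is an added example, not code from the article or from DiskCryptor; it uses only the hash, file paths and registry keys listed in the IOC section. Two caveats for whoever runs it: the dcrypt service and driver are the legitimate DiskCryptor components, so on a machine where DiskCryptor was deliberately installed they prove nothing by themselves, whereas the components staged in C:\Users\Public are the stronger signal. And because the article notes the DiskCryptor password is passed to the ransomware as a command-line argument, an organization that logs process creation with command lines (Security event 4688 with command-line auditing enabled, or Sysmon event 1) should search those logs for the invoking command, since the key may be sitting there.

```powershell
# Added example (not from the original article): hunt one Windows host for the
# DiskCryptor ransomware IOCs published with the article. Run from an elevated PowerShell.
# The SHA256, file paths and registry keys are the article's; nothing else is assumed.

$SampleSha256 = 'F1D81AE5A4EA7A71D5D7147565FECCA141A8E03148EF3C9E7583B9159923D17A'
$DroppedFiles = @(
    'C:\Users\Public\dcapi.dll',
    'C:\Users\Public\dccon.exe',
    'C:\Users\Public\dcinst.exe',
    'C:\Users\Public\dcrypt.sys',
    'C:\Users\Public\myConf.txt',
    'C:\Users\Public\myLog.txt'
)
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\dcrypt'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Components staged in C:\Users\Public. This is where the ransomware drops them,
#    so these paths are the clearest indicator on a host that never ran DiskCryptor.
foreach ($path in $DroppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
    }
}

# 2. The ransomware executable itself. The article gives its hash but not its name or
#    location, so hash every .exe under the user profiles instead of trusting a filename.
$candidates = Get-ChildItem -Path 'C:\Users' -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue
foreach ($file in $candidates) {
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -eq $SampleSha256) {
        $findings.Add("Sample hash match: $($file.FullName)")
    }
}

# 3. The dcrypt kernel driver service. Start=0 is a boot-start driver and the filter
#    instance altitude 87150 matches the IOC list. Legitimate DiskCryptor installs create
#    the same keys, so weigh this against whether the tool was ever authorized here.
if (Test-Path -LiteralPath $ServiceKey) {
    $svc = Get-ItemProperty -LiteralPath $ServiceKey
    $findings.Add("dcrypt service registered: ImagePath=$($svc.ImagePath) Start=$($svc.Start) Type=$($svc.Type)")
    $instanceKey = Join-Path $ServiceKey 'Instances\dcrypt'
    if (Test-Path -LiteralPath $instanceKey) {
        $altitude = (Get-ItemProperty -LiteralPath $instanceKey).Altitude
        $findings.Add("dcrypt filter instance present, Altitude=$altitude")
    }
}

# 4. The driver binary installed under System32, as recorded in the service's ImagePath.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\dcrypt.sys'
if (Test-Path -LiteralPath $driverPath) {
    $findings.Add("Driver file present: $driverPath")
}

if ($findings.Count -eq 0) {
    Write-Output 'No DiskCryptor ransomware indicators found on this host.'
} else {
    Write-Warning 'Indicators found. Isolate the host from the network and preserve C:\Users\Public\myLog.txt, which records the encryption stage.'
    $findings | ForEach-Object { Write-Output $_ }
}
```

Hashing every executable under C:\Users is the slow step; on a fleet, push the file and registry checks out first and reserve the hash sweep for hosts that trip one of them.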
