Fake Windows Activator emerging as new Ransomware
Windows Activator as Ransomware has been blocked by 360 Security
Windows Activator tools have long been a well-known vehicle for hackers to spread Trojan infections. However, 360 Security Center found another kind of ransomware, which was spread in the form of a Windows Activator. The number of victims is still increasing. Through our detailed analysis, we discovered that this ransomware has a hidden configuration interface, which can be used to view and edit the key and prompt information used for encryption, and key decryption can also be carried out through this interface.
These Trojans are bundled with a Windows Activator file and are being distributed through foreign network links.
Attackers can control the malware on the compromised machine. Pressing F8 brings up an admin tool pop-up that displays: the encryption key records; the ransom message; the ransom note's file name; the victim's personal ID; and the suffix of encrypted files.
Usually, attackers use the Microsoft Crypto library to encrypt data. However, we found that this ransomware uses the open source library CryptoPP, and it encrypts only the first 0x500000 bytes (around 5M) of each file with the AES algorithm. For files larger than 5MB, the part of the file after the first 0x500000 bytes is not encrypted. This may allow users to save their documents.
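The partial encryption described above can be checked during incident triage. The following is an added example, not code from 360 Security or from the malware: it measures how much of a file lies past the 0x500000-byte boundary, compares byte entropy on both sides of it, and copies the unencrypted remainder out. It assumes the untouched tail sits at its original offset; the function names and the sample file are constructed for illustration.

```python
import math
import os
from collections import Counter

# From the article: only the first 0x500000 bytes of each file are AES-encrypted.
ENCRYPTED_PREFIX = 0x500000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, lower for most plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(path: str, sample: int = 65536) -> dict:
    """Report how much of a file lies beyond the encrypted prefix."""
    size = os.path.getsize(path)
    intact = max(0, size - ENCRYPTED_PREFIX)
    with open(path, "rb") as f:
        head = f.read(sample)                 # inside the encrypted region
        f.seek(min(size, ENCRYPTED_PREFIX))
        tail = f.read(sample)                 # first bytes past the boundary
    return {
        "size": size,
        "intact_bytes": intact,
        "intact_fraction": intact / size if size else 0.0,
        "head_entropy": shannon_entropy(head),
        "tail_entropy": shannon_entropy(tail),
    }

def carve_tail(src: str, dst: str, chunk: int = 1 << 20) -> int:
    """Copy everything after the encrypted prefix to dst; return bytes written."""
    written = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        fin.seek(ENCRYPTED_PREFIX)
        while block := fin.read(chunk):
            fout.write(block)
            written += len(block)
    return written

def build_sample(path: str, tail: bytes) -> None:
    """Constructed sample: random bytes stand in for the AES-encrypted prefix."""
    with open(path, "wb") as f:
        f.write(os.urandom(ENCRYPTED_PREFIX))
        f.write(tail)
```

A tail that is already compressed (ZIP, JPEG, video) also shows high entropy, so the entropy comparison is a hint for text-like formats, while `intact_bytes` holds regardless of file type.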
Disguising malware as an ordinary application is a typical way for attackers to spread it. Windows Activator has been used in the past to spread infections such as Trojans, ransomware, and cryptominers. The threat was first launched on 7 August and has spread rapidly.
360 Security advised users to always use an antivirus application to scan downloaded files, particularly those from anonymous sites, and to back up their files regularly. They can also use the advanced feature '360 Document Protector' to protect their important files.