This type of ransom Trojan is dropped by other malware or downloaded from the Internet.
It infects the MBR (Master Boot Record) of the running system. When the Trojan is executed, it first stores the original MBR in a second section and then overwrites the MBR on the hard drive.
It displays a message informing the user that the system is locked and that money must be paid to unlock it again. During this session, the whole boot procedure is interrupted.
The Trojan arrives either dropped by other malware or as a download when someone visits a malicious website.
- It makes a copy of itself in the following folder:
- Also, it drops a clean file in this folder:
During our investigation, we found out that the "Unlock Code" was hard-coded into the infected MBR. The code is static and not randomly generated. So if you are infected, please use the following key for unlocking: 21545455
We detect the Trojan as TR/Crypt.XPACK.Gen and the infected MBR as BOO/Ransom.A
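
The following added example (not code from the original analysis) shows how a responder could triage a raw disk image for the behaviour described above: it checks sector 0, extracts readable text from the boot code area, and searches the following sectors for a different sector that still looks like an MBR. It assumes the saved original is a verbatim 512-byte sector within the first 63 sectors, which the description does not specify; the sample image and its text are constructed.

```python
import re
import struct

SECTOR = 512

def parse_partitions(sector):
    """Return the non-empty entries of the partition table at offset 446."""
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            parts.append({"status": entry[0], "type": entry[4],
                          "lba_start": lba_start, "sectors": count})
    return parts

def looks_like_mbr(sector):
    """Boot signature 55 AA plus at least one well-formed partition entry."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    parts = parse_partitions(sector)
    return bool(parts) and all(
        p["status"] in (0x00, 0x80) and p["sectors"] > 0 for p in parts)

def printable_strings(data, min_len=6):
    """ASCII runs in the boot code area, where a lock-screen text would sit."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def triage(image, scan_sectors=63):
    """Inspect sector 0 and list later sectors that hold a different MBR."""
    mbr = image[:SECTOR]
    last = min(scan_sectors, len(image) // SECTOR)
    sectors = {n: image[n * SECTOR:(n + 1) * SECTOR] for n in range(1, last)}
    return {"sector0_valid": looks_like_mbr(mbr),
            "strings": printable_strings(mbr[:446]),
            "backup_candidates": [n for n, s in sectors.items()
                                  if s != mbr and looks_like_mbr(s)]}

def build_sample():
    """Constructed 8-sector image: altered sector 0, clean MBR in sector 5."""
    table = bytes([0x80, 1, 1, 0, 0x07, 254, 63, 0]) + struct.pack("<II", 63, 2048)
    tail = table + bytes(48) + b"\x55\xaa"
    clean = b"\xfa\x33\xc0".ljust(446, b"\x00") + tail
    locked = (b"\xeb\x10" + bytes(14) + b"SYSTEM LOCKED (sample)").ljust(446, b"\x00") + tail
    return locked + bytes(4 * SECTOR) + clean + bytes(2 * SECTOR)
```

A backup candidate is only a lead: compare its partition table with the disk's actual layout before writing it back to sector 0.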