A Brand new ransomware attack widely distributed and infected the users based on their geolocation by checking the infected device IP address.
The ransomware was discovered by Doctor Web security experts and cybercriminals, who warned that the malicious program attacks users of Windows operating systems for profit.
The preventive protection of Dr.Web Antivirus detects this Trojan under the name DPH: Trojan encoder 9 or Trojan.Encoder.25129. This is a Trojan cipher that encodes data on an infected computer.
After launch, it checks the user’s location by the IP address of the infected device. According to the analysis carried out by the researchers, it seems that the malware authors designed this ransomware to avoid encrypting files for specific countries such as Russia, Belarus and Kazakhstan, as well as in the case where the Windows regional parameters were in Russian and the Russian language. However, as a result of an error in its code, the ransomware encrypts files regardless of the geographic location of the IP address and restoration of the files affected by this malware is impossible in the majority of the cases.
The Trojan encodes the contents of the folders of the current user, the Windows desktop, and the service folders AppData and LocalAppData. Encryption is carried out using the algorithms AES-256-CBC, encrypted files are assigned the extension .tron.
Files larger than 30,000,000 bytes (approximately 28.6 MB) are not affected. Once the encryption is complete, the Trojan creates a file% ProgramData% trig in which it writes the value “123” (if such a file already exists, the encryption is not done). Then the malware sends a request to the iplogger site whose address is registered in his body. Then the malware displays a window with a ransom request.
This ransomware mainly distributed through Social media that contains a malicious Payload and also it distributed through network shares.