A new kind of ransomware has been spread by a fake Windows Activator. Although it has now been found and intercepted by 360 Security Center, many are still falling victim to it.
After analysis, 360 Security found that the ransomware mimicked Windows Activator, a popular tool used to activate pirated copies of Windows, to fool people into downloading it. The malware was able to control attacks on the infiltrated machine. Pressing F8 activated an administration tool showing the key used to encrypt files, the ransom message, the extortion file's name, the victim's personal ID and the suffix of encrypted files.
Fortunately, it has been found that the virus uses CryptoPP, an open source library, to encrypt data rather than the Microsoft Crypto library. The ransomware encrypts only the first 0x500000 bytes of a file, meaning that files over 5MB have hope of being retrieved and decrypted.
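As an added illustration (not code from 360 Security's analysis), the Python sketch below shows how a responder could triage an affected file and copy out the region past the 0x500000-byte prefix. It assumes, as the article states, that bytes beyond that offset are untouched; the entropy threshold, sample size and function names are assumptions chosen for this example.

```python
import math
import os
from collections import Counter

ENCRYPTED_PREFIX = 0x500000   # bytes encrypted per file, as stated in the article
HIGH_ENTROPY = 7.9            # assumed cut-off in bits/byte for "looks like ciphertext"
SAMPLE = 1 << 20              # assumed number of bytes sampled from each region


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage(path: str) -> dict:
    """Measure the head of a file and the region past the encrypted prefix."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(min(SAMPLE, ENCRYPTED_PREFIX))
        fh.seek(min(size, ENCRYPTED_PREFIX))
        tail = fh.read(SAMPLE)
    return {
        "size": size,
        "tail_entropy": entropy(tail),
        # Bytes past the prefix were never encrypted, so they are readable as-is.
        "intact_bytes": max(0, size - ENCRYPTED_PREFIX),
        # High entropy also matches compressed formats; treat this as a hint only.
        "head_looks_encrypted": entropy(head) >= HIGH_ENTROPY,
    }


def carve_intact_tail(path: str, out_path: str) -> int:
    """Copy everything after the encrypted prefix to out_path; return bytes written."""
    written = 0
    with open(path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(ENCRYPTED_PREFIX)
        while chunk := src.read(SAMPLE):
            written += dst.write(chunk)
    return written


def build_sample(path: str, tail: bytes) -> None:
    """Constructed test input: random bytes stand in for the encrypted prefix."""
    with open(path, "wb") as fh:
        fh.write(os.urandom(ENCRYPTED_PREFIX))
        fh.write(tail)
```

Run `triage()` on a read-only copy of the affected file; for files at or below 0x500000 bytes `intact_bytes` is 0 and nothing can be carved.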
It is a common technique for attackers to spread malware by disguising it as normal software. Windows Activator has been used in the past to pass on malware such as trojans, ransomware and cryptominers. The attack was first launched on 7 August and has spread quickly since.
360 Security advised users to always use antivirus software to scan downloaded files, especially those from unknown websites, and to back up their files regularly. They also promoted using '360 Document Protector' to keep important documents safe.