New Russian Ransomware spotted in the wild (May 20, 2016)


The Dell SonicWall Threats Research team has received reports of a new Ransomware Trojan, Svchostix, which encrypts the user's files and deletes them if the payment is not made on time.

Infection cycle:

The Trojan is named Svhost (a misspelling of svchost) and has the following properties:

The Trojan adds an autostart object to enable startup after reboot:

  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.exe (copy of original) [Detected as GAV: Svchostix.A (Trojan)]

It connects to the C&C server and makes the following request:

The trojan creates the following files on the victim’s desktop:

  • YourId.txt
  • YourId (in Russian)
  • Hacked.txt

The Trojan also creates these files in the Desktop, Downloads and Documents folders on the victim's machine and encrypts the victim's documents in those folders, marking them with the .Silent extension.
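A host-side check for the artifacts described in the infection cycle above, written as an added example for this post (not SonicWall's code): it walks a user profile for the Startup copy of the Trojan, the two ransom notes and any file carrying the .Silent extension, and only flags an infection when a note or the autostart copy is present together with encrypted files. It assumes the advisory's autostart path resolves to the standard per-user Startup folder and that .Silent is appended to encrypted files; the sample profile it builds is constructed data.

```python
import tempfile
from pathlib import Path

# Indicators taken from the advisory; the Startup path assumes %APPDATA% maps to AppData\Roaming.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/win.exe")
RANSOM_NOTES = {"yourid.txt", "hacked.txt"}
ENCRYPTED_EXT = ".silent"
USER_FOLDERS = ("Desktop", "Downloads", "Documents")


def scan_profile(profile: Path) -> dict:
    """Collect Svchostix indicators found under a user profile directory (hypothetical layout)."""
    hits = {"autostart": [], "ransom_notes": [], "encrypted": []}
    startup = profile / STARTUP_REL
    if startup.is_file():
        hits["autostart"].append(str(startup))
    for folder in USER_FOLDERS:
        base = profile / folder
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            if path.name.lower() in RANSOM_NOTES:
                hits["ransom_notes"].append(str(path))
            elif path.suffix.lower() == ENCRYPTED_EXT:
                hits["encrypted"].append(str(path))
    return hits


def is_infected(hits: dict) -> bool:
    # A lone *.Silent file is not enough; require a note or the autostart copy as well.
    return (bool(hits["autostart"]) or bool(hits["ransom_notes"])) and bool(hits["encrypted"])


def build_sample_profile() -> Path:
    """Construct a fake profile mimicking the advisory's artifacts (constructed data, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="svchostix_demo_"))
    (root / STARTUP_REL).parent.mkdir(parents=True)
    (root / STARTUP_REL).write_bytes(b"MZ placeholder")
    for folder in USER_FOLDERS:
        (root / folder).mkdir()
    (root / "Desktop" / "YourId.txt").write_text("constructed victim id\n")
    (root / "Desktop" / "Hacked.txt").write_text("constructed ransom note\n")
    (root / "Documents" / "report.docx.Silent").write_bytes(b"\x00" * 16)
    (root / "Downloads" / "clean.pdf").write_bytes(b"%PDF")
    return root


if __name__ == "__main__":
    result = scan_profile(build_sample_profile())
    print(result, "infected:", is_infected(result))
```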

It displays the following details in the file YourID.txt:

It displays the following ransom message in the file hacked.txt:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Svchostix.A (Trojan)