
AutoEncryptor Ransomware

Posted: April 17, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 14
First Seen: April 17, 2017
Last Seen: August 17, 2022
OS(es) Affected: Windows

The AutoEncryptor Ransomware is a Trojan that uses encryption to block your files from opening and sells the key to unlock them for Bitcoins. For most users, backups offer a high degree of safety from the attacks that follow infection by a file-encoding threat like this Trojan. Beyond that, you should use good anti-malware protection that blocks and removes the AutoEncryptor Ransomware during any of its installation exploits, such as compromised e-mail attachments.

New Trojans with Familiar-Looking Ransoms

Ransom-based Trojan campaigns may gain some value from being individually recognizable to the people whose files they hold hostage, but brand recognition often has to be balanced against the need for efficient development. One team of threat actors is taking the fast and easy approach to ransoming files by reusing a preexisting template that malware experts have seen accompanying the WinSec Ransomware attacks. The new Trojan, the AutoEncryptor Ransomware, drops translated versions of the WinSec Ransomware's messages to make them more suitable for English-speaking targets.

Like that past Trojan and other Trojans built on the open-source basis of Hidden Tear, the AutoEncryptor Ransomware uses an AES algorithm as its primary encryption method for locking all the files on your computer. The AutoEncryptor Ransomware also uses a second algorithm, RSA, to protect this process from any third-party decryption efforts, and uploads the decryption key to a Command & Control server. Other side effects of AutoEncryptor Ransomware infections that malware experts are corroborating include:

  • The AutoEncryptor Ransomware adds its own extension to every locked file. The AutoEncryptor Ransomware inserts the '.enc' extension after any original one instead of replacing it (for example, 'document.doc.enc') and doesn't overwrite the rest of the filename.
  • The most visible symptom of the AutoEncryptor Ransomware is its advanced HTML pop-up that delivers its extortion demands for the decryption key. Currently, the authors are using a built-in, multiple-step interface to ask for 10000 in Bitcoins, which most likely is a placeholder amount. The note's use of English is significant, since past variants used more regionally specific languages, such as Portuguese.
  • Victims also should expect the AutoEncryptor Ransomware to delete any local backups automatically, such as the Windows Shadow Copies.
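As an added example, not code from this page or from the Trojan's authors, the two observable behaviours above (the '.enc' extension appended after the original one, and the deletion of Shadow Copies) expressed as defender-side detection logic. The file listing and process-creation log lines are constructed for illustration; the exact shadow-copy deletion command lines matched here (vssadmin, wmic) are the commonly observed ones and are an assumption, since the page names only the Shadow Copies themselves.

```python
"""Triage helpers for two AutoEncryptor-style symptoms: a mass rename that
appends '.enc' after the original extension, and process activity that
deletes Windows Shadow Copies. Added example; sample data is constructed."""
import re
from pathlib import PurePath

RANSOM_SUFFIX = ".enc"
# Ordinary document/media suffixes that a victim directory is likely to hold.
ORIGINAL_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                       ".pdf", ".jpg", ".png", ".txt"}


def is_appended_enc(name: str) -> bool:
    """True when the name keeps its original extension and has '.enc' added
    after it (e.g. 'document.doc.enc'), the pattern described on this page.
    A bare 'file.enc' is not counted, since nothing was appended there."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    return (len(suffixes) >= 2
            and suffixes[-1] == RANSOM_SUFFIX
            and suffixes[-2] in ORIGINAL_EXTENSIONS)


def original_name(name: str) -> str:
    """Recover the pre-infection filename; the page states the rest of the
    name is left intact, so stripping the trailing '.enc' is enough."""
    return name[:-len(RANSOM_SUFFIX)] if is_appended_enc(name) else name


def scan_listing(names, threshold=0.5):
    """Return (hits, ratio, alert). A high ratio of appended-'.enc' names in
    one directory is the mass-rename signal a monitoring job alerts on."""
    hits = [n for n in names if is_appended_enc(n)]
    ratio = len(hits) / len(names) if names else 0.0
    return hits, ratio, ratio >= threshold


# Assumed (not from the page): command lines commonly used to wipe Shadow Copies.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),  # WMI / PowerShell equivalent
]


def flag_shadow_copy_deletion(log_lines):
    """Each constructed log line is 'timestamp|parent|image|commandline'.
    Returns (timestamp, parent, commandline) for lines whose command line
    matches a shadow-copy deletion pattern; the parent tells the analyst
    which process spawned the deletion."""
    flagged = []
    for line in log_lines:
        fields = line.split("|")
        if len(fields) != 4:
            continue  # malformed line: skip rather than crash the triage
        ts, parent, _image, cmdline = (f.strip() for f in fields)
        if any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS):
            flagged.append((ts, parent, cmdline))
    return flagged


# Constructed sample data (not captured from a real infection).
SAMPLE_LISTING = [
    "budget.xlsx.enc", "photo.jpg.enc", "thesis.docx.enc", "report.pdf.enc",
    "notes.txt.enc", "readme.enc", "desktop.ini", "thumbs.db", "archive.tar.gz",
]
SAMPLE_PROCESS_LOG = [
    "2017-04-17T10:02:11|explorer.exe|WINWORD.EXE|WINWORD.EXE invoice.doc",
    "2017-04-17T10:02:15|WINWORD.EXE|name.exe|C:\\Users\\user\\AppData\\Local\\Temp\\name.exe",
    "2017-04-17T10:02:19|name.exe|cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "2017-04-17T10:02:19|name.exe|wmic.exe|wmic shadowcopy delete",
    "2017-04-17T10:03:00|explorer.exe|notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    hits, ratio, alert = scan_listing(SAMPLE_LISTING)
    print(f"appended-.enc files: {len(hits)}/{len(SAMPLE_LISTING)} "
          f"({ratio:.0%}) alert={alert}")
    for n in hits:
        print(f"  {n} -> {original_name(n)}")
    for ts, parent, cmd in flag_shadow_copy_deletion(SAMPLE_PROCESS_LOG):
        print(f"shadow-copy deletion at {ts} from {parent}: {cmd}")
```

The listing check deliberately ignores a bare 'file.enc', because the page's distinguishing trait is the appended extension; a single-suffix match would fire on unrelated software that uses '.enc' legitimately. The process check reports the parent image so that an alert ties the backup deletion to the encrypting process rather than to cmd.exe alone.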

Decoding the Cheap Solution to Auto-Extorting Threats

In the unlikely event that they're legitimate, the AutoEncryptor Ransomware's current ransom demands would make it, by far, the most expensive and presumptuous file-encrypting threat on the threat marketplace. Possible victims could expect infections from such well-used exploits as e-mail attachments with Trojan downloaders embedded in document macros, website-hosted variants of the RIG Exploit Kit, or even brute-force attacks that compromise your local network's passwords directly. Disabling macros, using security tools to scan unusual downloads, turning browser scripts off by default and using strong passwords can reduce or eliminate these security risks.

Since malware experts are rating the AutoEncryptor Ransomware as a probable derivative of the Hidden Tear family, victims should refrain from relying on their local backups to recover any encoded media. Free decryption software sometimes can reverse the file damage that these attacks cause, but many infections aren't fully recoverable without restoring the files from a non-local backup. Quarantining or deleting the AutoEncryptor Ransomware with anti-malware tools, while necessary for your PC's security, will not unlock any documents or other files that the Trojan has encrypted.

The AutoEncryptor Ransomware may be just the start of a cross-regional branching of the attacks that malware experts saw with the WinSec Ransomware. If that's the case, PC users in any country should be backing up their drives periodically to avoid ever needing to consider its enormous ransoms.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

dir\name.exe
File name: name.exe
Size: 126.87 KB (126872 bytes)
MD5: 05950b038b5781d940c939a3af3ecd32
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: dir
Group: Malware file
Last Updated: August 17, 2022