CoNFicker Ransomware
Posted: April 18, 2017
Threat Metric
The fields shown on the Threat Meter, each of which carries a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, a down arrow or an equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline, and the equal symbol represents no change in the threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
Threat Level: | 10/10
---|---
Infected PCs: | 101,219
First Seen: | April 18, 2017
Last Seen: | May 21, 2020
OS(es) Affected: | Windows
The CoNFicker Ransomware is a threat whose name appears to be inspired by the Conficker worm, a threat that wreaked havoc on companies worldwide during 2008 and 2009, when it caused damage worth billions of dollars. Thankfully, the CoNFicker Ransomware is not associated with the original threat; it is likely that the author borrowed the name because it might mislead some users into thinking they are dealing with a more serious cyber threat. While it is good that the CoNFicker Ransomware is not linked to the worm, readers should remember that crypto-threats should not be underestimated: the CoNFicker Ransomware is, in fact, capable of causing a lot of damage if it infects a computer successfully.
The samples of the CoNFicker Ransomware that security researchers spotted online were found under names such as 'WinRar 2017.exe' or 'WinRar.exe,' which may mean that the author is spreading the CoNFicker Ransomware as a fake WinRar installer or updater. If users download and run the corrupted binary, they might unleash the CoNFicker Ransomware on their computers unknowingly, and this will enable the ransomware to encrypt their data and then offer to provide them with decryption instructions in exchange for money.
Not as Popular as Conficker, but Still Threatening
The files that the CoNFicker Ransomware locks are easy to spot since the threat is scripted to append the '.conficker' extension to all files it locks. To provide victims with instructions on what they need to do to get their data back, the CoNFicker Ransomware will change the desktop background to an image containing a shortened ransom note. Also, it will create a more detailed ransom note with the name 'Decrypt.txt,' and place it on the desktop.
'C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
#####
Attention! Attention! Attention! Your Files has been encrypted By C_o_N_F_i_c_k_e_r R_A_N_S_O_M_W_A_R_E
#####
Send 0.5 Bitcoin To @ 1sUCn6JYa7B96t4nZz1tX5muU2W5YxCmS @
#####
If Send 0.5 Bitcoin We will send you the decryption key C_o_N_F_i_c_k_e_r Decryptor'
The attacker demands 0.5 BTC (approximately $600) and provides no contact information. The lack of contact details is obvious, and it seems impossible for the attackers to provide a decryption key to victims since there is no way to get in touch with them. The ransomware does not appear to assign a unique victim ID, and it uses a hard-coded Bitcoin wallet, so there is no way to tie a payment to a particular victim and ensure the automatic decryption of that victim's files. These two facts almost guarantee that the CoNFicker Ransomware's message is a fraud and that users who pay the ransom will not get their files back. Even if contact information were present, paying the ransom still would not be recommended, since there is no guarantee that the attackers will fulfill their part of the deal.
Unfortunately, free decryption of the files locked by the CoNFicker Ransomware seems unlikely for now, and victims might need to look for an alternative way out of the unpleasant situation. Removal of the CoNFicker Ransomware can be taken care of with a reputable anti-malware utility, but recovery of the encrypted files might be a tricky task. Some third-party file restoration utilities are likely to achieve partial success, but full recovery is impossible without the decryption key held by the attackers.
Technical Details
File System Modifications
The following files were created in the system:

C:\Windows\system32\ggjpkals.ltf
File name: ggjpkals.ltf
Size: 159.89 KB (159894 bytes)
MD5: 08f3ce046ff7efd50fd60bb3c6457a32
Detection count: 101,214
Mime Type: unknown/ltf
Path: C:\Windows\system32
Group: Malware file
Last Updated: May 21, 2020

file.exe
File name: file.exe
Size: 162.81 KB (162816 bytes)
MD5: d9d3381b79fb6e35ba995b4a7ab58b4f
Detection count: 26
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 18, 2017
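The indicators this page lists (the '.conficker' extension appended to locked files, the 'Decrypt.txt' note with its 'C_o_N_F_i_c_k_e_r' marker, and the two sample MD5s above) can be turned into a simple triage sweep for incident responders. The script below is an added example, not code from the page or from any vendor tool; the `triage()` and `demo()` functions and the sample directory layout are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Indicators taken from this page: the extension appended to locked files,
# the ransom note's file name and marker text, and the MD5s of both samples.
LOCKED_EXT = ".conficker"
NOTE_NAME = "decrypt.txt"
NOTE_MARKER = "C_o_N_F_i_c_k_e_r"
KNOWN_MD5 = {"08f3ce046ff7efd50fd60bb3c6457a32",   # ggjpkals.ltf
             "d9d3381b79fb6e35ba995b4a7ab58b4f"}   # file.exe

def md5_of(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root):
    """Walk `root` and collect CoNFicker indicators into a summary dict."""
    locked, notes, samples = [], [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(LOCKED_EXT):
                locked.append(path)
            elif name.lower() == NOTE_NAME:
                with open(path, "r", errors="ignore") as f:  # note may be damaged
                    if NOTE_MARKER in f.read():
                        notes.append(path)
            elif md5_of(path) in KNOWN_MD5:
                samples.append(path)
    return {"locked_files": sorted(locked), "ransom_notes": sorted(notes),
            "known_samples": sorted(samples),
            "infected": bool(locked or notes or samples)}

def demo():
    """Constructed sample tree (not a real infection) run through triage()."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Desktop"))
    files = {"Desktop/report.docx.conficker": "constructed ciphertext stand-in",
             "Desktop/Decrypt.txt": "Your Files has been encrypted By C_o_N_F_i_c_k_e_r",
             "notes.txt": "unaffected file"}
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    return triage(root)
```

Point `triage()` at a user profile or mounted image to get a count of locked files and the note locations before deciding on containment; the `known_samples` match only catches the exact binaries listed above, so treat a clean hash check as inconclusive.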