Ecovector Ransomware
Posted: June 1, 2016
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 91 |
| First Seen: | June 1, 2016 |
|---|---|
| OS(es) Affected: | Windows |
The Ecovector Ransomware is a new file encryption Trojan possibly based on the same foundation of code as old threats, particularly those from the Rakhni family. Like them, the Ecovector Ransomware uses encryption as a means of taking your data hostage, with e-mail messages serving as the way of negotiating a ransom fee. While some individuals have chosen to pay such ransoms, malware experts discourage it and recommend removing the Ecovector Ransomware with an anti-malware tool, followed by restoring the locked content from an uninfected backup.
A Highway to Encrypted Hard Drives
Although the technical details of encrypting data with or without its owner's consent is relatively straightforward, the victim's actions also are a critical element in how these kinds of threat campaigns make money. Con artists may take drastic measures to force their victim's hand, such as deleting files every hour, or use pseudo-subtle methods, as malware experts see through the Ecovector Ransomware. This Trojan delivers subtly misleading information in its ransom notes, encouraging you to pay for help retrieving your content.
The Ecovector Ransomware selects files for attacking based on their formats, such as the popularly-targeted DOC, PPT or XLS. The content then is encrypted through an AES-based algorithm with no warning symptoms and finally given a new extension consisting of a custom ID, an e-mail address and the XTBL tag. Much like any file placed into a compressed archive, encrypted data will fail to open, and requires a corresponding decryption process to be restored to normal.
In this first phase of the Ecovector Ransomware's payload, malware experts find no significant symptoms; however, its final actions include depositing visible files on your PC. These drops consist of both a text-based ransom message and a desktop wallpaper. Besides displaying some stock art of a highway vista, the latter also recommends contacting a 'technical support' entity through its e-mail address for help, using a tactic very similar to that of the Mahasaraswati Ransomware.
A Fast Exit from a Digital Hostage Situation
Although its authors have put a minimal amount of effort into disguising their identities, the Ecovector Ransomware's output does correspond with the traditional payloads of threatening file encryptors. Communicating with its administrators, even for the purpose of saving your data, always is undertaken at your personal risk, and malware experts particularly don't recommend paying any suggested fees for your file restoration. Instead, use the decryptors provided by reputable security organizations free of charge, or keep copies of your content in locations unlikely of being attacked, such as a cloud server.
Following an Ecovector Ransomware attack, you should reboot your computer. Restart the system in Safe Mode as per the specifications for your operating system, and scan your PC with the anti-malware products of your preferred brand. Even though the Ecovector Ransomware has no observable capabilities for handling its installation to new locations, threats responsible for delivering the Ecovector Ransomware still may load new threats. Since decryption is a separate technical procedure from deleting threatening software, other data recovery protocols may be necessary after removing the Ecovector Ransomware.
Many encryption-based Trojans may use e-mail attachments or embedded links for installing themselves. A lesser number of similar campaigns also may use exploit kits or installers bundled in illicit software downloads. In all cases examined by malware experts, such an attack never could succeed without some level of indiscretion on the victim's part, making the user the biggest security flaw of all.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%LOCALAPPDATA%\Payload.exe
File name: Payload.exeSize: 178.17 KB (178176 bytes)
MD5: 761f403838bbfd6d683f166636b2ce66
Detection count: 85
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: August 24, 2016
%WINDIR%\System32\Payload.exe
File name: Payload.exeSize: 170.49 KB (170496 bytes)
MD5: acb91ba1a61ab43a42868fb9cb331c4f
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\System32
Group: Malware file
Last Updated: August 24, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Payload_c.exe
File name: Payload_c.exeSize: 336.56 KB (336568 bytes)
MD5: 6ce6720da160f69da10a21354251395f
Detection count: 26
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: August 24, 2016
%WINDIR%\System32\Payload.exe
File name: Payload.exeSize: 177.66 KB (177664 bytes)
MD5: ceadf0c597ef1106b52b55506f873d2d
Detection count: 24
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\System32
Group: Malware file
Last Updated: August 24, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload_c.exe
File name: Payload_c.exeSize: 344.24 KB (344247 bytes)
MD5: 1feda78b4c195ca7e395038ff43e455e
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: August 23, 2016
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.