Doctor Web experts have identified a new Trojan campaign that’s mainly targeting users from France and Spain.
The malware, Trojan.ArchiveLock, spreads via brute-force attacks against RDP (Remote Desktop Protocol). Once it infects a computer, the threat copies the console version of WinRAR into a local folder, empties the Recycle Bin, deletes backups and creates a list of files that will be encrypted.
After this is done, the files are packed into a password-protected archive, and the original files are deleted by a special utility.
Once the files are encrypted, the victim is presented with a warning message offering the password for the archive in exchange for $5,000 (3,900 EUR).
Victims of Trojan.ArchiveLock are advised not to pay the ransom. Experts also advise them not to delete any files or reinstall the operating system.
Doctor Web provides a free service to help users recover their files. If your computer has been infected with the malware, submit a ticket to Doctor Web under the “request for curing” category.