ArchiveLock Trojan Uses WinRAR to Encrypt the Files of Users from Spain and France

Victims are told to pay $5,000 (3,900 EUR) if they want their files back

March 14th, 2013 14:52 GMT

Doctor Web experts have identified a new Trojan campaign that’s mainly targeting users from France and Spain. 

The malware, Trojan.ArchiveLock, spreads via brute-force attacks against the RDP protocol. Once it infects a computer, the threat copies the console version of WinRAR into a local folder, empties the Recycle Bin, deletes backups and creates a list of files that will be encrypted.

After this is done, the files are archived into a password-protected file, and the original files are deleted by a special utility.
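For defenders, the behaviour described above (a console copy of WinRAR run from a local folder to build a password-protected archive) can be hunted in process-creation logs. The following is an added example, not code from Doctor Web or from the article: the field names follow Sysmon process-creation events, `-p` and `-hp` are WinRAR's documented password switches (the article does not say which one the Trojan uses), and the paths and sample records are constructed.

```python
import ntpath
import shlex

# Assumed default install locations; adjust to the environment being monitored.
EXPECTED_DIRS = {r"c:\program files\winrar", r"c:\program files (x86)\winrar"}

def classify(event):
    """Return 'alert', 'review' or None for one process-creation record."""
    image = event["Image"].lower()
    if ntpath.basename(image) != "rar.exe":
        return None
    # posix=False keeps backslashes intact in Windows paths.
    toks = [t.strip('"').lower()
            for t in shlex.split(event["CommandLine"], posix=False)]
    # Skip everything up to the executable, even if its path was unquoted.
    idx = next((i for i, t in enumerate(toks) if t.endswith("rar.exe")), 0)
    args = toks[idx + 1:]
    # RAR syntax: rar <command> -<switches> <archive> <files>; 'a' adds, 'm' moves.
    creates = bool(args) and args[0] in ("a", "m")
    # -p / -hp set a password; '-p-' means "do not ask for a password".
    has_pw = any(a.startswith("-hp") or (a.startswith("-p") and a != "-p-")
                 for a in args[1:])
    if not (creates and has_pw):
        return None
    # Password-protected archiving from the install directory may be a normal
    # backup job; the same command from any other folder matches the report.
    return "review" if ntpath.dirname(image) in EXPECTED_DIRS else "alert"

# Constructed sample records (not taken from a real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\data\rar.exe",
     "CommandLine": r"C:\Users\Public\data\rar.exe a -hpExample123 D:\locked.rar D:\Shares\*"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -pExample D:\backup.rar D:\projects'},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" x D:\backup.rar'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

def triage(events):
    """Return (image, verdict) for every record that needs attention."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(verdict, image)
```

A renamed copy of the archiver would not match the file-name check, so this rule is best paired with monitoring for repeated failed RDP logons and for backup deletion, the other two behaviours the report mentions.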

Once the files are encrypted, the victim is presented with a warning message offering the password for the archive in exchange for $5,000 (3,900 EUR).

Victims of Trojan.ArchiveLock are advised not to pay the ransom. Experts also advise them not to delete any files or reinstall the operating system.

Doctor Web provides a free service to help users recover their files. If your computer has been infected with the malware, submit a ticket here under the “request for curing” category.
