The Polyglot ransomware appeared in late August. It is distributed in spam emails that carry a malicious executable packed in a RAR archive. After the user launches it, nothing appears to happen. In reality, Polyglot copies itself under random names to ten locations on the disk and registers itself for autostart.
Once it has established itself on the system, encryption begins. Encrypted user files look unchanged from the outside, because their names are left as they were; they simply can no longer be opened.
When encryption is complete, the malware changes the desktop wallpaper and displays a window with the ransom demand. The victim is offered the chance to decrypt several files for free, which demonstrates that access to the data can in fact be restored. If payment is not made by the deadline set by the attackers, the malware leaves the files encrypted and deletes itself from the infected device.
Curiously, the new code closely resembles the long-known CTB-Locker. Although the two programs share no common code, Polyglot mimics CTB-Locker in virtually every respect.
Analysis by Kaspersky Lab specialists showed that Polyglot uses a very weak key generation algorithm. Because of this, the key could be recovered quickly by brute force, and a tool was created that helps victims of the malware restore their encrypted files.
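The following is an added illustration, not part of the original report and not a reproduction of Polyglot's actual algorithm (which the report does not describe). It shows why a weak key generation scheme makes brute force practical: a hypothetical ransomware derives its 256-bit key from a 32-bit infection timestamp, so the effective key space is only the range of plausible timestamps. A defender who knows roughly when the files were modified can enumerate that range and recognise the right key by a known file header, because, as the report notes, the file names stay the same and so the expected file type is known. The toy stream cipher, the seed derivation and the sample document are all constructed here for the demonstration.

```python
import hashlib
import struct

# Hypothetical weak scheme (constructed for this example, not Polyglot's real
# algorithm): the 256-bit key is a hash of a 32-bit seed, and the seed is the
# Unix time at which the infection started. Only ~2^17 seeds fall within a
# day of the victim's file modification times, so the key space is tiny.
def derive_key(seed: int) -> bytes:
    return hashlib.sha256(struct.pack("<I", seed)).digest()


def keystream(key: bytes, nbytes: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack("<Q", counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Magic bytes of common document types; the file name (unchanged by the
# ransomware) tells the defender which header to expect.
KNOWN_HEADERS = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip/docx/xlsx",
}


def looks_like_known_file(data: bytes) -> bool:
    return any(data.startswith(magic) for magic in KNOWN_HEADERS)


def brute_force_key(ciphertext: bytes, approx_time: int, window: int):
    """Try every seed within +/- window seconds of approx_time.

    Only the first 16 bytes need to be decrypted per candidate; a candidate is
    accepted when the decrypted prefix carries a known file header. Returns
    (seed, key) or None.
    """
    prefix = ciphertext[:16]
    for seed in range(approx_time - window, approx_time + window + 1):
        key = derive_key(seed)
        if looks_like_known_file(xor_crypt(key, prefix)):
            return seed, key
    return None


def demo():
    """Encrypt a constructed PDF with a timestamp-derived key, then recover
    the key knowing only the approximate time (+/- one day)."""
    infection_time = 1472688000  # constructed: 2016-09-01 00:00:00 UTC
    plaintext = b"%PDF-1.4\n% constructed sample document\n" + b"A" * 64
    ciphertext = xor_crypt(derive_key(infection_time), plaintext)

    # The defender's estimate (e.g. from file mtimes) is off by 4321 seconds.
    result = brute_force_key(ciphertext, infection_time + 4321, 86400)
    if result is None:
        return False, False
    seed, key = result
    return xor_crypt(key, ciphertext) == plaintext, seed == infection_time


if __name__ == "__main__":
    print(demo())
```

The search covers about 173,000 candidate seeds and finishes in well under a second; a properly generated 256-bit key from a cryptographic random source would make the same search impossible. The false-positive rate of the header check is negligible here because a wrong key turns the prefix into effectively random bytes, but on real data a second check (for example, decrypting a further block and validating the file structure) is prudent before writing decrypted output.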
- Kaspersky Lab