Pshcrypt Ransomware

The PshCrypt Ransomware is a ransomware Trojan that is being used to attack computer users located in Brazil. The PshCrypt Ransomware attacks have surfaced starting in late April 2017 and will affect the computers that execute the Windows operating system. Although the PshCrypt Ransomware attacks seem to be concentrated in Brazil, there is nothing stopping the PshCrypt Ransomware attack from surfacing in other geographical locations. The majority of the PshCrypt Ransomware attacks seem to be the result of compromised computers and networks through weak Remote Desktop Connections or passwords.

Web Servers and Corporate Networks are the Main Targets of the PshCrypt Ransomware

The main target of the PshCrypt Ransomware attacks is Web servers and corporate networks. The people responsible for the PshCrypt Ransomware will look for poorly protected computers and networks, taking advantage of weak passwords or other possible vulnerabilities. The file containing the PshCrypt Ransomware attack has often been identified as 'Xexplorer.exe.' A sample of the PshCrypt Ransomware provided the following information:

'Copyright: Copyright © Penis 2017
Product: Une bite
Original name: XExplorer.exe
Internal name: XExplorer.exe
File version: 9999.9999.9999.9999
Description: Windows Explorer
Comments: Windows Explorer

The PshCrypt Ransomware carries out a typical ransomware attack, using the AES and RSA encryption to make the victim's files inaccessible by encrypting them and preventing access to the decryption key required to recover the affected files. The PshCrypt Ransomware will encrypt files on all local drives, as well as on network storage and removable memory devices connected to the affected computer. The PshCrypt Ransomware will encrypt a wide variety of file types, including the following:

.png, .psd, .pspimage, .tga, .thm, .tif, .tiff, .yuv, .ai, .eps, .ps, .svg, .indd, .pct, .pdf, .xlr, .xls, .xlsx, .accdb, .db, .dbf, .mdb, .pdb, .sql, .apk, .app, .bat, .cgi, .com, .exe, .gadget, .jar, .pif, .wsf, .dem, .gam, .nes, .rom, .sav, .dwg, .dxf, .gpx, .kml, .kmz, .asp, .aspx, .cer, .cfm, .csr, .css, .htm, .html, .js, .jsp, .php, .rss, .xhtml, .doc, .docx, .log, .msg, .odt, .pages, .rtf, .tex, .txt, .wpd, .wps, .csv, .dat, .ged, .key, .keychain, .pps, .ppt, .pptx, .ini, .prf, .hqx, .mim, .uue, .7z, .cbr, .deb, .gz, .pkg, .rar, .rpm, .sitx, .tar.gz, .zip, .zipx, .bin, .cue, .dmg, .iso, .mdf, .toast, .vcd, .sdf, .tar, .tax2014, .tax2015, .vcf, .xml, .aif, .iff, .m3u, .m4a, .mid, .mp3, .mpa, .wav, .wma, .3g2, .3gp, .asf, .avi, .flv, .m4v, .mov, .mp4, .mpg, .rm, .srt, .swf, .vob, .wmv, .3d, .3dm, .3ds, .max, .obj, .bmp, .dds, .gif, .jpg,.crx, .plugin, .fnt, .fon, .otf, .ttf, .cab, .cpl, .cur, .dll, .dmp, .drv, .icns, .ico, .lnk, .sys, .cfg

The files encrypted during the PshCrypt Ransomware encryption can be identified by the file extension '.psh,' added to the end of each file's name. After encrypting the victim's files, the PshCrypt Ransomware delivers the following poorly written ransom note, alerting the victim of the attack and demanding the payment of a ransom:

'Tour files are encrypted !
Enter the serial code to decrypte your file
How to get a serial key :
First buy 0.05 bitcoin
Than send this 0.05 bitcoin to this bitcoin wallet :
Then take the 4 first character of the transaction ID
Then press the "Decrypte" button
Serial code : (Only Upper)
[FOUR TEXT BOXES]
[Decrypte]
Warning :
If your transaction number don't work, please wait up to 48 hours (2 day) and retry'

The Ransom Amount Demanded by the PshCrypt Ransomware

The PshCrypt Ransomware demands 0.05 Bitcoin (approximately $70 USD). This is a small amount compared to the average asking price of $500-$1500 USD used by most ransomware Trojans. However, PC security strongly researchers advise computer users to refrain from paying these ransoms since it simply allows these people to continue financing the production of ransomware Trojans like this one. The number of ransomware attacks active currently continues to increase, and the move towards lower ransom amounts observed in many of them may be in part due to competition and the refusal of many victims to pay. It is important, in the future, to continue ignoring any demand from these fraudsters since payment often leads to further demands and reinfection.

SpyHunter Detects & Remove Pshcrypt Ransomware