Trojan.Encoder.6491
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 2 |
| First Seen: | October 13, 2016 |
| Last Seen: | January 21, 2022 |
| OS(es) Affected: | Windows |
The boring name of Trojan.Encoder.6491 hides an interesting story. The Trojan.Encoder.6491 is the first encryption Trojan that is written in Google's Go programming language (a.k.a. golang), which was revealed to the public back in 2009. The Trojan.Encoder.6491 was detected in October 2016 and is reported to masquerade as a security update for the Microsoft Windows systems. The payload of the Trojan.Encoder.6491 is known to use the name 'Windows_Security.exe.' The Trojan.Encoder.6491 ransomware may be delivered to users as spam emails that feature the logo of Microsoft. These messages may resemble the design of Support.microsoft.com, which is the official support page for Windows users. That way the fake 'Windows_Security.exe' update might look legitimate to some computer users.
Table of Contents
The Trojan.Encoder.6491 Utilizes Multi-Threading and Takes Advantage of Multi-Core Processors
Malware analysts report that the Trojan.Encoder.6491 ransomware scans the infected PC for 140 types of data containers and can lock files on connected drives. Needless to say, family photos, documents for your work, and databases are more than likely to be encrypted by the Trojan.Encoder.6491. The Trojan.Encoder.6491 ransomware is likely to disrupt the operation of server networks and specialized software for a prolonged period. The coders of the Trojan.Encoder.6491 ransomware designed it to avoid encryption of objects in the following directories:
- AppData
- Boot
- Program Files
- Program Files (x86)
- ProgramData
- Recycle.Bin
- System Volume Information
- Windows
- temp
- winnt
The Trojan.Encoder.6491 will not Modify the Content of System Folders
The Trojan.Encoder.6491 is similar to the KillerLocker and the Kostya Ransomware. Experts note that the Trojan.Encoder.6491 will not encode data in folders that support the OS and allow users to deliver payment from the infected machine. Files that are modified by Trojan.Encoder.6491 can be recognized easily. The Trojan.Encoder.6491 ransomware uses the base64 encoding to change file names and appends the '.enc' extension to affected data containers. For example, 'vespa_mandarinia_japonica.png' will be converted to 'dmVzcGFfbWFuZGFyaW5pYV9qYXBvbmljYQ==.enc.' The random message is packed as 'instructions.html' and is loaded by the Trojan.Encoder.6491 in the default browser automatically. The message says:
'ALL YOUR FILES HAS BEEN ENCRYPTED
FM your files have been encrypted using AES 256, there Is no way to decrypt than by yourself If you want to decrypt them you have to pay approximately 25$ in Bitcoins to the follow, address:
Amount 0.052300 BTCs
To the address [34 random characters]
Do not worry If you don't know what Bitcoins are, they are an online currency
that Is not regulated by any government, the price changes daily but now is near the 600$ usd dollars
To get some Bitcoins you can go to some of this web pages
- Coinbase
this page you can store your ImIcoms and also buy than using your credit card,
It Is a safe page, you can check it online you aren't sure
- locallutcoms.com
This a web where people contact each others to exchange Bitcoins for money in paypal, in cash if you find someone nearby and many other ways
I strongly recommend coinbase.com as you can be done in 15 minutes and your files will start decrypting
I recommend you look for info online If you don't want to use coinbase.com
IT IS EXTREMELY IMPORTANT THAT YOU SEND THE EXACT AMMOUNT AND THAT THIS PROGRAM IS RUNNING
WHILE YOU MAKE THE PAYMENT TO BE ABLE TO CONFIRM THE TRANSACTION
If you can't figure mg something send me an email to helpmedecrypt@protomnail com
You have 72 hours form now to send the payment or you will lose all the data so don't wait to send an email if you don't know something.
I hope to hem from you soon.'
The Files are Encrypted with the AES Cipher but Decryption is Possible
The Trojan.Encoder.6491 requires users to leave its main executable running on the system and pay 0.052300 Bitcoins, which equals approximately 33 USD. Experts do not encourage paying the ransom because you do not have a guarantee that a decryption key will be sent to your PC. It is possible to decrypt the files affected by Trojan.Encoder.6491 but it will cost you nearly as much as complying with the terms of the Trojan.Encoder.6491. Computer users may consider buying a commercial license for decryption software designed to unlock data corrupted by the Trojan.Encoder.6491. However, there is a third option—you can use a trusted anti-malware utility to delete the Trojan.Encoder.6491 and use backup images to recover your data for free. Backup images allow users to deal with threats like the Trojan.Encoder.6491 and the Cerber3 Ransomware effortlessly.
