ACCDFISA v2.0 Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 7,267 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 5,389 |
| First Seen: | October 27, 2017 |
| Last Seen: | January 23, 2026 |
| OS(es) Affected: | Windows |
The ACCDFISA v2.0 Ransomware is an encryption ransomware Trojan that is in its second release. The first version of the ACCDFISA v2.0 Ransomware was active in February of 2012 so that the ACCDFISA v2.0 Ransomware seems to be quite an old ransomware family. The original version of the ACCDFISA v2.0 Ransomware carried out a typical scareware tactic that was popular at that time. The ACCDFISA v2.0 Ransomware uses an updated attack method that involves encryption algorithms, which are favored by most modern encryption ransomware Trojans. Like other encryption ransomware Trojans, the ACCDFISA v2.0 Ransomware is designed to encrypt the victim's files and then require a ransom in exchange for the decryption key needed to recover the infected files. The ACCDFISA v2.0 Ransomware is delivered using corrupted spam email messages, which may use social engineering tactics to induce computer users into opening a corrupted attachment, which includes corrupted macro scripts that download and install the ACCDFISA v2.0 Ransomware unto the victim's computer.
Table of Contents
The ACCDFISA v2.0 Ransomware Hides Its Activities
The ACCDFISA v2.0 Ransomware is installed on the AppData folder and carries out a typical encryption ransomware Trojan attack, encrypting the user-generated files while avoiding Windows system files (these threats need Windows to remain functional so that they can deliver a ransom note to the victim and have the victim pay the ransom). The following are examples of the file types that are encrypted in attacks like the ACCDFISA v2.0 Ransomware:
.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, ,doc, .epub, .docx .fb2, .flv, .gif, .gz, .iso .ibooks,.jpeg, .jpg, .key, .mdb .md2, .mdf, .mht, .mobi .mhtm, .mkv, .mov, .mp3, .mp4, .mpg .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.
The ACCDFISA v2.0 Ransomware will inject its processes into legitimate file processes to hide its activities. However, the ACCDFISA v2.0 Ransomware also will create an executable file named 'Decrypt.exe' in a directory named 'Decrypt' on the main system drive. After encrypting the victim's files, this executable file runs and delivers a ransom note.
The ACCDFISA v2.0 Ransomware’s Ransom Note
The ACCDFISA v2.0 Ransomware's ransom note is delivered in a program window that is named 'Malware protection' and launched by the executable file mentioned above. This program window contains the following message:
'Warning! Access to your computer is limited and all your important files has been decrypted with AES-256-KEY.
A mailing (spam) was detected on your computer that was sending a very dangerous polymorphic virus, which contradicts the law and harms other network users. Your computer has been also infected by this very dangerous polymorphic virus, which modifies itself every 24 hours and in this case virus detection by antiviruses is very difficult.
You need to buy and send an sms with MoneyPak or Paysafecard or Ukash code ($300 or 300 euros) and your Reference Number to our special service phone number or email.
After that, our experts within 1-3 hours will perform an audit to clean up your computer from this very dangerous polymorphic and send you sms on the cell phone or email (from which you sent the code and reference number) password (which unlocks your computer and decrypts your files) and this must be entered below.'
However, there is no truth to this message, which claims that it is there to protect you from threats. Fortunately, a decryption program for the ACCDFISA v2.0 Ransomware has been released and is available at the following link:
Karwos[.]net/accdfisa20/
It is likely that the con artists will update the ACCDFISA v2.0 Ransomware eventually to bypass the current access to a decryption program.
Analysis Report
General information
| Family Name: | Trojan.Blackmoon.A |
|---|---|
| Packers: | UPX! |
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
8051c86d897bf4b1fc13ba886a14dee9
SHA1:
40f23ca8da2d9c82fb92e29d7bbc26b87a87aa68
SHA256:
5ECA3D0B67DE81C5057225294E0BCD60EDE50609F5DF4ADCDEDA2750FB75E493
File Size:
8.94 MB, 8937230 bytes
|
|
MD5:
a004f4e14a84b89ea74272c3b860baa4
SHA1:
57d97c44c359948c6bd362e29eeda2a04054f7e2
SHA256:
5E804EE6D5A51DB969C97B866A03E68F1A7DDD0094CBB91E7D832F7FF3A0FB6E
File Size:
40.96 KB, 40960 bytes
|
|
MD5:
326b873b5863f30991745276d01b111b
SHA1:
377814953aa0dcb0e3c7c1048034d38ee1d059dc
SHA256:
6EB67922254BF1E6DEF3FB947F373E70BE0DC09508DB40235470D8C3A3F28A93
File Size:
1.40 MB, 1397760 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have resources
- File doesn't have security information
- File has been packed
- File has exports table
- File is 32-bit executable
- File is either console or GUI application
Show More
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| File Version | 1.00 |
| Internal Name | TJprojMain |
| Original Filename | TJprojMain.exe |
| Product Name | Project1 |
| Product Version | 1.00 |
File Traits
- 2+ executable sections
- dll
- HighEntropy
- packed
- themida
- themida section variant
- UPX!
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 2,625 |
|---|---|
| Potentially Malicious Blocks: | 1,031 |
| Whitelisted Blocks: | 272 |
| Unknown Blocks: | 1,322 |
Visual Map
? - Unknown Block
x - Potentially Malicious Block
Files Modified
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.| File | Attributes |
|---|---|
| c:\users\user\adb.exe | Generic Write,Read Attributes |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Other Suspicious |
|
| Syscall Use |
Show More
|
| Process Manipulation Evasion |
|
| Process Shell Execute |
|
| Anti Debug |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\57d97c44c359948c6bd362e29eeda2a04054f7e2_0000040960.,LiQMAxHB
|
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\377814953aa0dcb0e3c7c1048034d38ee1d059dc_0001397760.,LiQMAxHB
|
