
AndreaGalli Ransomware

By GoldSparrow in Ransomware

The AndreaGalli Ransomware is named after the user account under which it was found to be deployed. Computer security researchers found samples of a generic file cryptor titled 'Ransomware Cryptolocker.pdb' that were submitted to an online security platform on July 13th, 2018. It was uncovered that the threat was uploaded from 'C:\Users\andrea.galli\iCloudDrive\Desktop\Ransomware Cryptolocker\ransomware_cryptolocker\obj\Debug\Ransomware Cryptolocker.pdb.' The AndreaGalli Ransomware is programmed to display a fake 'Java Update' message as a way to dissuade PC users from using their computers for a few minutes while the encryption process runs in the background. The AndreaGalli Ransomware may encrypt files with the following extensions:

.3gp, .avi, .bmp, .cdr, .csv, .dat, .db, .djvu, .docm, .doc, .epub, .docx, .flv, .gif, .iso, .ibooks, .jpeg, .jpg, .mdb, .md2, .mdf, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .sav, .tiff, .tif, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .casb, .ccp, .cr2.

Affected files are shown with generic white icons and carry the '.locked' extension. For example, 'Cape chestnut—Calodendrum capense.docx' is renamed to 'Cape chestnut—Calodendrum capense.docx.locked.' We have not found a ransom note in 'Ransomware Cryptolocker.pdb', as the developers have yet to reveal their goals. There are no reports of an ongoing distribution campaign for the AndreaGalli Ransomware, but that may change soon. The AndreaGalli Ransomware may still be in development at the time of writing, but that does not mean it will not be pushed to users sometime in the future. Threat actors are likely to use the logos of trusted Internet service providers and hot public topics to lure PC users into loading the threat payload. The most abused feature on Windows is Office macros, which allow arbitrary code execution with top-level privileges. It is best to disable macros in your Microsoft Office suite as a way to minimize your attack surface. Do not open files from questionable sources, and add a capable backup manager so that you have backup images to roll back to if the worst comes to pass. AV companies are using the following detection names for any code that is found to have a connection with the AndreaGalli Ransomware:

Artemis!D84ADA9E67EE
HEUR/QVM03.0.F235.Malware.Gen
Ransom.Crypt0L0cker
Ransom_Ryzerlo.R002C0SGA18
Trojan.Generic.D1DA3395
Trojan.Ransom.CryptoLocker (A)
W32.Troj.Ransom.Filecoder!c
W32/Trojan.BQTF-8685
Win32.Trojan-Ransom.Filecoder.P@gen
malicious_confidence_100% (D)
variant of MSIL/Filecoder.AK
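The renaming behaviour described above (a target extension followed by '.locked') is the most visible artefact a responder can key on. The following triage helper is an added example, not code from the original article or from the threat itself: it flags file names matching that pattern and raises an alert when several such renames land inside a short window, which is how a mass-encryption burst looks in a file-event log. The file events, the threshold and the window are constructed assumptions for this example.

```python
# Added example (not from the original article): flag files renamed with the
# AndreaGalli Ransomware '<target ext>.locked' pattern and alert on a burst of them.
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Subset of the extensions the article lists as encryption targets.
TARGET_EXTS = {
    ".3gp", ".avi", ".bmp", ".csv", ".db", ".doc", ".docx", ".docm", ".gif",
    ".jpeg", ".jpg", ".mdb", ".mp3", ".mp4", ".png", ".ppt", ".pptx", ".psd",
    ".rar", ".rtf", ".sql", ".sqlite", ".txt", ".xls", ".xlsx", ".xml",
}


def is_locked_victim(path: str) -> bool:
    """True when the file name ends in '.locked' preceded by a target extension."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".locked" and suffixes[-2] in TARGET_EXTS


def triage(events, threshold=5, window=timedelta(seconds=60)):
    """Return matching paths and whether `threshold` renames fell inside `window`.

    `events` is an iterable of (datetime, path) pairs, e.g. from a file-audit log.
    A sliding window over the time-sorted hits detects the encryption burst.
    """
    hits = sorted((ts, p) for ts, p in events if is_locked_victim(p))
    alert, start = False, 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        if end - start + 1 >= threshold:
            alert = True
            break
    return {"hits": [p for _, p in hits], "alert": alert}


# Constructed sample file events: five target renames, one untouched file and
# one '.locked' file whose inner extension is not on the target list.
T0 = datetime(2018, 7, 13, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0, r"C:\Users\victim\Desktop\Cape chestnut—Calodendrum capense.docx.locked"),
    (T0 + timedelta(seconds=3), r"C:\Users\victim\Pictures\holiday.jpg.locked"),
    (T0 + timedelta(seconds=5), r"C:\Users\victim\Documents\budget.xlsx.locked"),
    (T0 + timedelta(seconds=9), r"C:\Users\victim\Documents\notes.txt"),
    (T0 + timedelta(seconds=12), r"C:\Users\victim\Music\track01.mp3.locked"),
    (T0 + timedelta(seconds=20), r"C:\Users\victim\Downloads\setup.exe.locked"),
    (T0 + timedelta(seconds=25), r"C:\Users\victim\Desktop\scan.png.locked"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # five hits, alert True
```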
