
Serpent Ransomware

By GoldSparrow in Ransomware

The Serpent Ransomware is a successor to the PayDOS Ransomware and is packed as a batch file that is dropped on the PC via an executable attached to spam emails. The Serpent Ransomware depends on the Windows Command Prompt and cannot be run with a simple double-click. The executable responsible for the deployment of the Serpent Ransomware is programmed to call CMD.exe and execute the Serpent Ransomware. Researchers note that the Serpent Ransomware is still in development and we may see encryption engines being implemented in future releases.

The Version of the Serpent Ransomware Released in November 2016 Does not Encrypt Files

As of November 2016, the Serpent Ransomware is designed to rename file extensions without making changes to the file names. For example, 'Pieridae_chrysalis.png' will be changed to 'Pieridae_chrysalis.dng'. If you alter the file extension from DNG to PNG manually, the file will appear as normal and can be read by image viewers on your PC. In-depth analysis of the initial release of the Serpent Ransomware revealed that the Trojan is programmed to scan the default user library and AppData for the following file formats:

.avi, .dav, .dgg, .dif, .dng, .dnk, .dov, .dp3, .dp4, .dpg, .drl, .dsi, .dvi, .dxe, .dxt, .exe, .gif, .lnk, .jpg, .mov, .mp3, .mp4, .msi, .ogg, .png, .txt, .url, .wav.
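The manual extension fix described above can be checked and automated by looking at file content instead of trusting the name. The following is an added example, not code from the original article or from the malware's analysis; the function names are hypothetical, and treating the d-prefixed entries in the list as the renamed forms is an assumption drawn from the page's .png to .dng example.

```python
import os
import pathlib
import tempfile

# d-prefixed entries from the extension list above; treating them as the
# renamed forms is an assumption based on the page's .png -> .dng example.
SUSPECT = {".dav", ".dgg", ".dif", ".dng", ".dnk", ".dov", ".dp3", ".dp4",
           ".dpg", ".drl", ".dsi", ".dvi", ".dxe", ".dxt"}

# Well-known leading bytes -> original extension (subset of the listed formats).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
    (b"OggS", ".ogg"),
    (b"ID3", ".mp3"),
    (b"MZ", ".exe"),
]

def sniff(path):
    """Return the extension implied by the file's leading bytes, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((ext for magic, ext in SIGNATURES if head.startswith(magic)), None)

def plan_restore(root):
    """List (current, restored) paths for suspect files whose content is a known type."""
    plan = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            src = os.path.join(dirpath, name)
            real = sniff(src) if ext.lower() in SUSPECT else None
            # Unknown content (e.g. a genuine TIFF-based Adobe .dng) is left alone.
            if real and not os.path.exists(os.path.join(dirpath, stem + real)):
                plan.append((src, os.path.join(dirpath, stem + real)))
    return plan

def restore(root, dry_run=True):
    """Apply the plan; with dry_run=True only report what would be renamed."""
    plan = plan_restore(root)
    for src, dst in ([] if dry_run else plan):
        if not os.path.exists(dst):          # never overwrite an existing file
            os.rename(src, dst)
    return plan

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        pathlib.Path(d, "Pieridae_chrysalis.dng").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 8)
        pathlib.Path(d, "camera_raw.dng").write_bytes(b"II*\x00" + b"\0" * 8)
        for src, dst in restore(d, dry_run=False):
            print(os.path.basename(src), "->", os.path.basename(dst))
```

Run it with dry_run=True first and review the plan; files whose content matches none of the signatures are never touched.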

The Serpent Ransomware might alter files that are used by software on your PC and cause issues with software like database managers. The ransom note is presented within a CMD window, which features a solid black background and text in white. We might see a surge in batch script-based ransomware since it is relatively easy to make batch scripts. The note shown by the Serpent Ransomware reads:

Hello User,
Your files have been all encrypted using a heavy encryption
called "RSA-2048". You will not be able to access the files
unless you have been provided the PASSCODE. This unfortunate
event has a solution By paying a small fee you can
get all of your files back as you will be sent the passcode.
You can find the contact information below...


The Initial Release of the Serpent Ransomware Does not Implement an RSA-4096 Cipher

As stated above, the files are not encrypted by using the RSA-2048 cipher; the extension is renamed. Windows Explorer will bring up an alert that the file is not recognized if you attempt to open a file altered by the Serpent Ransomware. The email listed above is fake, and new releases of the Serpent Ransomware may provide a functional email address for contact. Researchers found out that the initial release of the Serpent Ransomware has a hard-coded passcode, which can be used to reverse the alterations it has made to data on your PC. Users that are infected with the Serpent Ransomware could type in the passcode RSA1014DJW2048 on the ransom window, and their data should revert to normal. You will need to scan your PC with a trusted anti-malware scanner to make sure the Serpent Ransomware was eliminated.


File System Details

Serpent Ransomware may create the following file(s):
#    File Name      MD5                                Detections
1.   software.exe   d2c1d7f0003cfc2d3fc7696da1bf0311   0
