Serpico Ransomware

The Serpico Ransomware is a dangerous variant of the DetoxCrypto family of threats. The variants of the Serpico Ransomware seems to be written in Serbian and Croatian and designed to attack computer users in these countries. The Serpico Ransomware does not add a special extension to the files that it encrypts, unlike many other ransomware threats. The Serpico Ransomware has received this name because of the directory name it uses to save the files associated with the Serpico Ransomware attack.

The Serpico Ransomware and Other DetoxCrypto Family Variants

The Serpico Ransomware and other variants in this family of threats seem to be created using a threat builder, resulting in attacks that have very different ransom notes and superficial characteristics while carrying out the same attack at their core. There were two previous variants in this family, one using content related to PokemonGO and the other using a scarier approach and including a backdoor component.

The Serpico Ransomware may be related to a RaaS (Ransomware as a Service) service that is active on the Dark Web currently. Con artists may create the Serpico Ransomware variants and operate on an affiliate system, giving a percentage of their earnings to the creators of this ransomware family. The Serpico Ransomware and all of its variants use the AES encryption to encrypt data on the victim's computer. The Serpico Ransomware and its variants stop the MySQL and MSSQL services on the infected machine, display a LockScreen with the ransom note, and also play an audio file in the background. For example, in the case of the Pokemon Go variants, an audio file containing a video game music would be played. Like its variants, the Serpico Ransomware's ransom note instructs the victim to contact an included email address in order to pay the ransom.

The Serpico Ransomware Attack

The Serpico Ransomware and its variants use a single executable file in their distribution vectors (for example, attached as an email attachment). When this corrupted executable file runs, it extracts several files to the victim's computer. In the case of the Serpico Ransomware and other variants in this family, the files extracted are the executable that carries out the encryption (which may have an innocuous name that makes it appear as a legitimate Windows process). In previous variants, this file has been named 'MircosoftHost.exe.' The other files that are installed include an audio file that plays in the background when the ransom note is displayed, an image file that is used to change the infected computer's wallpaper image into a ransom note, and an additional executable file, which displays the LockScreen and provides the means to decrypt the files when the victim enters the correct password. In the case of the Serpico Ransomware, the following files have been observed in attacks:

C:\Users\User_name\the Serpico\bg.jpg
C:\Users\User_name\the Serpico\key.pkm
C:\Users\User_name\the Serpico\the Serpico.exe
C:\Users\User_name\the Serpico\sound.wav
C:\Users\User_name\the Serpico\total.pkm
C:\Users\User_name\Desktop\MotoxUnlocker.exe

During its attack, the Serpico Ransomware will encrypt the following file types:

.3ds, .7z, .acbl, .all, .backup, .bak, .bmp, .bz2, .cab, .cdr, .cer, .cpr, .crt, .cs, .csv, .dat, .db, .dbf, .der, .doc, .docx, .dwg, .eps, .gif, .ibd, .ibz, .iso, .jpeg, .jpg, .mdb, .mdf, .myd, .pdf, .php, .png, .ppt, .pptx, .psb, .pst, .rar, .rns, .s3db, .sql, .sqlite, .sqlitedb, .tar, .txt, .xls, .xlsx, .xlt, .xltx, .xml, .zip.

The full text of the Serpico Ransomware ransom note reads:

SVI VAŠI FAJLOVI SU ZAKUUČANI!
Svi važni fajlovi na vašem kompjuteru su zaključani i nemoguće je razbiti enkripciju. NEMOGUĆE JE RAZBITI CryptoLocker.
Ako želite fajlove natrag javite se na mail:
motox2016@mail2tor.com
NAPOMENA:
Nemojte brisati ovaj program jer će biti potreban da bi vratili fajlove. Dobit ćete na mail upute i ključ koji ćete unijeti i svi fajlovi će biti vraćeni. Vrlo jednostavno, samo se javite na mail i dogovorimo se oko povratka fajlove.
Ako pokušate očistit ovaj program ili sami nešto popraviti moguće je da zauvijek oštetite i izgubite podatke zato je najbolje rješenje da se javite.
OTKUPNINA ZA SVE VAŠE FAJLOVE I TRAJNU ZAŠTITU OD SLIČNIH PROVALA JE SAMO 50€. JAVITE SE NA MAIL.

SpyHunter Detects & Remove Serpico Ransomware