Threat Database Ransomware Serpico Ransomware

Serpico Ransomware

By CagedTech in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 1
First Seen: August 29, 2016
Last Seen: January 10, 2019
OS(es) Affected: Windows

The Serpico Ransomware is a dangerous variant of the DetoxCrypto family of threats. The variants of the Serpico Ransomware seems to be written in Serbian and Croatian and designed to attack computer users in these countries. The Serpico Ransomware does not add a special extension to the files that it encrypts, unlike many other ransomware threats. The Serpico Ransomware has received this name because of the directory name it uses to save the files associated with the Serpico Ransomware attack.

The Serpico Ransomware and Other DetoxCrypto Family Variants

The Serpico Ransomware and other variants in this family of threats seem to be created using a threat builder, resulting in attacks that have very different ransom notes and superficial characteristics while carrying out the same attack at their core. There were two previous variants in this family, one using content related to PokemonGO and the other using a scarier approach and including a backdoor component.

The Serpico Ransomware may be related to a RaaS (Ransomware as a Service) service that is active on the Dark Web currently. Con artists may create the Serpico Ransomware variants and operate on an affiliate system, giving a percentage of their earnings to the creators of this ransomware family. The Serpico Ransomware and all of its variants use the AES encryption to encrypt data on the victim's computer. The Serpico Ransomware and its variants stop the MySQL and MSSQL services on the infected machine, display a LockScreen with the ransom note, and also play an audio file in the background. For example, in the case of the Pokemon Go variants, an audio file containing a video game music would be played. Like its variants, the Serpico Ransomware's ransom note instructs the victim to contact an included email address in order to pay the ransom.

The Serpico Ransomware Attack

The Serpico Ransomware and its variants use a single executable file in their distribution vectors (for example, attached as an email attachment). When this corrupted executable file runs, it extracts several files to the victim's computer. In the case of the Serpico Ransomware and other variants in this family, the files extracted are the executable that carries out the encryption (which may have an innocuous name that makes it appear as a legitimate Windows process). In previous variants, this file has been named 'MircosoftHost.exe.' The other files that are installed include an audio file that plays in the background when the ransom note is displayed, an image file that is used to change the infected computer's wallpaper image into a ransom note, and an additional executable file, which displays the LockScreen and provides the means to decrypt the files when the victim enters the correct password. In the case of the Serpico Ransomware, the following files have been observed in attacks:

C:\Users\User_name\the Serpico\bg.jpg
C:\Users\User_name\the Serpico\key.pkm
C:\Users\User_name\the Serpico\the Serpico.exe
C:\Users\User_name\the Serpico\sound.wav
C:\Users\User_name\the Serpico\total.pkm

During its attack, the Serpico Ransomware will encrypt the following file types:

.3ds, .7z, .acbl, .all, .backup, .bak, .bmp, .bz2, .cab, .cdr, .cer, .cpr, .crt, .cs, .csv, .dat, .db, .dbf, .der, .doc, .docx, .dwg, .eps, .gif, .ibd, .ibz, .iso, .jpeg, .jpg, .mdb, .mdf, .myd, .pdf, .php, .png, .ppt, .pptx, .psb, .pst, .rar, .rns, .s3db, .sql, .sqlite, .sqlitedb, .tar, .txt, .xls, .xlsx, .xlt, .xltx, .xml, .zip.

The full text of the Serpico Ransomware ransom note reads:

Svi važni fajlovi na vašem kompjuteru su zaključani i nemoguće je razbiti enkripciju. NEMOGUĆE JE RAZBITI CryptoLocker.
Ako želite fajlove natrag javite se na mail:
Nemojte brisati ovaj program jer će biti potreban da bi vratili fajlove. Dobit ćete na mail upute i ključ koji ćete unijeti i svi fajlovi će biti vraćeni. Vrlo jednostavno, samo se javite na mail i dogovorimo se oko povratka fajlove.
Ako pokušate očistit ovaj program ili sami nešto popraviti moguće je da zauvijek oštetite i izgubite podatke zato je najbolje rješenje da se javite.

SpyHunter Detects & Remove Serpico Ransomware

File System Details

Serpico Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe 829f047ee3ff90e81ad056eb5ba4303c 0
2. Serpico.exe 20791a1eb2b03a211f48e33ef39f97c6 0


Serpico Ransomware may create the following directory or directories:



Most Viewed