
Smrss32 Ransomware

By GoldSparrow in Ransomware

The Smrss32 Ransomware is a ransomware Trojan that has caught the attention of PC security analysts because, as part of its attack, it targets an extraordinary number of file types in its encryption process. The Smrss32 Ransomware will encrypt practically every type of file, currently using a list of 6674 different file extensions in its configuration files. The Smrss32 Ransomware is a relatively recent ransomware variant, first detected in the wild in early August of 2016. It receives its name because the file through which it is distributed is named Smrss32.exe. Most ransomware variants are practically identical, especially since code recycling is a common practice. However, the Smrss32 Ransomware has caught the attention of PC security analysts simply through the sheer size of the file extension list in its configuration. In most cases, ransomware Trojans search for between 50 and 500 different file extensions on the victim's computer. Therefore, the Smrss32 Ransomware, which targets 6674, is definitely out of the ordinary!

The Smrss32 Ransomware Looks Like the Work of Amateurs

Curiously enough, the fact that the Smrss32 Ransomware uses such a large list of file extensions in its configuration settings makes it likely that the people responsible for creating it are amateurs. After all, a more experienced programmer would have specified what not to encrypt rather than enumerating such a large number of file extensions. Many of the file extensions on the list are duplicates, often differing only between upper case and lower case letters. Case-insensitive comparison is a technique that saves programmers a lot of time in these cases; a more experienced coder would not have had to go through the time and effort of creating such an enormous list of file extensions.

Despite the length of the list, the Smrss32 Ransomware still does not encrypt the Windows core files. Ransomware Trojans avoid encrypting essential system files since they require Windows to continue functioning to deliver their ransom note and receive payment. The Smrss32 Ransomware achieves this by preventing the encryption of files in the directories AppData, Application Data, Boot, Games, Program Files, Program Files (x86), Program Data, Sample Music, Sample Pictures, System Volume Information, Temp, Windows, cache, thumbs.db, tmp and winnt. The Smrss32 Ransomware searches for these strings in the directory names and prevents encryption if they are found.
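As an added example (not the threat's own code), the following Python illustrates the two details above: collapsing case-variant extensions into one entry, and applying the described directory-name exclusions so an incident responder can scope which files on a host fell within the threat's reach. It assumes exact (case-sensitive) substring matching against the full path, which the write-up does not specify, and all sample data is constructed.

```python
from pathlib import PureWindowsPath

# Directory name strings the write-up says cause a file to be skipped.
EXCLUDED_SUBSTRINGS = (
    "AppData", "Application Data", "Boot", "Games", "Program Files",
    "Program Files (x86)", "Program Data", "Sample Music", "Sample Pictures",
    "System Volume Information", "Temp", "Windows", "cache", "thumbs.db",
    "tmp", "winnt",
)

# Constructed fragment of an extension list with case-only duplicates.
SAMPLE_EXTENSIONS = [".doc", ".DOC", ".Doc", ".jpg", ".JPG", ".xlsx", ".XLSX"]

# Constructed file inventory, as an analyst might pull from a disk image.
SAMPLE_PATHS = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\AppData\Roaming\settings.doc",
    r"C:\Users\alice\Documents\budget.XLSX",
    r"D:\tmp_backups\old.doc",
    r"D:\Finance\report.xlsx",
    r"D:\Finance\readme.txt",
]


def dedupe_extensions(extensions):
    """Return the distinct extensions once compared case-insensitively."""
    seen, unique = set(), []
    for ext in extensions:
        key = ext.lower()
        if key not in seen:
            seen.add(key)
            unique.append(key)
    return unique


def is_excluded(path):
    """True if the path contains any excluded string (assumed case-sensitive).

    Because this is a plain substring search, a folder such as
    'D:\\tmp_backups' is skipped as well, since it contains 'tmp'.
    """
    return any(sub in path for sub in EXCLUDED_SUBSTRINGS)


def scope_inventory(paths, extensions):
    """Files not under an excluded directory whose extension is targeted."""
    targeted = set(dedupe_extensions(extensions))
    return [p for p in paths
            if not is_excluded(p)
            and PureWindowsPath(p).suffix.lower() in targeted]
```

Running scope_inventory over a real file listing gives a quick estimate of what the threat could have reached, independent of whether the '.encrypted' suffix was later observed.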

How the Smrss32 Ransomware Infections may Occur

Various Smrss32 Ransomware infections have been the result of unsecured RDP connections. This means that the Smrss32 Ransomware is being installed manually by the con artists responsible for this threat rather than relying on more common methods such as email attachments or attack websites. Several other ransomware families use this method for attacking their victims, including Apocalypse, Bucbi and Troldesh variants. Once the Smrss32 Ransomware is executed, this threat carries out a typical ransomware attack, using AES encryption to encrypt the files and marking them with the '.encrypted' extension.

The Pricey Ransom Asked by the Smrss32 Ransomware

The Smrss32 Ransomware drops its ransom note in the Wallpaper directory on the victim's computer. It also drops copies of its ransom note on every drive and on the affected computer's Desktop. The Smrss32 Ransomware deletes itself after carrying out its attack, presumably to prevent PC security analysts from studying its code. It demands the payment of one BitCoin (approximately $600 USD) to unlock the affected files and lists an email address that victims have to contact. So far, at least 15 victims of the Smrss32 Ransomware have paid this ransom. Fortunately, a decryption utility is available to help computer users decrypt their files without having to pay the Smrss32 Ransomware ransom.
