TROJ_POSHCODER.A


By GoldSparrow in Ransomware

Ransomware attacks have increased in the last couple of years. Threats designed to encrypt victims' files are also on the rise, with new variants appearing in different languages and targeting computer users in specific geographic locations. Another increasingly worrying aspect of these attacks is that ransomware targeting mobile devices has also become more common. The TROJ_POSHCODER.A Trojan is a threat infection that uses Windows PowerShell to encrypt the infected computer's files. Windows PowerShell has been used before to prevent detection of threats on a computer. However, once PC security researchers were alerted to this tactic, this type of threat became relatively simple to deal with, and often less difficult to decrypt than other ransomware infections.

TROJ_POSHCODER.A – Unusual Components, Same Result

TROJ_POSHCODER.A is based on threatening scripts, something uncommon for ransomware infections. Using AES together with RSA 4096 public key cryptography, TROJ_POSHCODER.A may encrypt the victim's files. TROJ_POSHCODER.A may change the affected computer's registry and rename encrypted files so that they carry the .POSHCODER extension. TROJ_POSHCODER.A also may drop a file named UNLOCKYOURFILES.html with instructions for the victim. This file is essentially TROJ_POSHCODER.A's 'ransom note.'

In TROJ_POSHCODER.A's HTML file, the persons responsible for the attack claim that the files can be retrieved by paying one Bitcoin, currently valued at about $600 USD. The file contains information on how to create a Bitcoin wallet. During that creation process, the PC user is forced to fill out a form with information such as email addresses and Bitcoin wallet details. This may place computer users at further risk: not only may they lose access to their files, they may also put their privacy at risk. This is why security experts counsel computer users to avoid following the instructions contained in this file. Instead, computer users should remove TROJ_POSHCODER.A completely with the help of a reliable security application. If a free decryption utility is available for your computer, use it to restore your files. Otherwise, restore your files from an off-site backup.

File System Details

TROJ_POSHCODER.A may create the following file(s):
[filename].POSHCODER
%User Temp%\Quest Software\PowerGUI\{GUID}\crypter.ps1

Registry Details

TROJ_POSHCODER.A may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {GUID} = ""
HKEY_CURRENT_USER\Software\Microsoft {GUID}0 = ""
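The file and registry indicators listed above can be checked offline against a collected file listing and a .reg-style export of the affected keys. The Python below is an added triage example, not code from the original page or from any vendor; it assumes that {GUID} in the listings stands for a literal GUID string, and its sample paths and registry lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators named on the page: the .POSHCODER extension, the UNLOCKYOURFILES.html note,
# crypter.ps1 under ...\PowerGUI\{GUID}\, and empty-data registry values named {GUID}
# under ...\CurrentVersion\Run and {GUID}0 under HKCU\Software\Microsoft (assumed literal GUIDs).
GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
REG_CHECKS = [  # (key-path suffix, value-name pattern)
    (r"\currentversion\run", re.compile(f"^{GUID}$", re.I)),
    (r"\software\microsoft", re.compile(f"^{GUID}0$", re.I)),
]

def classify_path(path: str):
    """Label one Windows file path with the indicator it matches, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if p.suffix.lower() == ".poshcoder":
        return "encrypted-file"
    if name == "unlockyourfiles.html":
        return "ransom-note"
    if name == "crypter.ps1" and "powergui" in (s.lower() for s in p.parts):
        return "dropped-script"
    return None

def suspicious_reg_values(reg_export: str) -> list:
    """Return 'key\\name' for each empty GUID-named value in a .reg-style export."""
    hits, key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                                  # key header line
        elif m := re.match(r'^"([^"]+)"="(.*)"$', line):      # "name"="data" line
            name, data = m.groups()
            for suffix, pattern in REG_CHECKS:
                if key.lower().endswith(suffix) and pattern.match(name) and data == "":
                    hits.append(f"{key}\\{name}")
    return hits

# Constructed sample input, not collected from a real host.
SAMPLE_PATHS = [r"C:\Users\alice\Documents\report.docx.POSHCODER",
                r"C:\Users\alice\Desktop\UNLOCKYOURFILES.html",
                r"C:\Users\alice\AppData\Local\Temp\Quest Software\PowerGUI\{1111aaaa-2222-3333-4444-555555555555}\crypter.ps1",
                r"C:\Users\alice\Documents\notes.txt"]
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{1111aaaa-2222-3333-4444-555555555555}"=""
[HKEY_CURRENT_USER\Software\Microsoft]
"{1111aaaa-2222-3333-4444-555555555555}0"=""
"""
```

A match on any single indicator is a prompt to isolate the host and pull backups, since the registry entries alone show the script is set to run again at logon.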

