Troj/Ransom-KM
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 9,996 |
|---|---|
| Threat Level: | 50% (Medium) |
| Infected Computers: | 18,598 |
| First Seen: | November 26, 2012 |
| Last Seen: | January 4, 2026 |
| OS(es) Affected: | Windows |
Troj/Ransom-KM belongs to a large family of ransomware Trojans that display fake messages from the police. Troj/Ransom-KM has been used in a wave of attacks involving hacked websites registered with GoDaddy. In these attacks the sites' DNS records were tampered with so that visitors were sent to attacker-controlled IP addresses, where a well-known exploit kit installs malware on the visitor's computer; Troj/Ransom-KM is the main payload. ESG security researchers advise keeping your security software fully updated and running at all times. Safe browsing habits protect against most malware attacks, but because this attack abuses hacked legitimate websites, their regular visitors are exposed without doing anything unusual. These attacks are not the responsibility of GoDaddy but of the website owners: ESG malware researchers suspect the sites may have been hacked because their owners failed to use adequate passwords and other security measures to protect them from intruders.
Ransomware Trojans are among the most common kinds of malware infection today. These attacks typically combine a Winlocker component with a fake message from the police. The Winlocker component in Troj/Ransom-KM blocks access to the victim's files and operating system without encrypting anything: it disables Windows tools such as Task Manager and the Registry Editor and freezes the screen on a full-screen ransom message. The message usually poses as a notification from the police, is written in the language of the victim's location (derived from the victim's IP address), carries the logos and insignia of that location's police agencies and refers to them by name. It alleges that the PC was involved in illegal activity (such as downloading illegal pornography or copyright infringement) and demands payment of a fine, usually the equivalent of $200 USD.
Affected computer users can often recover from a Troj/Ransom-KM infection by using an alternative boot method to reach their security software. Although Troj/Ransom-KM blocks access to your files and programs, they are still there; you only need to start Windows in a way that bypasses the lock (for example, booting to a command prompt instead of the normal desktop, or booting from an external drive). Once there, a fully up-to-date anti-malware solution should be able to remove Troj/Ransom-KM; manual removal is also not difficult and only requires basic knowledge of the Windows Registry.
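The manual-removal step above comes down to inspecting a handful of registry locations from outside the locked system. The script below is an added example, not EnigmaSoft's tooling and not code from the malware: it audits the standard Windows policy values that disable Task Manager and the Registry Editor, the Winlogon Shell/Userinit values a screen locker can hijack to come up instead of the desktop, and the Run/RunOnce autostart keys. It assumes you booted a recovery environment and loaded the victim's offline hives under the hypothetical names HKLM\VictimSoftware and HKLM\VictimUser; which of these locations this particular family actually modifies is an assumption, since the page only states that Task Manager and the Registry Editor are blocked.

```powershell
function Get-WinlockerIndicators {
    <#
      Audit registry locations a screen-locking ransomware commonly abuses.
      Run from a recovery environment (WinPE or a second Windows install) after
      loading the victim's offline hives, for example:
        reg load HKLM\VictimSoftware D:\Windows\System32\config\SOFTWARE
        reg load HKLM\VictimUser     D:\Users\<name>\NTUSER.DAT
      The hive names are assumptions for this example; the key names are the
      standard Windows policy and autostart locations.
    #>
    param(
        [string]$MachineRoot = 'HKLM:\VictimSoftware',
        [string]$UserRoot    = 'HKLM:\VictimUser\Software'
    )

    $findings = @()
    foreach ($root in $MachineRoot, $UserRoot) {
        # 1. Policies that block Task Manager and the Registry Editor (the lockout).
        $polKey = Join-Path $root 'Microsoft\Windows\CurrentVersion\Policies\System'
        $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($pol -and $pol.$name -eq 1) {
                $findings += [pscustomobject]@{ Kind = 'LockoutPolicy'; Key = $polKey; Name = $name; Value = $pol.$name }
            }
        }

        # 2. Winlogon Shell/Userinit: replacing explorer.exe makes the lock screen
        #    appear instead of the desktop, which is why an alternative boot is needed.
        $wlKey = Join-Path $root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
        $wl = Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue
        if ($wl -and $wl.Shell -and $wl.Shell -ne 'explorer.exe') {
            $findings += [pscustomobject]@{ Kind = 'WinlogonShell'; Key = $wlKey; Name = 'Shell'; Value = $wl.Shell }
        }
        if ($wl -and $wl.Userinit -and $wl.Userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
            $findings += [pscustomobject]@{ Kind = 'WinlogonUserinit'; Key = $wlKey; Name = 'Userinit'; Value = $wl.Userinit }
        }

        # 3. Autostart entries; every value is reported so the analyst can judge it.
        foreach ($sub in 'Run', 'RunOnce') {
            $runKey = Join-Path $root "Microsoft\Windows\CurrentVersion\$sub"
            $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
            if ($run) {
                foreach ($p in $run.PSObject.Properties) {
                    if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
                    $findings += [pscustomobject]@{ Kind = 'Autorun'; Key = $runKey; Name = $p.Name; Value = $p.Value }
                }
            }
        }
    }
    return $findings
}

Get-WinlockerIndicators | Format-Table -AutoSize
```

Run it from an elevated session. Once you have confirmed an entry belongs to the locker, reset the policy values with Set-ItemProperty (value 0), delete the autorun value with Remove-ItemProperty, restore Shell to explorer.exe, then unload the hives with reg unload before rebooting; the locker's executable itself still has to be removed from disk.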
Analysis Report
General information
| Family Name: | PUP.GameHack.HD |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family. Note that the sample below is recorded under the family name PUP.GameHack.HD in the General information table above rather than Troj/Ransom-KM, so treat these hashes as loosely associated with the threat described on this page.
| MD5: | 7c95992110abc0a16b8fca086ea3c613 |
|---|---|
| SHA1: | de48ff9945b38b712707d77bc2abc9dff99dce73 |
| SHA256: | 8BAEEFD86AE767DCF699C3EED07C9CF69C6D049B6BC6767A3F2E19BC11FA1A76 |
| File Size: | 644.61 KB, 644608 bytes |
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have exports table
- File doesn't have security information
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
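Every attribute in the list above is read straight out of the PE headers. The following is an added example, not EnigmaSoft's analysis code: it walks the MZ, PE signature, COFF and optional-header layout, tests the Export, Security (Authenticode), TLS and CLR data directories, and searches for the Rich signature between the DOS stub and the PE header. The image it checks by default is a constructed headers-only stand-in that carries the same attribute set as the report (32-bit, console, TLS present, no exports, no certificate, no Rich header); it is not the real sample.

```powershell
function Test-PeDirectory {
    param([byte[]]$Bytes, [int]$Entry)
    # A data directory is present when both VirtualAddress and Size are non-zero.
    # (For the Security directory the "address" is a file offset, not an RVA,
    # but the presence test is the same.)
    $va   = [BitConverter]::ToUInt32($Bytes, $Entry)
    $size = [BitConverter]::ToUInt32($Bytes, $Entry + 4)
    return ($va -ne 0 -and $size -ne 0)
}

function Get-PeAttributes {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    if ($Bytes[0] -ne 0x4D -or $Bytes[1] -ne 0x5A) { throw 'No MZ signature' }
    $eLfanew = [int][BitConverter]::ToUInt32($Bytes, 0x3C)
    if ([BitConverter]::ToUInt32($Bytes, $eLfanew) -ne 0x00004550) { throw 'No PE signature' }  # "PE\0\0"

    $coff            = $eLfanew + 4
    $machine         = [BitConverter]::ToUInt16($Bytes, $coff)        # IMAGE_FILE_HEADER.Machine
    $characteristics = [BitConverter]::ToUInt16($Bytes, $coff + 18)   # IMAGE_FILE_HEADER.Characteristics
    $opt             = $coff + 20                                     # optional header follows the 20-byte COFF header
    $magic           = [BitConverter]::ToUInt16($Bytes, $opt)
    $isPe32          = ($magic -eq 0x10B)                             # 0x10B = PE32, 0x20B = PE32+
    $subsystem       = [BitConverter]::ToUInt16($Bytes, $opt + 68)    # same offset in PE32 and PE32+

    # The data-directory table sits at a different offset in PE32 and PE32+.
    if ($isPe32) { $nRvaOff = 92;  $dirOff = 96  }
    else         { $nRvaOff = 108; $dirOff = 112 }
    $nRva = [BitConverter]::ToUInt32($Bytes, $opt + $nRvaOff)

    $dirIndex = @{ Export = 0; Security = 4; TLS = 9; CLR = 14 }
    $dirs = @{}
    foreach ($d in $dirIndex.GetEnumerator()) {
        # Out-of-range indexes count as absent rather than reading past the table.
        $dirs[$d.Key] = ($d.Value -lt $nRva) -and (Test-PeDirectory $Bytes ($opt + $dirOff + 8 * $d.Value))
    }

    # The Rich header, when present, lives between the DOS stub and the PE signature.
    $stubLen = [Math]::Max(0, $eLfanew - 0x40)
    $hasRich = [System.Text.Encoding]::ASCII.GetString($Bytes, 0x40, $stubLen).Contains('Rich')

    $subsystemNames = @{ 2 = 'IMAGE_SUBSYSTEM_WINDOWS_GUI'; 3 = 'IMAGE_SUBSYSTEM_WINDOWS_CUI' }
    $subsystemName = $subsystemNames[[int]$subsystem]
    if (-not $subsystemName) { $subsystemName = "subsystem $subsystem" }

    [pscustomobject]@{
        Machine           = ('0x{0:X4}' -f $machine)              # 0x014C = x86
        Is32Bit           = $isPe32
        IsExecutableImage = [bool]($characteristics -band 0x0002)  # IMAGE_FILE_EXECUTABLE_IMAGE
        IsDll             = [bool]($characteristics -band 0x2000)  # IMAGE_FILE_DLL
        Subsystem         = $subsystemName
        HasExports        = $dirs.Export
        HasSecurityInfo   = $dirs.Security
        HasTls            = $dirs.TLS
        IsDotNet          = $dirs.CLR                               # CLR runtime header present => .NET
        HasRichHeader     = $hasRich
    }
}

function New-SampleImage {
    # Constructed, headers-only PE32 image for this example; NOT the real sample.
    $img = New-Object byte[] 312                                   # 0x40 DOS header + 4 + 20 + 224
    $img[0] = 0x4D; $img[1] = 0x5A                                 # "MZ"
    [BitConverter]::GetBytes([uint32]0x40).CopyTo($img, 0x3C)      # e_lfanew
    [BitConverter]::GetBytes([uint32]0x4550).CopyTo($img, 0x40)    # "PE\0\0"
    $coff = 0x44
    [BitConverter]::GetBytes([uint16]0x014C).CopyTo($img, $coff)       # IMAGE_FILE_MACHINE_I386
    [BitConverter]::GetBytes([uint16]224).CopyTo($img, $coff + 16)     # SizeOfOptionalHeader
    [BitConverter]::GetBytes([uint16]0x0102).CopyTo($img, $coff + 18)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    $opt = $coff + 20
    [BitConverter]::GetBytes([uint16]0x10B).CopyTo($img, $opt)         # PE32 magic
    [BitConverter]::GetBytes([uint16]3).CopyTo($img, $opt + 68)        # IMAGE_SUBSYSTEM_WINDOWS_CUI
    [BitConverter]::GetBytes([uint32]16).CopyTo($img, $opt + 92)       # NumberOfRvaAndSizes
    [BitConverter]::GetBytes([uint32]0x3000).CopyTo($img, $opt + 96 + 8 * 9)     # TLS directory RVA
    [BitConverter]::GetBytes([uint32]0x18).CopyTo($img, $opt + 96 + 8 * 9 + 4)   # TLS directory size
    return ,$img
}

Get-PeAttributes -Bytes (New-SampleImage) | Format-List
# For a real file: Get-PeAttributes -Bytes ([IO.File]::ReadAllBytes('C:\samples\suspect.exe'))
```

The remaining items in the report (packing, the imgui and WriteProcessMemory traits, missing version info) come from section entropy, string and import scans rather than the header fields, and are not reproduced here.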
File Traits
- imgui
- No Version Info
- WriteProcessMemory
- x86
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.
| Total Blocks: | 1,125 |
|---|---|
| Potentially Malicious Blocks: | 367 |
| Whitelisted Blocks: | 488 |
| Unknown Blocks: | 270 |
Visual Map (block map image not reproduced; legend: ? = unknown block, x = potentially malicious block)
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.
| Category | API |
|---|---|
| Anti Debug | |
| User Data Access | |