Winsecure Ransomware

Winsecure Ransomware is a name that computer security experts use in reference to a file encoder Trojan that was identified on July 2nd, 2018. The Winsecure Ransomware Trojan was found on computers where the user loaded a fake Adobe Flash installer, which installed the threat to the Temp folder. The Winsecure Ransomware Trojan proved to be a customized version of the Bitshifter Ransomware that was added to security databases in July 2017. It appears that the creators of Bitshifter have been busy testing a new release of their product and they continue to use compromised legitimate servers to host their 'Command and Control' infrastructure.

The Winsecure Ransomware behaves like a generic crypto- threat and encodes data on the local disks. The Winsecure Ransomware includes routines for preventing PC users from restoring their data — the Shadow Volume snapshots and system restore points are deleted before the encryption process is initiated. Almost all ransomware samples feature instructions to delete the backups made by Windows. The Winsecure Ransomware is not very different from the NMCRYPT Ransomware and the AES-Matrix Ransomware. PC users may expect to find the '.encrypted' extension on files that have been encrypted by the threat. We have seen the Trojan to encode images, presentations, PDFs, databases, spreadsheets, MP3s and video using the AES cipher. Unfortunately, the decryption key is uploaded to remote servers and recovery of the data is impossible. For example, 'Cohenite Mineral.docx' is renamed to 'Cohenite Mineral.docx,' and you can find two foreign objects on your desktop named 'ransom_pay.html' and 'ransom_note.txt.' The files on your desktop are ransom notifications from the Winsecure team and offer the following:

'MOST OF YOUR IMPORTANT FILES HAVE BEEN
ENCRYPTED BY AES 256-CBC AND RSA 2048!
well, if you want to restore all your files you should send
!--PRICE-->0.05000000 BTC to the next address as you see below
!--BTC-->[1352RtNRpYRdKLWUUDkLBUKP7p4SqMAiTF]
!--TIME-->[a string with a set date and hour] (UTC)
if you do not have these hundreds of oil - you can say goodbye permanently to your files.
after payment files will be decrypted by himself. otherwise the key will be deleted.
you can decrypt for test any 3 files not more than 2 mb for each - just drop them to
'decrypt_folder' on your desktop. how to:
* turn off any AV
* payment
* keep your PC turned on
* wait for decryption
* get your files back
you'd could use any comfortable methods to make payment.
if cryptor was deleted, find 'c3cpxEASjsBJw2p8r9aynknfLspM7nFb.GolIum'
file on your desktop. change 'GolIum' to 'exe' and run that again.
don't make any changes for files.
good luck and have a nice day.
in code we trust'

Computer security researchers have seen the Winsecure Ransomware run as 'launcher.exe' on infected machines and demand 0.05 Bitcoin (326 USD/278 EUR) from users to decode their data. The threat operators may increase the ransom amount if they find out that their Trojan has compromised office computers. Compromised users might want to remove the Winsecure Ransomware with the help of a trusted cybersecurity instrument. AV engines support detection rules for Winsecure Ransomware and might mark related files with the following names:

Dropper.Agent.Win32.273122
Ransom_BITSHIFT.A
TR/FileCoder.suebo
Trojan-Ransom.Win32.Agent.izh
Trojan.Agent.ayah
Trojan.Generic.D56709E
Trojan.GenericKD.5664926
Trojan.Siggen7.25795
W32/Trojan.KQYJ-5474
Win32.Trojan.Dropper.Jmds
a variant of Win32/Filecoder.NMU
malware (ai score=100)

SpyHunter Detects & Remove Winsecure Ransomware