With the rise in Internet usage, security threats have also increased. Every day we come across a new type of virus, ransomware, or malware. EduCrypt is yet another new ransomware, but it differs from the others. Just like other ransomware, EduCrypt will encrypt the victim's files, but instead of asking for a ransom it hands over the means to decrypt them for free!
EduCrypt educational ransomware
EduCrypt is based on the Hidden Tear ransomware, and the sample has been created using Confuser. The ransomware encrypts only a small part of the files and folders, and it doesn't communicate with a command-and-control server. It is now clearly established that EduCrypt is a harmless ransomware that intends to teach users a lesson.
This is how it works. Once EduCrypt gains access to the system, it starts encrypting files with the extensions below.
.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg
Files that match one of these extensions are encrypted with a static password of HDJ7D-HF54D-8DN7D. The encrypted files are then given the .isis file extension. The ransomware displays all the file extensions that EduCrypt will encrypt.
Once the encryption process ends, a note called README.txt is created on the desktop, and the note also comes with a link to the decryptor. The .txt file resides in the following location: %UserProfile%\Documents\DecryptPassword.txt
While we do think that this is a bit of an extreme step to teach users a lesson, it sure is effective. Often we don't take the basic ransomware prevention steps, let our guard down, and take Internet security for granted, and it is incidents like this that turn out to be eye-openers.
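A triage check built from the indicators described above, as an added example that is not part of the original article: it walks a user profile for .isis files and for the two text files named here. The function names, the verdict labels and the constructed sample tree are assumptions made for the illustration.

```python
import os
import tempfile
from pathlib import Path

# Indicators as stated in the article above.
ENCRYPTED_SUFFIX = ".isis"
NOTE = Path("Desktop") / "README.txt"
PASSWORD_FILE = Path("Documents") / "DecryptPassword.txt"
TARGETED = set("""
.txt .exe .doc .docx .xls .index .pdf .zip .rar .css .lnk .xlsx .ppt .pptx
.odt .jpg .bmp .png .csv .sql .mdb .sln .php .asp .aspx .html .xml .psd .bk
.bat .mp3 .mp4 .wav .wma .avi .divx .mkv .mpeg .wmv .mov .ogg""".split())


def triage_profile(profile):
    """Walk one user profile directory and report EduCrypt indicators."""
    profile = Path(profile)
    markers = {profile / NOTE, profile / PASSWORD_FILE}
    encrypted, untouched = [], 0
    for root, _dirs, files in os.walk(profile):
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() == ENCRYPTED_SUFFIX:
                encrypted.append(path.relative_to(profile).as_posix())
            elif path.suffix.lower() in TARGETED and path not in markers:
                untouched += 1  # targeted file type that was not renamed
    has_note = (profile / NOTE).is_file()
    has_password = (profile / PASSWORD_FILE).is_file()
    # README.txt is a common file name, so on its own it proves nothing.
    verdict = ("likely" if encrypted and (has_note or has_password)
               else "possible" if encrypted or has_password else "none")
    return {"verdict": verdict, "encrypted": sorted(encrypted),
            "untouched_targets": untouched,
            "note": has_note, "password_file": has_password}


def build_constructed_profile(root, infected):
    """Create a small constructed profile tree (sample data, not real files)."""
    rels = ["Desktop/README.txt", "Documents/report.docx", "Pictures/cat.jpg"]
    if infected:
        rels += ["Documents/DecryptPassword.txt", "Documents/budget.isis"]
    for rel in rels:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_profile(build_constructed_profile(tmp, infected=True)))
```

A "possible" verdict means only one of the stronger indicators was found and the host needs a manual look.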