Threat Finder Ransomware, suspected to be Cryptolocker cousin, surfaces

A new ransomware called as “Threat Finder” has been discovered by a security researcher at Rackspace. Threat Finder is feared to be a copy of Cryptolocker and can infect Windows PC’s via multiple sources; the most common infection is when a user browses a compromised website.

Threat Finder’s discovery means that online community is exposed to a fatal malware that targets personal files and folders, encrypting them and asking ransom for decryption. Also, it reaffirms the fact that Cryptocker ransomware was indeed never eliminated. On the contrary, it was just waiting to resurface with another name.

Threat Finder Ransomware

Threat Finder Ransomware

Threat Finder was reported in January 2015 by security researchers. Brad Duncan, the Security Researcher at Rackspace, came across the ransomware on Tuesday, April 7th, 2015 when it infected a Windows host.

Brad says that the host was infected when casual web browsing led to the Angler exploit kit. After the infection, the host’s personal files were encrypted, and instructions for Threat Finder v2.4 appeared on the desktop screen.

An example of a successful Threat Finder attack:

  • Step 1: The user viewed a compromised website that generated behind the scenes traffic for Angler exploit kit.
  • Step 2: The vulnerable Windows host was infected by the Angler exploit kit.
  • Step 3: The exploit kit sent Bedep malware, commonly seen from Angler [3].
  • Step 4: Bedep downloaded more malware, including Threat Finder.
  • Step 5: Threat Finder encrypted the user’s personal files and displayed instructions to recover the data.

On a successful attack, the infected host computer contains at least one registry entry for a file named reg.dll.

Further analysis by revealed that, reg.dll generated traffic to, sending approximately 217 KB of data to the infected host. The analysis shows dropped files that are images for Threat Finder’s decrypt instruction. Threat Finder asks ransom via Bitcoin, however, there is no certainty that attackers would give decryption code after they receive the money.

What you should do when infected with Threat Finder

Sadly, there is no such trick to save your personal folders once you are infected with this dangerous malware. The only solution to save your data is to take timely backups and take the usual steps to Prevent Ransomware from getting onto your computer.

Download this VPN to secure all your Windows devices and browse anonymously
Posted by with Tags
Anand Khanse is the Admin of and a 10-year Microsoft MVP Awardee in Windows for the period 2006-16. He enjoys following and reporting Microsoft news and developments in the world of Personal Computing & Social Media.