The designer of Evil (ransomware) appears to be familiar with forensic investigation. The first step of his design, before executing the task, is to delete all the executable files from the following folder.
- Execute the command dir /b /s /x to generate a file inventory list, then save it in encrypted form under the naming convention 443.exe. Evil makes use of a ready-made solution: JavaScrypt (Browser-Based Cryptography Tools). JavaScrypt's encryption facilities use the Advanced Encryption Standard (AES), adopted by the United States as Federal Information Processing Standard 197. JavaScrypt uses 256-bit keys exclusively.
- Key generation and encryption (Remark: the details below are intended to convey the concept for educational purposes only.)
*.doc *.xls *.pub *.odt *.ods *.odp *.odm *.odc *.odb *.wps *.xlk *.ppt *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c
Hash sample: 1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c
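As an added example (this is not code from the page's author or from the ransomware), the Python script below turns the extension list above into a defender-side triage check: given a file inventory of the kind dir /b /s produces, it reports which entries fall under the targeted globs, and it compares a file's SHA-256 against the sample hash quoted above. The globs and the hash are the page's own values; the inventory lines are constructed for the example, and the matching is case-insensitive because Windows file names are.

```python
import fnmatch
import hashlib
from collections import Counter

# Extension globs quoted on the page as the ransomware's target list.
TARGET_GLOBS = """*.doc *.xls *.pub *.odt *.ods *.odp *.odm *.odc *.odb *.wps *.xlk *.ppt
*.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps
*.ai *.indd *.cdr img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc
*.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f
*.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c""".split()

# SHA-256 of the sample quoted on the page.
KNOWN_SAMPLE_SHA256 = "1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c"

# Constructed inventory in the shape of `dir /b /s` output (not a real host).
SAMPLE_INVENTORY = r"""
C:\Users\alice\Documents\budget.xlsx
C:\Users\alice\Documents\report.DOC
C:\Users\alice\Pictures\IMG_0042.JPG
C:\Users\alice\Pictures\holiday.jpg
C:\certs\server.pem
C:\Windows\System32\notepad.exe
"""


def _basename(path: str) -> str:
    """File name component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_targeted(path: str) -> bool:
    """True if the file name matches any of the page's target globs.

    fnmatchcase is used with a lower-cased name and pattern so the match is
    case-insensitive regardless of the platform the script runs on.
    """
    name = _basename(path)
    return any(fnmatch.fnmatchcase(name, glob.lower()) for glob in TARGET_GLOBS)


def at_risk_files(inventory_text: str) -> list:
    """Inventory entries (one path per line) that fall under the target list."""
    return [line.strip() for line in inventory_text.splitlines()
            if line.strip() and is_targeted(line.strip())]


def risk_by_extension(inventory_text: str) -> Counter:
    """Count of at-risk files per lower-cased extension, for a quick summary."""
    counts = Counter()
    for path in at_risk_files(inventory_text):
        name = _basename(path)
        counts[name.rsplit(".", 1)[-1] if "." in name else ""] += 1
    return counts


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (read a file in binary mode to hash it)."""
    return hashlib.sha256(data).hexdigest()


def matches_known_sample(data: bytes) -> bool:
    """True if the bytes hash to the sample quoted on the page."""
    return sha256_hex(data) == KNOWN_SAMPLE_SHA256


if __name__ == "__main__":
    for path in at_risk_files(SAMPLE_INVENTORY):
        print("at risk:", path)
    print("by extension:", dict(risk_by_extension(SAMPLE_INVENTORY)))
    print("hash match on placeholder bytes:", matches_known_sample(b"placeholder"))
```

Note that budget.xlsx is not reported: *.xls does not match the newer .xlsx suffix, so a triage based solely on the quoted globs understates exposure on hosts that use Office Open XML formats. A hash match is only a point check for the one known sample; AV coverage, as the page goes on to say, varies by vendor.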
Current status: 24th Jan 2017
No worries: most of the popular antivirus programs are able to detect the Devil ransomware.
For example: Kaspersky, F-Secure, Symantec, TrendMicro. How about McAfee? It looks as though their signatures do not have coverage.