H5N1 is a new ransomware family that is being widely distributed and that selects its victims by geolocation, determined from the IP address of the infected device.
The ransomware was discovered by Doctor Web security researchers, who warn that cybercriminals are using the malicious program to attack users of Windows operating systems for profit.
The preventive protection component of Dr.Web Antivirus detects this Trojan under the name DPH:Trojan.Encoder.9, and signature detection under the name Trojan.Encoder.25129. It is an encoder Trojan, i.e. a program that encrypts the data on an infected computer and demands a ransom for it.
After launch, it determines the user's location from the IP address of the infected device. According to the researchers' analysis, the malware authors apparently intended the ransomware not to encrypt files in certain countries, namely Russia, Belarus and Kazakhstan, nor on systems whose Windows regional settings and interface language are Russian. However, because of an error in its code, the ransomware encrypts files regardless of the geographic location of the IP address, and in most cases the files affected by this malware cannot be restored.
The Trojan encrypts the contents of the current user's folders, the Windows desktop, and the service folders AppData and LocalAppData. Encryption uses AES-256-CBC, and encrypted files are given the extension .tron.
Files larger than 30,000,000 bytes (approximately 28.6 MiB) are not touched, so large files such as disk images or databases are left intact. Once encryption is complete, the Trojan creates the file %ProgramData%\trig and writes the value "123" into it; if that file already exists when the Trojan runs, no encryption is performed. The malware then sends a request to an iplogger site whose address is embedded in its body (an outbound request to that site is therefore a network indicator worth alerting on), and finally displays a window with the ransom demand.
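The following is an added triage script, not code from Dr.Web or from the malware, that turns the indicators described above into checks a responder can run: it looks for the %ProgramData%\trig completion marker, optionally pre-creates it as a vaccine (this relies solely on the behaviour described above, which a later build could change, so it does not replace backups), and walks a profile directory to separate renamed .tron files, files over the 30,000,000-byte limit (left intact by this encoder), and small files still at risk. The profile and ProgramData paths are parameters; the sample tree it builds is constructed for an offline run.

```python
import os
import tempfile
from dataclasses import dataclass, field

TRON_EXT = ".tron"          # extension appended to encrypted files
SIZE_LIMIT = 30_000_000     # files larger than this are not encrypted
MARKER_NAME = "trig"        # %ProgramData%\trig, written after encryption
MARKER_VALUE = "123"        # value the Trojan writes into the marker


def marker_path(program_data):
    """Path of the completion marker under the given %ProgramData% directory."""
    return os.path.join(program_data, MARKER_NAME)


def marker_present(program_data):
    """True if the marker exists; per the analysis, its presence alone stops encryption."""
    return os.path.isfile(marker_path(program_data))


def write_vaccine_marker(program_data):
    """Pre-create the marker so the Trojan's own check finds it and skips encryption.

    Assumption: depends only on the check described in the analysis; a later build
    could remove it. Returns False if a marker already existed, which may itself be
    a sign that the encoder has already run on this host.
    """
    path = marker_path(program_data)
    if os.path.exists(path):
        return False
    with open(path, "w", encoding="ascii") as fh:
        fh.write(MARKER_VALUE)
    return True


@dataclass
class TriageReport:
    marker_present: bool
    encrypted: list = field(default_factory=list)      # *.tron files found
    intact_large: list = field(default_factory=list)   # > SIZE_LIMIT, so untouched
    at_risk: list = field(default_factory=list)        # small and not yet renamed


def triage(root, program_data):
    """Walk `root` (e.g. the user profile) and classify files by the indicators above."""
    report = TriageReport(marker_present=marker_present(program_data))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(TRON_EXT):
                report.encrypted.append(path)
            elif os.path.getsize(path) > SIZE_LIMIT:
                report.intact_large.append(path)
            else:
                report.at_risk.append(path)
    return report


def build_sample_tree():
    """Constructed sample: a fake user profile plus a fake %ProgramData% directory."""
    base = tempfile.mkdtemp(prefix="h5n1-demo-")
    profile = os.path.join(base, "Users", "alice")
    program_data = os.path.join(base, "ProgramData")
    os.makedirs(os.path.join(profile, "Desktop"))
    os.makedirs(os.path.join(profile, "AppData", "Local"))
    os.makedirs(program_data)
    with open(os.path.join(profile, "Desktop", "report.docx.tron"), "wb") as fh:
        fh.write(b"\x00" * 64)                   # stands in for an encrypted, renamed file
    with open(os.path.join(profile, "Desktop", "notes.txt"), "w") as fh:
        fh.write("not yet encrypted")
    with open(os.path.join(profile, "AppData", "Local", "backup.vhd"), "wb") as fh:
        fh.truncate(SIZE_LIMIT + 1)              # sparse file just over the size limit
    return profile, program_data


if __name__ == "__main__":
    profile, program_data = build_sample_tree()
    print("vaccine written:", write_vaccine_marker(program_data))
    r = triage(profile, program_data)
    print(f"marker={r.marker_present} encrypted={len(r.encrypted)} "
          f"intact_large={len(r.intact_large)} at_risk={len(r.at_risk)}")
```

On a real host, call `triage(os.environ["USERPROFILE"], os.environ["ProgramData"])`; the `intact_large` list is the first place to look for recoverable data, since files over the limit were never encrypted.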
This ransomware is mainly distributed through social media posts that carry a malicious payload, and it also spreads via network shares.