Recently, ransomware removal analysts manage to uncover a new cyber threat. As users reported their loss of access to crucial data, a ransomware by the name of Monro was found to be the culprit. Users were tricked into downloading the malicious payload of the ransomware from spam emails where attachments in the .docx and .pdf formats carried the ransomware’s infection components.
The ransomware also propagates through various websites on the internet, especially the ones with weak security and websites that encourage users to download freeware. Hence, the probability of a Monro Ransomware attacking your PC depends highly on your internet behavior.
Post-infection, the ransomware goes in the Temp folder of Windows where it takes certain liberties with the OS. Subsequently, it locks the files in a computer. These files are modified with an added extension of “id-[victim’s_ID].[icrypt@cock.li].monro”. For example, if you have a file with the name of “graduation_pic.png” in your computer that cannot be opened or accessed, then it may appear as “graduation_pic.png.id-2D769A55.[icrypt@cock.li].monro”.
The encryption utilizes the cryptographic algorithm by the name of AES (Advanced Encryption Standard). The ransomware is smart enough to delete the copies of shadow volume of the encrypted files, which makes the ransomware removal and recovery process complex.
After the successful completion of the encryption process, two additional files are created: A text document named “FILES ENCRYPTED.txt” and a HTML application “Info.hta”. These files entail the ransom note.
Like other ransom notes, the note begins with the acknowledgment that the ransomware has encrypted the user’s data. An email address of icrypt@cock.li is provided for communication where an ID – provided in the ransom note – has to be put in the subject line of the email. Ransom is asked in the form of Bitcoin while the exact amount is stated to be informed via email. The note ends with a warning against any attempt at ransomware removal.
