PSCrypt targets Windows OS and is distributed via Remote Desktop Protocol (RDP) compromise. This variant is based on GlobeImposter 2.0 and it primarily impacted victims within Ukraine when the campaign started on Wednesday, June 21, 2017. Once the malicious actor gains access to a targeted system, he drops a file named either wmodule.exe or wmodule.zip to install the ransomware. It appends .pscrypt to the names of encrypted files and drops a ransom note written in Ukrainian and named Paxynok.html. The ransom note demands that victims locate an iBox terminal, a type of ATM machine only available in Ukraine, and deposit 2,500 Ukrainian Hryvnia (approximately 100 USD). Afterwards, they must purchase Bitcoin using the BTCU.biz currency exchange and take a picture of the transaction to send to the attacker.
Extensions appended to file names:
Ransom note file names:
Email address associated with PSCrypt:
Bitcoin wallet address associated with PSCrypt:
- Bleeping Computer provides more information about PSCrypt here.
- The NJCCIC is not currently aware of any free decryption tools available for PSCrypt.