'Fake Ransomware' is Named Appropriately
A new ransomware is circulating in the wild, but it does not really conform to the definition of ransomware.
The Fake ransomware only renames files in a confusing way and does not perform any actual encryption. Most ransomware variants encrypt files in a managed manner, and the ransomware operator possesses a decryption tool that can be used to decrypt the victim's files; some strains of alleged "ransomware" simply destroy your data. Fake, on the other hand, just renames your files in a way that makes them unrecognizable.
Fake has been spotted on malicious websites distributed under the name "SexyPhotos.JPG.exe" among others. The malware drops four executables and a single batch file in the system's temp directory. The batch file makes copies of the executables in the Startup folder to ensure persistence.
One of the three executables is launched and starts the actual file-altering process. Affected files are renamed with a name prefix and a ".Locked_file" extension and given sequential numbers.
A ransom note is generated and dropped inside a "Readme.txt" file.
When researchers examined a file before and after the supposed encryption, they discovered that only the file name was changed and the file's contents remained unchanged.
The Fake ransomware can still cause major issues because files will be unrecognizable after the renaming process.
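Because only the names change and the contents stay intact, a responder can identify each renamed file's original type from its leading bytes. The following Python is an added example, not code from the article or the researchers; the signature table, the function names and the `Prefix1`-style sample file names are assumptions constructed for illustration, and it only proposes new names without renaming anything.

```python
import os
import tempfile

# Well-known leading file signatures mapped to an extension.
SIGNATURES = [
    (b"%PDF-", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"PK\x03\x04", ".zip"),  # also the container for docx/xlsx/pptx
]
LOCKED_EXT = ".Locked_file"  # extension named in the article

def sniff_extension(path):
    """Return the extension implied by the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None

def plan_recovery(root):
    """Map each renamed file under root to a proposed name (dry run only)."""
    plan = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(LOCKED_EXT):
                continue
            src = os.path.join(dirpath, name)
            ext = sniff_extension(src)
            # Unknown signature: leave the entry as None for manual review.
            plan[src] = src[: -len(LOCKED_EXT)] + ext if ext else None
    return plan

def build_sample(root):
    """Constructed sample files; the 'Prefix' names are placeholders."""
    samples = {
        "Prefix1.Locked_file": b"%PDF-1.7\n% constructed sample\n",
        "Prefix2.Locked_file": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "Prefix3.Locked_file": b"plain text with no signature",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for src, dst in plan_recovery(tmp).items():
            print(os.path.basename(src), "->", os.path.basename(dst) if dst else "unknown")
```

Files with no recognisable signature, such as plain text, are left unmapped and need manual inspection.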