Ransom:Win32/Ergop.A
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This ransomware can stop you from using your PC or accessing your data.
It encrypts files and uses .707, .725, .726, .astra, .crypt, .ocean, or .txt as file name extension for encrypted files. It leaves a ransom note with the file name how_open_files.hta, RECOVER-FILES.html, or !back_files!.html.
Our ransomware FAQ page has more information on this type of threat.
The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.
Read our latest report: A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017.
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
- Microsoft Safety Scanner
You should also run a full scan. A full scan might find hidden malware.
Use cloud protection
Use cloud protection to help guard against the latest malware threats. It’s turned on by default for Microsoft Security Essentials and Windows Defender for Windows 10.
To check if it's running, go to All settings > Update & security > Windows Defender and make sure that the Cloud-based Protection setting is turned On.
Get more help
You can also see our advanced troubleshooting page for more help or search the Microsoft virus and malware community for more help.
If you’re using Windows XP, see our Windows XP end of support page.
Threat behavior
Installation
This threat drops a copy of itself in any of the following folders:
- %TEMP%
- %APPDATA%/Roaming\Microsoft\SystemCertificates\My\Certificates\
- %USERPROFILE%\Public
It can use any of the following file names:
- 2502.tmp.exe
- 95FC.tmp.exe
- 401B.tmp.exe
It may create the following autostart registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: CertificatesCheck
With data: <malware drop location>
Payload
Encrypts files
This threat searches for and encrypts files with the following filename extensions:
.1cd, .3d, .3d4, .3df8, .3dm, .3ds, .3fr, .3g2, .3ga, .3gp, .3gp2, .3mm, .3pr, .7z, .7zip, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li,
.900, .a2c, .aa, .aa3, .aac, .aaf, .ab4, .abk, .abw, .ac2, .ac3, .accdb, .accde, .accdr, .accdt, .ace, .ach, .acr, .act, .adb, .ade, .adi, .adp, .adpb, .adr, .ads, .adt,
.aep, .aepx, .aes, .aet, .afp, .agd1, .agdl, .ai, .aif, .aiff, .aim, .aip, .ais, .ait, .ak, .al, .allet, .amf, .amr, .amu, .amx, .amxx, .ans, .aoi, .ap,
.ape, .api, .apj, .apk, .apnx, .application, .arc, .arch00, .ari, .arj, .aro, .arr, .arw, .as, .as3, .asa, .asc, .ascx, .ase, .asf, .ashx, .asm, .asmx, .asp, .aspx,
.asr, .asset, .asx, .au3, .avi, .automaticdestinations-ms, .avs, .awg, .azf, .azs, .azw, .azw1, .azw3, .azw4, .b2a, .back, .backup, .backupdb, .bad, .bak, .bank, .bar, .bat, .bay, .bc6,
.bc7, .bck, .bcp, .bdb, .bdp, .bdr, .bfa, .bgt, .bi8, .bib, .bic, .big, .bik, .bin, .bitmap, .BK5, .bkf, .bkp, .bkup, .blend, .blob, .blp, .bmc, .bmf, .bml,
.bmp, .boc, .bp2, .bp3, .bpk, .bpl, .bpw, .brd, .bsa, .bsk, .bsp, .btoa, .bvd, .c, .CAB, .caf, .cag, .cam, .camproj, .cap, .car, .cas, .cat, .cbf, .cbr,
.cbz, .cc, .ccd, .ccf, .cch, .cd, .cdf, .cdi, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cef, .cer, .cert, .cfg, .cfp, .cfr, .cgf, .cgi,
.cgm, .cgp, .chk, .chm, .chml, .cib, .class, .clr, .cls, .clx, .cmd, .cmf, .cms, .cmt, .cnf, .cng, .cnt, .cod, .col, .com, .con, .conf, .config, .contact, .cp,
.cpi, .cpio, .cpp, .cr2, .craw, .crd, .crt, .crw, .crwl, .crypted, .cryptra, .cs, .csh, .csi, .csl, .cso, .csr, .css, .csv, .ctt, .cty, .cue, .cur, .cwf, .d3dbsp,
.dac, .dal, .dap, .das, .dash, .dat, .database, .dayzprofile, .dazip, .db, .db_journal, .db0, .db3, .dba, .dbb, .dbf, .dbfv, .db-journal, .dbx, .dc2, .dc4, .dch, .dco, .dcp, .dcr,
.dcs, .dcu, .ddc, .ddcx, .ddd, .ddoc, .ddrw, .dds, .default, .dem, .deploy, .depot, .der, .des, .desc, .design, .desklink, .dev, .dex, .dfm, .dgc, .dic, .dif, .dii, .dim,
.dime, .dip, .dir, .directory, .disc, .disk, .dit, .divx, .diz, .djv, .djvu, .dlc, .dll, .dmg, .dmp, .dng, .dob, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dox,
.dpk, .dpl, .dpr, .drf, .drw, .dsk, .dsp, .dtd, .dvd, .dvi, .dvx, .dwg, .dwt, .dxb, .dxe, .dxf, .dxg, .e4a, .edb, .efi, .efl, .efr, .efu, .efx, .eip,
.elf, .emc, .emf, .eml, .enc, .enx, .epk, .eps, .epub, .eql, .erbsql, .erf, .err, .esf, .esm, .euc, .evo, .ex, .exe, .exf, .exif, .f90, .faq, .fb2, .fbk,
.fcd, .fcf, .fdb, .fdbx, .fdf, .fdr, .fds, .ff, .ffd, .fff, .fh, .fhd, .fic, .file, .fla, .flac, .flf, .flp, .flv, .flvv, .fmx, .for, .forge, .fos, .fpenc,
.fpk, .fpp, .fpx, .frf, .frm, .fsh, .fss, .ftx, .fxg, .fxp, .gam, .gdb, .gfe, .gfx, .gho, .gif, .gpg, .gray, .grey, .grf, .groups, .gry, .gthr, .gxk, .gz,
.gzig, .gzip, .h, .h3m, .h4r, .hbk, .hbx, .hdd, .hdr, .hex, .hkdb, .hkx, .hplg, .hpp, .hpt, .hqx, .hta, .htm, .html, .htpasswd, .hvpl, .hwp, .ibank, .ibd, .ibz,
.ico, .icxs, .idl, .idml, .idx, .ie5, .ie6, .ie7, .ie8, .ie9, .iff, .ifo, .iif, .iiq, .img, .incpas, .indb, .indd, .indl, .indt, .ini, .ink, .ins, .inx, .iobj,
.ipa, .ipdb, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jac, .jar, .jav, .java, .jbc, .jc, .jfif, .jge, .jgz, .jif, .jiff, .jnt, .jpc, .jpe, .jpeg,
.jpf, .jpg, .jpw, .js, .json, .jsp, .just, .k25, .kc2, .kdb, .kdbx, .kdc, .kde, .key, .kf, .klq, .kmz, .kpdx, .kwd, .kwm, .laccdb, .lastlogin, .lay, .lay6, .layout,
.lbf, .lbi, .lcd, .lcf, .lck, .lcn, .ldb, .ldf, .lgp, .lib, .lid, .lit, .litemod, .lngttarch2, .lnk, .localstorage, .log, .lp2, .lpa, .lrf, .lst, .ltm, .ltr, .ltx, .lua,
.lvivt, .lvl, .m, .m2, .m2ts, .m2v, .m3u, .m3u8, .m4a, .m4p, .m4u, .m4v, .mag, .man, .manifest, .map, .mapimail, .max, .mbox, .mbx, .mcd, .mcgame, .mcmeta, .mcrp, .md,
.md0, .md1, .md2, .md3, .md5, .mdb, .mdbackup, .mdc, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .meo, .mfw, .mic, .mid, .mim, .mime, .mip, .mjd, .mkv, .mlb,
.mlx, .mm6, .mm7, .mm8, .mme, .mml, .mmo, .mmw, .mmx, .mny, .mobi, .mod, .moneywell, .mos, .mov, .movie, .moz, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpeg,
.mpg, .mpq, .mpqge, .mpv2, .mrw, .mrwref, .mse, .msg, .msi, .msp, .mts, .mui, .mxd, .mxp, .myd, .myi, .nav, .ncd, .ncf, .nd, .ndd, .ndf, .nds, .ndx, .nef,
.nfl, .nfo, .nk2, .nop, .now, .npk, .nrg, .nri, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .ntl, .number, .nup, .nvram, .nwb, .nx1, .nx2, .nxl, .nyf,
.oab, .obj, .ocx, .odb, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .oft, .oga, .ogg, .oil, .ok, .old, .opd, .opf, .orf, .ost, .otg, .oth, .otp,
.ots, .ott, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pack, .pages, .pak, .paq, .pas, .pat, .pbd, .pbf, .pbk, .pbp, .pbs, .pcd, .pct, .pcv, .pdb, .pdc, .pdd,
.pef, .pem, .pfx, .php, .pif, .pkb, .pkey, .pkh, .pkpass, .pl, .plb, .plc, .pli, .plus_muhd, .pm, .pmd, .png, .po, .pot, .potm, .potx, .ppam, .ppd, .ppf, .ppj,
.pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prc, .pre, .prel, .prf, .props, .prproj, .prt, .ps, .psa, .psafe3, .psd, .psk, .pspimage, .pst, .psw6, .ptx, .pub, .puz, .pwf,
.pwi, .pwm, .pxp, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qdf, .qed, .qel, .qic, .qif, .qm, .qpx, .qry, .qt, .qtq, .qtr, .r00,
.r01, .r02, .r03, .r3d, .ra, .ra2, .raf, .ram, .rar, .rat, .raw, .rb, .rdb, .rdi, .rdl, .re4, .rep, .res, .result, .rev, .rgn, .rgss3a, .rim, .rll, .rm,
.rng, .rofl, .rp, .rpf, .rrt, .rsdf, .rsrc, .rsw, .rte, .rtf, .rts, .rtx, .rum, .run, .rv, .rvt, .rw2, .rwl, .rwz, .rzk, .rzx, .s3db, .sad, .saf, .safe,
.sas7bdat, .sav, .save, .say, .sb, .sc2save, .sch, .scm, .scn, .scx, .sd0, .sd1, .sda, .sdb, .sdc, .sdf, .sdi, .sdn, .sdo, .sds, .sdt, .search-ms, .sef, .sen, .ses,
.session, .sfs, .sfx, .sgcml, .sgz, .sh, .shar, .shr, .shw, .shy, .sid, .sidd, .sidn, .sie, .sis, .sldm, .sldx, .slk, .slm, .slt, .sme, .snk, .snp, .snx, .so,
.spd, .spi, .spk, .spr, .sql, .sqlite, .sqlite3, .sqlitedb, .sqllite, .sqx, .sr2, .srf, .srt, .srw, .ssa, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stm, .stt,
.stw, .stx, .sud, .suf, .sum, .sv2i, .svc, .svg, .svi, .svr, .swd, .swf, .switch, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .syncdb, .t01, .t03, .t05, .t12, .t13,
.tar, .tar.gz, .tax, .tax2013, .tax2014, .tbk, .tbz2, .tch, .tcx, .tex, .text, .tg, .tga, .tgz, .thm, .thmx, .tib, .tif, .tiff, .tlb, .tlg, .tlz, .toast, .tor, .torrent,
.tpu, .tpx, .trn, .trp, .ts, .TSF, .ttf, .tu, .tur, .txd, .txf, .txn, .txt, .uax, .udf, .uea, .umx, .unity3d, .unr, .unx, .uop, .uot, .upk, .upoi, .url,
.usa, .usx, .ut2, .ut3, .utc, .utx, .uu, .uud, .uue, .uvx, .uxx, .v2i, .val, .vault, .vbox, .vbs, .vc, .vcd, .vcf, .vdf, .vdi, .vdo, .ver, .vfs0, .vhd,
.vhdx, .vlc, .vlt, .vmdk, .vmf, .vmsd, .vmt, .vmx, .vmxf, .vob, .vp, .vpk, .vpp_pc, .vsi, .vssettings, .vtf, .w3g, .w3x, .wab, .wad, .wallet, .war, .wav, .wave, .waw,
.wb2, .wbk, .wdgt, .wer, .wks, .wm, .wma, .wmd, .wmdb, .wmmp, .wmo, .wmv, .wmx, .wotreplay, .wow, .wpd, .wpe, .wpk, .wpl, .wps, .wsh, .wtd, .wtf, .wvx, .x11,
.x3f, .xf, .xis, .xl, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlv, .xlw, .xlwx, .xml, .xpi, .xps, .xpt,
.xqx, .xsl, .xtbl, .xvid, .xwd, .xxe, .xxx, .yab, .ycbcra, .yenc, .yml, .ync, .yps, .yuv, .z02, .z04, .zap, .zip, .zipx, .zoo, .zps, .ztmp, 001
It appends any of the following file name extensions to encrypted files:
- .707
- .725
- .726
- .astra
- .crypt
- .ocean
- .txt
For example:
- file.doc is renamed to file.doc.crypt
- file.pdf is renamed to file.pdf.crypt
- file.png is renamed to file.png.707
- file.bin is renamed to file.bin.707
It doesn't encrypt files in the following folders:
- Avast
- AVG
- Avira
- Chrome
- Common Files
- COMODO
- Dr.Web
- ESET
- Internet Explorer
- Kaspersky Lab
- McAfee
- Microsoft
- Microsoft Help
- Microsoft Shared
- Microsoft.NET
- Movie Maker
- Mozilla Firefox
- ntldr
- NVIDIA Corporation
- Opera
- Outlook Express
- ProgramData
- spytech software
- Symantec
- Symantec_Client_Security
- sysconfig
- system volume information
- Temp
- windows
- Windows App Certification Kit
- Windows Defender
- Windows Kits
- Windows Mail
- Windows Media Player
- Windows Multimedia Platform
- Windows NT
- Windows Phone Kits
- Windows Phone Silverlight Kits
- Windows Photo Viewer
- Windows Portable Devices
- Windows Sidebar
- WindowsPowerShell
- wsus
- Wsus
- YandexBrowser
The threat also does not encrypt files named rsa_prive_testing.txt.
It drops any of the following files in every folder where it encrypts files, to serve as a ransom note:
- how_open_files.hta
- RECOVER-FILES.html
- !back_files!.html
Ends processes
The threat also ends or terminates any process whose name contains any of the following strings:
- 1c
- excel
- outlook
- postgre
- ssms
- sql
- word
This threat can also delete backup copies and can target terminal servers.
Analysis by Carmen Liang
Prevention
The following can indicate that you have this threat on your PC:
- One of the following file name extensions is appended to your files:
  - .707
  - .725
  - .726
  - .astra
  - .crypt
  - .ocean
  - .txt
- You have the following files:
  - 2502.tmp.exe
  - 95FC.tmp.exe
  - 401B.tmp.exe
  - how_open_files.hta
  - RECOVER-FILES.html
  - !back_files!.html
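The indicators given in the Installation and Prevention sections (the RunOnce value, the drop folders and file names, the ransom note names and the appended extensions) can be checked on a host with a read-only PowerShell triage script. This is an added example, not part of the Microsoft encyclopedia entry; it assumes it runs in the profile of the affected user and tries both readings of the %APPDATA% drop path, since %APPDATA% normally already resolves to the Roaming folder.

```powershell
# Added example, not from the encyclopedia entry: read-only triage of the
# Ergop.A indicators listed above. Nothing is modified or deleted.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $detail) {
    $findings.Add([pscustomobject]@{ Type = $type; Detail = $detail })
}

# 1. Autostart entry: HKCU ...\RunOnce, value CertificatesCheck -> drop location
$runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$v = Get-ItemProperty -Path $runOnce -Name CertificatesCheck -ErrorAction SilentlyContinue
if ($v) { Add-Finding 'Registry' "$runOnce\CertificatesCheck = $($v.CertificatesCheck)" }

# 2. Dropped copies under the listed names in the listed folders. $env:APPDATA
#    already ends in \Roaming, so both readings of the entry's path are tried.
$dropDirs = @(
    $env:TEMP,
    (Join-Path $env:APPDATA 'Microsoft\SystemCertificates\My\Certificates'),
    (Join-Path $env:APPDATA 'Roaming\Microsoft\SystemCertificates\My\Certificates'),
    (Join-Path $env:USERPROFILE 'Public')
)
foreach ($dir in $dropDirs) {
    foreach ($name in '2502.tmp.exe', '95FC.tmp.exe', '401B.tmp.exe') {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { Add-Finding 'DroppedFile' $p }
    }
}

# 3. Ransom notes and renamed files under the user profile. A renamed file keeps
#    its original extension (file.doc.crypt), so a double extension is required;
#    .txt is left out because it cannot be told apart from ordinary text files.
$noteNames = 'how_open_files.hta', 'RECOVER-FILES.html', '!back_files!.html'
$renamed   = '\.[^.\\]+\.(707|725|726|astra|crypt|ocean)$'
Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($noteNames -contains $_.Name)  { Add-Finding 'RansomNote'  $_.FullName }
        elseif ($_.Name -match $renamed)   { Add-Finding 'RenamedFile' $_.FullName }
    }

if ($findings.Count -eq 0) { 'No Ergop.A indicators found.' }
else { $findings | Sort-Object Type | Format-Table -AutoSize }
```

A hit on the RunOnce value or a dropped copy is strong evidence; a single renamed-file hit should be confirmed by opening the folder, since a few legitimate names also end in .707 or .crypt.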