Widia — fake ransomware virus

Vilhelm
2 min read · Jun 6, 2017


This cryptovirus allegedly encrypts user data and then demands a ransom payment to return the files.

The file name: client

Developer: Sorin.

Fake Copyright: Microsoft 2017.

Widia cannot actually encrypt your files; most probably it is still in development. No extension is appended to the so-called “encrypted” files.

Widia ransomware was first spotted in the second half of May 2017. It is aimed at English-speaking users, which does not prevent it from spreading around the world.

The ransom note is presented on a lock screen. It can still be closed with the key combination Alt + F4. In the upper left corner there is an inscription in Romanian: De la Sorin pt voi. (Translated: “From Sorin to you”).

Ransom note content:

Your documents, photos, databases and other important files have been encrypted with the strongest encryption and unique key, generated for this computer. The private decryption key is stored on a secret Internet private and private keys. The server will remove the key after some time specified in this window.

Distribution

Widia can be distributed through spam emails with malicious attachments, fraudulent downloads, exploits, web injections, fake updates, and repackaged or infected installers.

It claims to encrypt MS Office and OpenOffice documents, PDF files, text files, databases, photos, music, video and image files, and archives.

Related files

Client.exe

B60e87widia.exe

<Random>.exe

Oops.rr

Oobelx.dt

B60e87widia.ini

Wd0w.exe

Location

%WINDIR%\b60e87widia.exe

%WINDIR%\oops.rr

%WINDIR%\oobelx.dt

%WINDIR%\b60e87widia.ini

%WINDIR%\wd0w.exe
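As an added triage example (not part of the original post), the Python script below checks a Windows directory for the artifact names listed above and tests whether a document still carries the header its extension implies, which is what you would expect from a sample that only shows a lock screen and never encrypts anything. The artifact names come from the post; the magic-byte table, the entropy threshold and all function names are this example's own assumptions.

```python
"""Triage helper for the Widia lock-screen "ransomware" described above."""
import math
import os
from collections import Counter

# File names the post lists under %WINDIR% (NTFS lookups are case-insensitive).
WIDIA_ARTIFACTS = ("b60e87widia.exe", "oops.rr", "oobelx.dt",
                   "b60e87widia.ini", "wd0w.exe")

# Assumed header signatures for the document types the ransom note claims
# to encrypt. Real encryption would destroy these plaintext headers.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are zip containers
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}

def listed_artifacts(names):
    """Return the post's artifact names that appear in `names` (a directory listing)."""
    present = {n.lower() for n in names}
    return [a for a in WIDIA_ARTIFACTS if a in present]

def scan_windir(windir=None):
    """List Widia artifacts in the Windows directory (defaults to %WINDIR%)."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    return listed_artifacts(os.listdir(windir))

def shannon_entropy(data):
    """Bits per byte; ciphertext and compressed data sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def header_intact(ext, head):
    """True if `head` (first bytes of a file) matches the signature for `ext`.
    Unknown types fall back to an entropy heuristic (assumed threshold 7.5)."""
    sig = MAGIC.get(ext.lower())
    if sig is None:
        return shannon_entropy(head) < 7.5
    return head.startswith(sig)

def check_file(path):
    """Read a file's first 4 KiB and report whether it still looks unencrypted."""
    with open(path, "rb") as fh:
        return header_intact(os.path.splitext(path)[1], fh.read(4096))

if __name__ == "__main__":
    print("Widia artifacts found:", scan_windir())
```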

Test results

Hybrid analysis

VirusTotal analysis

Degree of prevalence

Low
