Ransomware Encrypts Files of Users of File-Sharing Services, Demands 50-Euro Ransom

Scammers Accuse Users of Harboring Illicit Programs, Alter Extensions, And Turn Icons Pink

A new scareware preys on people who download movies, music and other pieces using file-sharing services by encrypting files on the victim’s computer and demanding 50 euros in exchange for a code to restore them, according to Bitdefender research.

The scareware found by Bitdefender and identified as Trojan.Ransom.HM haunts file sharing networks that often also harbor pirated versions of music, movies and other files. After it encrypts certain non-executable files on the victim’s PC, it claims it found illegal programs on the computer and demands the payment to a specific Gmail address.

Once on a new system-host, it encrypts all extensions pertaining to movies, music, photos, shortcuts, PDF, text and html files by adding .EnCiPhErEd to the valid file extension. It also changes the default icons of all the files with modified extensions to a pink common icon.

In each folder it finds on the infected system, the scareware adds a file named “HOW TO DECRYPT FILES.txt” and the following warning message:

Attention! All your files are encrypted!

You are using unlicensed programms!

To restore your files and access them,

send code Ukash or Paysafecard nominal value of  EUR 50 to the e-mail

During the day you receive the answer with the code.

You have 5 attempts to enter the code. If you exceed this date all data is irretrievably spoiled. Be careful when you enter the code!

Theuser is asked to send the proof of a 50 Euro-deposit to a certain Gmail address. In a day’s time, the victim receives a reply with a code that should be entered in the decryption box. Should the user enter the code unsuccessfully, the data will forever be lost.

Serving as a justification for the abusive encryption is the warning given by the scammer that the user is using unlicensed programs. This follows a scam trend of following the scam trend of recent months in which perpetrators impersonated police authorities chasing people downloading and using pirated software.


Confusion over the file icons and extensions is meant to trigger panic and squeeze the 50 euros from the user. Words like unlicensed programs, encryption, and attention are meant to alarm someone into acting before checking. The PC remains fully functional but most users will be too busy scrambling to find personal data to give this any importance.

A function in the scareware appears to allow the victims to decrypt the files once they type in a specific code provided to them by the crook via e-mail.

Bitdefender is in possession of the builder generating this kind of scareware. It is the case of a do-it-yourself kit that can be used by whoever wants to create a customized malicious tool. The kit allows scammers to choose the encryption algorithm, the text to be shown to the victim, the language, and the kind of files to be encrypted or the icon for the compromised files.

What to Do: In order to avoid this kind of problem, pay great attention to the files you choose to download from your favorite peer-to-peer network.

This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender VirusAnalyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.