Jul 17, 2011

Ransom Trojan

Ransom is a Trojan which, once installed, locks the user out of the system and demands payment to unlock it.

Here I have analysed a ransom file, xxx_video.exe, using OllyDbg.
This ransom Trojan creates a mutex named "BFFF5675-ADC0-4740-81FF-7540597A0DC5" to mark its presence on the infected system.

It enumerates the running processes and checks for explorer.exe. If found, it kills explorer.exe on the infected system so that the user cannot access the Windows shell or any files.

It creates a copy of itself in the All Users\Application Data folder.

It modifies the Winlogon Shell registry key so that the Trojan is loaded first when the system boots.

It checks whether taskmgr.exe is running in memory and, if it is not found, creates a copy of xxx_video.exe named taskmgr.exe in the system32 and dllcache locations, probably replacing the existing taskmgr.exe.

Likewise, it modifies the userinit.exe file in the system32 and dllcache locations.

Below you can see the Ransom Trojan installed. It locks the screen and asks you to enter an unlock code (which you receive once you send an SMS to a premium-rate mobile number).

Recovery: Manual recovery is not easy for this kind of Trojan, since it kills the user shell and also modifies Task Manager, so the chance of loading explorer.exe back is minimal. Restarting the system will only load the Trojan again, since it has replaced the default explorer.exe in the Winlogon Shell registry key. Keep an updated AV on your system and stay protected.
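As an added defender-side example (not part of the original post), the following Python script reads a .reg export of the Winlogon key, for instance one taken from a recovery environment, and flags a Shell or Userinit value that no longer points at the stock binaries. The key path and the stock-value patterns assume Windows XP; the sample export is constructed to mirror the Shell modification described above.

```python
import re

# Winlogon key holding the Shell and Userinit values (Windows XP path).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Stock values on a clean XP install; Userinit normally ends with a trailing comma.
EXPECTED = {
    "Shell": re.compile(r"^explorer\.exe$", re.I),
    "Userinit": re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe,?$", re.I),
}

# Constructed .reg (v5) export showing the Shell value redirected to the Trojan copy.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\All Users\\Application Data\\xxx_video.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"DefaultUserName"="Administrator"
'''


def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {name: value}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_winlogon(text):
    """List Winlogon Shell/Userinit values that differ from the stock ones."""
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    findings = []
    for name, pattern in EXPECTED.items():
        value = values.get(name)
        if value is None:
            findings.append(f"{name}: missing from export")
        elif not pattern.match(value):
            findings.append(f"{name}: unexpected value {value!r}")
    return findings


if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE_EXPORT) or ["Winlogon values look stock"]:
        print(finding)
```

A clean export produces no findings; restoring the Shell value to explorer.exe is the registry-side part of the fix, the replaced taskmgr.exe and userinit.exe files still need to be restored separately.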

2 comments:

  1. Hi Siva, It's looking good and I have one doubt.

    Let me know whether this Trojan actually modifies the "winlogon.exe" file on disk or only in the registry.

    If it modified the system file "winlogon.exe" on the physical disk, then the system will not boot properly.

    At this point how can we get a solution in order to boot the system properly?

    In this scenario, I know only updating the system files through the XP CD. Is there any other possibility to get a solution for these kinds of Trojans...

  2. It modifies the Winlogon Shell registry key only. Once infected with this kind of Trojan it's hard to recover. You can try out some recovery tool available online.
