New Android ransomware [Android/Filecoder.C]

ESET security researchers have provided details about a new ransomware family they identified impacting the Android operating system. It has been observed being distributed through online forums and is believed to have been active since July 12th.

At this time, the size and scope of this campaign is limited, targeting only a select group of individuals It was noted by the researchers that if the adversaries choose to broaden the groups who they target and correct execution flaws, this particular ransomware could be most problematic. T

he adversaries set up two domains for this campaign that contain malicious Android downloads. They have been observed for the most part on Reddit or XDA Developers. The topics have been mostly explicit content or technically related. Once a device has been infected, it uses the victim’s contact list to distribute SMS text messages with malicious links in an effort to further the amount of victims it can infect. As is customary with most ransomware, it will lock the victim’s device and demand that a ransom is paid to unlock those files.

Once the files are encrypted, the file extension “.seven” is appended to the original filename.

Encrypted files with the extension .seven

Further details here.

Indicators of Compromise (IoCs)






Bitcoin address






Contact e-mail address

[email protected][.]ru

Affected Android versions

Android 5.1 and above

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: