Angler Exploit Kit Spreads Threat Finder Ransomware

Brad Duncan is a Security Researcher at Rackspace, where he investigates suspicious network activity. Occasionally, he receives tippers on compromised websites that can infect vulnerable computers. Rackspace researchers investigate these tippers to gather malware samples, identify threat actors, and determine other indicators of malicious activity. This blog entry discusses one such investigation.


As early as January of this year, we started seeing reports of a new ransomware named “Threat Finder” [1]. At least one source speculates Threat Finder is a copy of Cryptolocker [2], but we haven’t found anything definitive on the origin of this ransomware.

We ran across Threat Finder on Tuesday, April 7th, 2015 when infecting a Windows host. The host was infected when casual web browsing led to the Angler exploit kit. After the infection, the host’s personal files were encrypted, and instructions for Threat Finder v2.4 appeared on the desktop screen.

Chain of events

  • Step 1: The user viewed a compromised website that generated behind the scenes traffic for Angler exploit kit.
  • Step 2: The vulnerable Windows host was infected by the Angler exploit kit.
  • Step 3: The exploit kit sent Bedep malware, commonly seen from Angler [3].
  • Step 4: Bedep downloaded more malware, including Threat Finder.
  • Step 5: Threat Finder encrypted the user’s personal files and displayed instructions to recover the data.

Shown above: Threat Finder v2.4 instructions for decrypting your personal files.


Shown above: The same decryption instructions from a web browser.

About the time Threat Finder displayed the decrypt instructions, we saw click fraud traffic from the infected host. Click fraud traffic generates ad revenue through numerous requests for web traffic from the infected host.


Shown above: HTTP traffic for Angler exploit kit, Bedep post-infection, and click fraud traffic.

The infected host had at least one registry entry for a file named reg.dll as shown below:

This is the Threat Finder ransomware. A sample can be found at:

When run through’s analysis, reg.dll generated traffic to, sending approximately 217 KB of data to the infected host. The analysis shows dropped files that are images for Threat Finder’s decrypt instructions.


Shown above: One of the dropped image file from reg.dll

The bitcoin address for the malware’s ransom payment is: 1NadLTgZHFGJmqUuQ58dGsB7ADCbe5N6z1

Check this bitcoin address at, and you’ll find at least 11 transactions with over 7.5 bitcoins received.


Shown above: Transactions at the bitcoin address for the ransom payment

What should you do if your computer becomes infected with Threat Finder? Your personal files may be lost if you don’t have a backup. Even if you pay the ransom, you have no guarantee the malware authors will provide the decryption key.

As always, your best defense is regularly backing up your data. If not, you could find yourself at the mercy of this or other ransomware.







Brad Duncan was a Security Researcher at Rackspace specializing in network traffic analysis and intrusion detection. After more than 21 years doing classified intelligence work for the US Air Force, Brad began a new career in cyber security. In 2013, Brad started a blog at as a way to share technical information with like-minded security professionals.


  1. Is it known yet if the files are actually encrypted? If so what algorithm?

    I got hit with Threat Finder v2.4 the other day. Shadow Explorer did work for C drive although it was not enabled on my E drive. Looking for a way to recover those files.

    Another bitcoin address for the malware’s ransom payment is:

    • The files should be encrypted, but I don’t know the algorithm. I haven’t run across Threat Finder since this article, though I have run across other ransomware variants.

  2. A cmd window would open when virus started…


Please enter your comment!
Please enter your name here