{
	"id": "c7994d69-49f7-4430-a45e-69df281c0d89",
	"created_at": "2026-04-06T00:20:51.333343Z",
	"updated_at": "2026-04-10T13:12:01.901428Z",
	"deleted_at": null,
	"sha1_hash": "d141af2377c7671c49ee29b0f31589619215150f",
	"title": "In-Dev Ransomware forces you do to Survey before unlocking Computer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 855178,
	"plain_text": "In-Dev Ransomware forces you do to Survey before unlocking Computer\r\nBy Lawrence Abrams\r\nPublished: 2016-10-27 · Archived: 2026-04-05 15:01:20 UTC\r\nAs if surveys aren't already annoying, a new ransomware utilizes the FileIce survey platform to force you to do surveys\r\nbefore unlocking your computer. First discovered by GData security researcher Karsten Hahn, this ransomware is currently\r\nin development and is most likely not being actively distributed at this time.\r\nSelect Your Survey Screen\r\nWhen the malware is started it will display a Select Your Survey form as shown above that contains numerous surveys you\r\ncan select in order to unlock the computer.  The ransomware retrieves these surveys from the URL\r\nwww.fileice.net/download.php?t=regular\u0026file=3lhzu as shown in the source code below.\r\nSource showing the form retrieving the Surveys\r\nWhen a user completes a survey, it will download a file called ThxForYurTyme.txt, which displays the message \"Thank you\r\nfor supporting me.\".\r\nThank You File\r\nhttps://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/\r\nPage 1 of 5\n\nMy guess is that this file will eventually contain a code that will be used to unlock and remove the lock screen.\r\nhttps://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/\r\nPage 2 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/\r\nPage 3 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nNot all features are functional\r\nSince this ransomware is currently in development mode, it contains source code to perform a variety of functions that do\r\nnot work as of yet. For example, though it does create an autostart so the programs starts when you login, it also contains\r\nnumerous other features that do not work right. 
For example, it contains code to disable Ctrl+Alt+Del and code to set a\r\nvariety of Windows policies to make it more difficult to remove, but they failed to be created in my test. \r\nThe policies that it attempts to enable are:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \"DisableTaskMgr\" = 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \"DisableLockWorkstation\" = 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \"DisableChangePassword\" = 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer \"NoClose\" = 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer \"NoLogoff\" = 1\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \"HideFastUserSwitching\" = 1\r\nWhat truly shows that it is still in development is the Unlock Your PC screen. This screen contains numerous\r\ndebugging options that can be used to test the ransomware.\r\nUnlock Your PC Screen\r\nFor example, the startup button will enable the autostart entry for the ransomware, the Close button will terminate the\r\nprocess, the Clear Ctrl Alt checkbox will enable or disable the policies, and the Disable keys button will attempt to hook\r\nthe keyboard so that the keys do not work.\r\nLike many other ransomware infections that are discovered, there is a good chance that this ransomware will never make it\r\ninto distribution. 
If it does, though, it will be easily defeated.\r\nFiles associated with the Survey Ransomware:\r\nC:\\Users\\User\\Downloads\\ThxForYurTyme.txt\r\nC:\\seo\\Sdchost.exe\r\nRegistry entries associated with the Survey Ransomware\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sdchost C:\\seo\\Sdchost.exe\r\nNetwork traffic associated with the Survey Ransomware\r\nhttp://www.fileice.net/download.php?t=regular\u0026file=3lhzu\r\nHashes:\r\nSHA256: 60fba97585c3a48720bffdb1e11fb5be537e6b6344220015bc9740d084f58c0b\r\nSource: https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
	],
	"report_names": [
		"in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434851,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d141af2377c7671c49ee29b0f31589619215150f.pdf",
		"text": "https://archive.orkl.eu/d141af2377c7671c49ee29b0f31589619215150f.txt",
		"img": "https://archive.orkl.eu/d141af2377c7671c49ee29b0f31589619215150f.jpg"
	}
}