In-Dev Ransomware forces you do to Survey before unlocking Computer

By Lawrence Abrams
Published: 2016-10-27 · Archived: 2026-04-05 15:01:20 UTC

As if surveys aren't already annoying, a new ransomware utilizes the FileIce survey platform to force you to do surveys before unlocking your computer. First discovered by GData security researcher Karsten Hahn, this ransomware is currently in development and is most likely not being actively distributed at this time.

[Figure: Select Your Survey Screen]

When the malware is started it will display a Select Your Survey form as shown above that contains numerous surveys you can select in order to unlock the computer. The ransomware retrieves these surveys from the URL www.fileice.net/download.php?t=regular&file=3lhzu as shown in the source code below.

[Figure: Source showing the form retrieving the Surveys]

When a user completes a survey, it will download a file called ThxForYurTyme.txt, which displays the message "Thank you for supporting me."

[Figure: Thank You File]

My guess is that this file will eventually contain a code that will be used to unlock and remove the lock screen.

Not all features are functional

Since this ransomware is currently in development mode, it contains source code to perform a variety of functions that do not work as of yet. For example, though it does create an autostart so the program starts when you log in, it also contains numerous other features that do not work right.
For example, it contains code to disable Ctrl+Alt+Del and code to set a variety of Windows policies to make it more difficult to remove, but they failed to be created on my test. The policies that it attempts to enable are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableLockWorkstation" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableChangePassword" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoClose" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoLogoff" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "HideFastUserSwitching" = 1

What truly shows that it is still in development is the Unlock Your PC screen. This screen contains numerous debugging options that can be used to test the ransomware.

[Figure: Unlock Your PC Screen]

For example, the startup button will enable the autostart entry for the ransomware, the Close button will terminate the process, the Clear Ctrl Alt checkbox will enable or disable the policies, and the Disable keys button will attempt to hook the keyboard so that the keys do not work.

Like many other ransomware infections that are discovered, there is a good chance that this ransomware will never make it into distribution. If it does, though, it will be easily defeated.
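
As an added example (not code from the article or from the malware), the following Python script checks an exported copy of the current user's registry for the six policy values listed above and for the Sdchost Run entry the article gives among its indicators. The .reg text in SAMPLE is constructed, and the function and constant names are this example's own.

```python
import re

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
POLICIES = {  # key suffix -> policy value names listed in the article
    r"\Policies\System": ["DisableTaskMgr", "DisableLockWorkstation",
                          "DisableChangePassword", "HideFastUserSwitching"],
    r"\Policies\Explorer": ["NoClose", "NoLogoff"],
}
RUN_NAME, RUN_PATH = "Sdchost", r"C:\seo\Sdchost.exe"  # autostart indicator

# Constructed sample in .reg export format (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableChangePassword"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sdchost"="C:\\seo\\Sdchost.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
'''

def parse_reg(text):
    """Return {key_lower: {value_name_lower: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            current[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(text):
    """List the article's policy and autostart indicators present in the export."""
    keys, hits = parse_reg(text), []
    for suffix, names in POLICIES.items():
        for name in names:
            data = keys.get((BASE + suffix).lower(), {}).get(name.lower(), "")
            if re.fullmatch(r"dword:0{7}1", data):  # only a value of 1 enables the policy
                hits.append(f"policy {suffix}\\{name} = 1")
    run = keys.get((BASE + r"\Run").lower(), {}).get(RUN_NAME.lower())
    if run is not None:
        path = run.strip('"').replace("\\\\", "\\")  # .reg doubles backslashes
        tag = "matches article path" if path.lower() == RUN_PATH.lower() else "different path"
        hits.append(f"autostart Run\\{RUN_NAME} -> {path} ({tag})")
    return hits
```

To run it against a real host, export the key with reg export "HKCU\Software\Microsoft\Windows\CurrentVersion" hkcu.reg and read the file with encoding="utf-16", since reg export writes UTF-16 text.
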
Files associated with the Survey Ransomware:

C:\Users\User\Downloads\ThxForYurTyme.txt
C:\seo\Sdchost.exe

Registry entries associated with the Survey Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sdchost C:\seo\Sdchost.exe

Network traffic associated with the Survey Ransomware:

http://www.fileice.net/download.php?t=regular&file=3lhzu

Hashes:

SHA256: 60fba97585c3a48720bffdb1e11fb5be537e6b6344220015bc9740d084f58c0b

Source: https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/