You completely understood. Sorry for my poor English. Thank you.
Perfect, and don't worry about your English since I understood correctly.
By Lawrence Abram from bleepingcomputer
It depends on how the ransomware was designed to work and how sophisticated it is - for example, it may encrypt the files and then lock the screen to talk about the ransom payments to receive the decryption key back, or it may encrypt the files and then drop another PE to the disk which is responsible for the screen-locking and then delete itself after executing the newly dropped PE (e.g. extracted from resources), or it could even drop a DLL and then inject this into another process to cause the screen-lock to be presented from within a "trusted" process (or code injection).
On the other hand, some ransomware may want to remove itself due to the encryption algorithm being easily reversible, since not every ransomware sample is made properly by people who know what they are doing - some ransomware will encrypt files and make it impossible (currently) to decrypt the files without the private key (which you have to risk paying the ransom to receive - although you can never trust a malware author/hacker and therefore should not pay the ransom), whereas others will have a weak encryption algorithm, and therefore by removing itself it helps prevent the sample from being spread to malware analysts more quickly (since if someone reports the infection for assistance, the sample containing the encryption is no longer on the system).
One way malware may remove itself is on reboot, or inject code into an external process which will terminate the process responsible for the encryption process and then remove it.
However, some ransomware is more advanced and may even inject into external processes for the actual encryption process to take place - an example would be on previous OS versions (Windows 7 for example), where we could easily open a handle to csrss.exe (it wasn't a protected process back then) after elevating our rights to enable Debugging Rights (easily achieved via the RtlAdjustPrivilege NTAPI function), and then we could inject into it (e.g. inject the code for the encryption process and then start a new thread remotely to run this encryption code we injected into csrss.exe). This way, if someone opened up Task Manager and saw a suspicious process and terminated it, then they may feel they are once again "safe" (or they may also run some scans afterwards, but the encryption process is now taking place from a trusted Windows process, and none of these Anti-Malware scanners will detect if a sample has already injected into a process like csrss.exe, it seems), but give it some time and they'll be hit with the noticeable effects of all their files having been encrypted and some files on the desktop for the payment instructions or a screen-lock.
Usually these days the goal is to make money; back in the old days it was more about just PC destruction and being a nuisance, IMO.
There are limitless possibilities; the above are just examples. I completely agree with @LabZero because malware is evolving all the time (and sometimes we go back into the past, like with Petya doing the old MBR modifications, and then we also see new threats which will exploit new vulnerabilities and work using new methods we haven't seen before) - malware is evolving as we speak right now...
Stay safe,
Wave.
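A defender-side example added here (not code from the post or from any product): a small Python triage that flags the two behaviours Wave describes, a remote thread started inside csrss.exe and the dropper being removed afterwards by another process, over constructed Sysmon-style records. The field names assume Sysmon's schema for Event ID 8 (CreateRemoteThread) and Event ID 23 (FileDelete); the paths and events themselves are made up.

```python
"""Flag two behaviours from the post above over constructed Sysmon-style
records: a remote thread started in csrss.exe (Event ID 8) and the dropper
later deleted by another process (Event ID 23). Nothing here is host data."""

# System processes in which third-party code should never start threads.
PROTECTED_TARGETS = {"csrss.exe", "winlogon.exe", "lsass.exe", "smss.exe"}

def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return findings as (rule, actor_image, target) tuples."""
    findings, injectors = [], set()
    for ev in events:
        if ev["EventID"] == 8:  # CreateRemoteThread
            src, dst = ev["SourceImage"], ev["TargetImage"]
            if basename(dst) in PROTECTED_TARGETS:
                injectors.add(src.lower())
                # An empty or "-" StartModule (assumed Sysmon convention) means
                # the thread's start address is not inside any loaded module.
                rule = "remote_thread_in_system_process"
                if ev.get("StartModule", "-") in ("", "-"):
                    rule += "_unbacked_start"
                findings.append((rule, src, dst))
        elif ev["EventID"] == 23:  # FileDelete
            deleted, by = ev["TargetFilename"].lower(), ev["Image"].lower()
            # The injector's own file removed by a different process: the
            # "inject, terminate, then remove" self-cleanup from the post.
            if deleted in injectors and by != deleted:
                findings.append(("injector_removed_by_other_process", ev["Image"], ev["TargetFilename"]))
    return findings

# Constructed sample: a dropper in Temp injects into csrss.exe, the injected
# csrss.exe deletes the dropper; a vendor helper injecting into its own
# sibling process is benign and produces no finding.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "TargetImage": r"C:\Windows\System32\csrss.exe", "StartModule": "-"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\helper.exe",
     "TargetImage": r"C:\Program Files\Vendor\app.exe",
     "StartModule": r"C:\Program Files\Vendor\hook.dll"},
    {"EventID": 23, "Image": r"C:\Windows\System32\csrss.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

On Windows 8.1 and later csrss.exe runs as a protected process, so the first rule mainly fires on older hosts or on attempts that fail; the deletion rule is independent of that.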
