Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 09d3bd874d9a303771c89385d938c430
- Major Detection Name : Generic.Ransom.KrakenB.923510A9 (BitDefender), Ransom:MSIL/Kraken.B (Microsoft)
- Encrypted File Pattern : <Random Filename>.<5-Digit Random Extension>
- Malicious File Creation Location :
- C:\ProgramData\release.bat
- C:\ProgramData\sdelete.exe
- Payment Instruction File : # How to Decrypt Files-<Encryption Extension>.html
- Major Characteristics :
- Offline Encryption
- Checks OS language (Russian, Ukrainian etc.) and Geo-IP location to determine the execution.
- Block processes execution (firefoxconfig, mydesktopqos, mydesktopservice, mysqld-opt, sqbcoreservice, sqlbrowser etc.)
- Disable system restore (bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0, wmic SHADOWCOPY DELETE, vssadmin delete shadows /All)
- Utilizes SDelete from SysInternals to purge empty disc drive space, disabling possible recovery by file recovery tool.
- After secure erase, displays fake error message, then shuts down windows after 5 minutes (shutdown /S /F /T 300 /C "Unexpected shutdown due to maintenance break.")