Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Automatic infection using exploit by visiting website
 
  • MD5 : d551d1f5997b01d3d5ccca10a64f1329
 
  • Major Detection Name : TR/Ransom.akxrk (Avira), a variant of MSIL/Filecoder.PI (ESET)
 
  • Encrypted File Pattern : <Random Filename>.<5-Digit Random Extension>
 
  • Malicious File Creation Location :
     - C:\ProgramData\release.bat
     - C:\ProgramData\sdelete.exe
 
  • Payment Instruction File : Instructions-<Encryption Extension>.html
 
  • Major Characteristics :
     - Offline Encryption
     - Checks OS language (Russian, Ukrainian etc.) and Geo-IP location to determine the execution.
     - Block processes execution (firefoxconfig, mydesktopqos, mydesktopservice, mysqld-opt, sqbcoreservice, sqlbrowser etc.)
     - Disable system restore (bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0, wmic SHADOWCOPY DELETE, vssadmin delete shadows /All)
     - Utilizes SDelete from SysInternals to purge empty disc drive space, disabling possible recovery by file recovery tool.
     - After secure erase, displays fake error message, then shuts down windows after 5 minutes (shutdown /S /F /T 300 /C "Unexpected shutdown due to maintenance break.")
     - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\tmp<Random>.tmp<Random>.bmp)

List

위로