Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 9672ec48c67d4ca3ca7e09ded0a81b83
- Major Detection Name : Win32:RansomX-gen [Ransom] (Avast), Ransom:MSIL/Kraken (Microsoft)
- Encrypted File Pattern : <Random Filename>.<5-Digit Random Extension>
- Malicious File Creation Location :
- C:\ProgramData\release.bat
- C:\ProgramData\sdelete.exe
- C:\Users\%UserName%\AppData\Local\Temp\voice-<Encryption Extension>.vbs
- Payment Instruction File : Instructions-<Encryption Extension>.html
- Major Characteristics :
- Checks OS language (Russian, Ukrainian etc.) and Geo-IP location to determine the execution.
- Block processes execution (firefoxconfig, mydesktopqos, mydesktopservice, mysqld-opt, sqbcoreservice, sqlbrowser etc.)
- Modifies registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security" to disable notification of Microsoft Security.
- Disables System Recovery Creation point (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR)
- Enables Windows AutoLogin (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon)
- Disables Event Log (sc config eventlog start=disabled, sc stop eventlog) and erases (clear-log Application, clear-log Security, clear-log System)
- Disable system restore (bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0, wmic SHADOWCOPY DELETE, vssadmin delete shadows /All)
- Utilizes SDelete from SysInternals to purge empty disc drive space, disabling possible recovery by file recovery tool.
- After secure erase, displays fake error message, then shuts down windows after 5 minutes (shutdown /S /F /T 300 /C "Unexpected shutdown due to maintenance break.")
- Encryption guide using Text-to-Speech (TTS) function
- Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\wallpaper.bmp)