Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 6184d75ab9ac2df542261f166460400b
- Major Detection Name : Gen:Win32.AV-Killer.auWbaWpI8Bn (BitDefender), Ransom.Win32.LOCKCRYPT.EKNAI (Trend Micro)
- Encrypted File Pattern : .<Original Extension> id-<Random>.LyaS
- Malicious File Creation Location :
- C:\Windows\clerlog.bat
- C:\Windows\searchfiles.exe
- C:\How To Restore Files.hta
- Payment Instruction File : How To Restore Files.hta
- Major Characteristics :
- Offline Encryption
- DXXD / MrDec Ransomware series
- Encryption starts after killing all process except listed in whitelist processes
- Turns off User Access Control (UAC)
- Disable system restore (vssadmin delete shadows /all)
- Deletes event log (wevtutil.exe cl "Analytic", wevtutil.exe cl "Application", wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational", wevtutil.exe cl "Security", wevtutil.exe cl "System", wevtutil.exe cl "Windows PowerShell" etc.)
- Displays ransom note (C:\Windows\SysWow64\mshta.exe "c:\How To Restore Files.hta") when user executes encrypted file (.<Original Extension> id-<Random>.LyaS)