  • Distribution Method: Unknown

  • MD5: fb2dc7eccfa938149161caf3c7c16b58

  • Major Detection Name: Gen:Variant.Ransom.Ouroboros.29 (BitDefender), Ransom.Teslarvng (Malwarebytes)

  • Encrypted File Pattern: <Original Filename>.<Original Extension> → .[de-crypt@foxmail.com].teslarvng

  • Malicious File Creation Location:
     - C:\ProgramData\Adobe
     - C:\ProgramData\Adobe\Extension Manager CC
     - C:\ProgramData\Adobe\Extension Manager CC\Logs
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\<Drive Letter>.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\fails.txt
     - C:\ProgramData\Adobe\Extension Manager CC\Logs\lockeds.txt
     - C:\ProgramData\datakeys
     - C:\ProgramData\datakeys\hds
     - C:\ProgramData\datakeys\pos.txt
     - C:\ProgramData\datakeys\tempkey.teslarvngkeys
     - C:\teslarvng
     - C:\teslarvng\tempkey.teslarvngkeys
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How To Recover.txt
     - C:\HELP.txt

  • Payment Instruction File: HELP.txt / How To Recover.txt

  • Major Characteristics:
     - Offline Encryption
     - Deletes the defragsrv service
     - Disables system restore (vssadmin.exe Delete Shadows /All /Quiet, wbadmin.exe delete catalog -quiet, WMIC.exe shadowcopy delete)
     - Uses SDelete from Sysinternals to wipe free disk space, preventing recovery of deleted originals with file-recovery tools ("%Temp%\sdelete.exe" -nobanner -p 1 -z <Drive Letter>:)
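Defender-side triage logic built from the indicators listed above, as an added example that is not part of the AppCheck report: the regexes, the event schema, the rule and severity names, and the sample telemetry are all constructed here for illustration.

```python
import re
from typing import Dict, List

# Command-line indicators from the "Major Characteristics" list above:
# shadow-copy / backup-catalog deletion and SDelete free-space wiping.
COMMAND_RULES = [
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("sdelete-wipe-free-space", re.compile(r"\bsdelete(?:\.exe)?\b.*\s-z\s+[a-z]:", re.I)),
]
COMMAND_RULE_NAMES = {name for name, _ in COMMAND_RULES}
# File-system indicators from the report: encrypted-file suffix and drop directories.
ENCRYPTED_SUFFIX = re.compile(r"\.\[de-crypt@foxmail\.com\]\.teslarvng$", re.I)
DROP_PATH_PREFIXES = (r"c:\programdata\datakeys", r"c:\teslarvng",
                      r"c:\programdata\adobe\extension manager cc\logs")

def match_command(cmdline: str) -> List[str]:
    """Rule names matched by one process-creation command line."""
    return [name for name, rx in COMMAND_RULES if rx.search(cmdline)]

def match_path(path: str) -> List[str]:
    """Indicator names matched by one file-creation path (case-insensitive)."""
    lowered = path.lower()
    hits = []
    if ENCRYPTED_SUFFIX.search(lowered):
        hits.append("teslarvng-encrypted-file")
    if lowered.startswith(DROP_PATH_PREFIXES):
        hits.append("teslarvng-drop-path")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Score a batch of events (constructed schema: 'process' carries a command line,
    'file' a path): 'high' = backup destruction plus file indicators, 'medium' = either."""
    alerts = []
    for idx, ev in enumerate(events):
        hits = match_command(ev["data"]) if ev["type"] == "process" else match_path(ev["data"])
        alerts.extend((idx, hit) for hit in hits)
    backup_destruction = any(hit in COMMAND_RULE_NAMES for _, hit in alerts)
    file_indicator = any(hit not in COMMAND_RULE_NAMES for _, hit in alerts)
    severity = "high" if backup_destruction and file_indicator else "medium" if alerts else "none"
    return {"severity": severity, "alerts": alerts}

# Constructed sample telemetry mirroring the report's commands and drop paths.
SAMPLE_EVENTS = [
    {"type": "process", "data": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "data": r'"%Temp%\sdelete.exe" -nobanner -p 1 -z C:'},
    {"type": "process", "data": "vssadmin list shadows"},
    {"type": "file", "data": r"C:\ProgramData\datakeys\tempkey.teslarvngkeys"},
]
```

Feed `triage()` with process-creation and file-creation events from your own EDR or Sysmon pipeline; the benign `vssadmin list shadows` line shows that only the destructive verbs from the report are flagged.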
