  • Distribution Method : Unknown
 
  • MD5 : 654edc30141e4be75e7abea7021cb314
 
  • Major Detection Name : Trojan/Win32.DIVOCRansom.C4104864 (AhnLab V3), Ransom.Locker (Malwarebytes)
 
  • Encrypted File Pattern : .corona-lock
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>.tmp.exe
     - C:\Users\%UserName%\AppData\Roaming\KEY.FILE
     - C:\Users\%UserName%\Desktop\README_LOCK.TXT
 
  • Payment Instruction File : README_LOCK.TXT
 
  • Major Characteristics :
     - Offline encryption (no key server contact is needed before files are encrypted)
     - Blocks execution of processes (MsDtsSrvr.exe, QBDBMgr.exe, sqlbrowser.exe, sqlmangr.exe, sqlservr.exe, winword.exe etc.)
     - Stops multiple services (msmdsrv, MSSQLServerADHelper100, MSSQLServerOLAPService, RTVscan, sqlservr, SQLWriter etc.)
     - Deletes backup files (*.bac, *.bak, *.bkf, *.dsk, *.set, *.VHD, *.wbcat, *.win, Backup*.*, backup*.*)
     - Disables system restore and shadow copies using the following commands:
        - vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB
        - vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded
        - vssadmin.exe Delete Shadows /All /Quiet
        - bcdedit.exe /set {default} recoveryenabled No
        - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        - wbadmin DELETE SYSTEMSTATEBACKUP
        - wmic.exe SHADOWCOPY /nointeractive
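The recovery-tampering commands and dropped-file paths listed above are the most reliable host-side signals for this family, because they occur before or alongside encryption rather than after it. The following Python script is an added detection example, not AppCheck's own tooling: it turns the indicators from this profile into case-insensitive rules, runs them over a constructed, tab-separated process-creation/file-event log (the log format, host names and timestamps are invented for the example), and flags a host when it sees two or more distinct recovery-tampering commands, or a tampering command together with one of the dropped files, or the ransom note or `.corona-lock` extension on its own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line indicators taken from the profile above (matched case-insensitively).
RECOVERY_TAMPERING_RULES = {
    "vssadmin-resize-shadowstorage": r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=",
    "vssadmin-delete-shadows": r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b.*/all\b",
    "bcdedit-recovery-disabled": r"\bbcdedit(?:\.exe)?\b.*/set\s+\{default\}\s+recoveryenabled\s+no\b",
    "bcdedit-ignore-boot-failures": r"\bbcdedit(?:\.exe)?\b.*/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
    "wbadmin-delete-systemstate": r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+systemstatebackup\b",
    "wmic-shadowcopy": r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b",
}

# File-path indicators from the profile (dropper, key file, ransom note, encrypted extension).
FILE_INDICATORS = {
    "dropped-tmp-exe": r"\\AppData\\Local\\Temp\\[^\\]+\.tmp\.exe$",
    "key-file": r"\\AppData\\Roaming\\KEY\.FILE$",
    "ransom-note": r"\\README_LOCK\.TXT$",
    "encrypted-file": r"\.corona-lock$",
}

# Constructed sample log: timestamp, event kind (PROCESS = command line, FILE = created path),
# host, user, detail. WS01 shows the pattern from the profile; WS02 is benign admin activity.
SAMPLE_LOG = """\
2020-03-20T10:01:02Z\tPROCESS\tWS01\tjdoe\tC:\\Windows\\System32\\vssadmin.exe Resize ShadowStorage /for=C: /on=C: /maxsize=401MB
2020-03-20T10:01:03Z\tPROCESS\tWS01\tjdoe\tvssadmin.exe Delete Shadows /All /Quiet
2020-03-20T10:01:04Z\tPROCESS\tWS01\tjdoe\tbcdedit.exe /set {default} recoveryenabled No
2020-03-20T10:01:05Z\tPROCESS\tWS01\tjdoe\twbadmin DELETE SYSTEMSTATEBACKUP
2020-03-20T10:01:06Z\tFILE\tWS01\tjdoe\tC:\\Users\\jdoe\\AppData\\Roaming\\KEY.FILE
2020-03-20T10:01:07Z\tFILE\tWS01\tjdoe\tC:\\Users\\jdoe\\Documents\\report.docx.corona-lock
2020-03-20T10:05:00Z\tPROCESS\tWS02\tadmin\tvssadmin.exe List Shadows
2020-03-20T10:06:00Z\tFILE\tWS02\tadmin\tC:\\Users\\admin\\Desktop\\notes.txt
"""


@dataclass
class LogEvent:
    timestamp: str
    kind: str
    host: str
    user: str
    detail: str


@dataclass
class Hit:
    host: str
    timestamp: str
    rule: str
    detail: str


def parse_line(line: str) -> LogEvent:
    """Split one tab-separated record; the detail field may itself contain spaces."""
    ts, kind, host, user, detail = line.rstrip("\n").split("\t", 4)
    return LogEvent(ts, kind, host, user, detail)


def match_event(ev: LogEvent) -> list:
    """Return the names of every rule that fires on this event."""
    rules = RECOVERY_TAMPERING_RULES if ev.kind == "PROCESS" else FILE_INDICATORS
    return [name for name, pat in rules.items() if re.search(pat, ev.detail, re.IGNORECASE)]


def scan(log_text: str) -> list:
    """Run all rules over every non-empty log line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for rule in match_event(ev):
            hits.append(Hit(ev.host, ev.timestamp, rule, ev.detail))
    return hits


def hosts_to_triage(hits: list) -> dict:
    """Map host -> sorted rule names for hosts whose hit combination warrants triage.

    A lone 'vssadmin list shadows' or one resize does not fire; two distinct tampering
    commands, tampering plus a dropped file, or the note/extension alone does.
    """
    per_host = defaultdict(set)
    for h in hits:
        per_host[h.host].add(h.rule)
    flagged = {}
    for host, rules in per_host.items():
        tampering = {r for r in rules if r in RECOVERY_TAMPERING_RULES}
        files = {r for r in rules if r in FILE_INDICATORS}
        if len(tampering) >= 2 or (tampering and files) or files & {"ransom-note", "encrypted-file"}:
            flagged[host] = sorted(rules)
    return flagged


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.host} {h.rule}: {h.detail}")
    print("hosts to triage:", hosts_to_triage(scan(SAMPLE_LOG)))
```

In production the same rules would be fed from Sysmon Event ID 1 (process creation) and Event ID 11 (file create) or the equivalent EDR telemetry; the correlation threshold in `hosts_to_triage` is what keeps a legitimate administrator's single `vssadmin` invocation from paging anyone.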
