Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Installation via CobaltStrike malware
- MD5 : 572fea5f025df78f2d316216fbeee52e
- Major Detection Name : Win32/Filecoder.WastedLocker.A (ESET), Ransom.BinADS (Malwarebytes)
- Encrypted File Pattern : .<2~3-Digit Random>wasted
- Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\Temp\<Random>\system32
- C:\Users\%UserName%\AppData\Local\Temp\<Random>\system32\winmm.dll
- C:\Users\%UserName%\AppData\Local\Temp\<Random>\system32\winsat.exe
- C:\Users\%UserName%\AppData\Local\Temp\<Random>.dmp
- C:\Users\%UserName%\AppData\Local\Temp\<2-Digit Random>.dmp
- C:\Users\%UserName%\AppData\Roaming\<2-Digit Random Filename>
- C:\Users\%UserName%\AppData\Roaming\<2-Digit Random>:bin
- C:\Users\%UserName%\AppData\Roaming\<Random Filename>
- C:\Users\%UserName%\AppData\Roaming\<Random>:bin
- C:\Windows\SysWOW64\<Random>.exe
- C:\Windows\Temp\<Random>.dmp
- C:\Windows\Temp\lck.log
- Payment Instruction File : <Original Filename>.<Original Extension>.<2~3-Digit Random>wasted_info
- Major Characteristics :
- Offline Encryption
- Use a YZCKUEONYQSURZWORG Digital Signatures
- Create an ADS (Alternate Data Stream) file and encrypt the files.
- Register ransomware malicious file as a service (C:\Windows\SysWOW64\<Random>.exe -s)
- Disable system restore (vssadmin.exe Delete Shadows /All /Quiet)