- Distribution Method : Unknown
- MD5 : e41ee0a8ce9df50ba9bd31e12e149dbe
- Major Detection Name : Ransom:Win32/Sherminator.YL (Microsoft), Ransom_Sherminator.R002C0DHI20 (Trend Micro)
- Encrypted File Pattern : .[ID]<Random>[ID]
- Malicious File Creation Location :
  - C:\Windows\delog.bat
  - C:\Windows\svhost.exe
  - C:\Decoder.hta
- Payment Instruction File : Decoder.hta
- Major Characteristics :
  - Offline Encryption
  - DXXD / LockCrypt Ransomware series
  - Encryption starts after killing all running processes except those on a whitelist of process names.
  - Clears Windows event logs (wevtutil.exe cl "Analytic", wevtutil.exe cl "Application", wevtutil.exe cl "Security", wevtutil.exe cl "Setup", wevtutil.exe cl "System", etc.)
  - Displays the ransom note (C:\Windows\SysWow64\mshta.exe "c:\Decoder.hta") when the user opens an encrypted file (.[ID]<Random>[ID])