
  • Distribution Method : Unknown
 
  • MD5 : c92c3b192fd72762cd54d92ccb65f183
 
  • Major Detection Name : Ransom:Win32/Saturn!MTB (Microsoft), Ransom_Saturn.R002C0DH420 (Trend Micro)
 
  • Encrypted File Pattern : .<4-Digit Random Extension> → .<Original Extension> → .saturn
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<Random>.lnk
     - C:\Users\%UserName%\Desktop\#DECRYPT_MY_FILES#.html
     - C:\Users\%UserName%\Desktop\#DECRYPT_MY_FILES#.txt
     - C:\Users\%UserName%\Desktop\#DECRYPT_MY_FILES#.vbs
 
  • Payment Instruction File : #DECRYPT_MY_FILES#.html / #DECRYPT_MY_FILES#.txt / #DECRYPT_MY_FILES#.vbs
 
  • Major Characteristics :
     - Offline Encryption
     - Disables system restore (vssadmin.exe delete shadows /all /quiet, wmic.exe shadowcopy delete, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wbadmin delete catalog -quiet)
     - Encryption guide using Text-to-Speech (TTS) function (#DECRYPT_MY_FILES#.vbs)
     - Changes desktop background (C:\Users\%UserName%\Desktop\#DECRYPT_MY_FILES.BMP)
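
The recovery-inhibiting commands listed under Major Characteristics can be matched in process-creation logs. The following is an added example, not part of the original page or of any vendor's product: the rule names, the two-rule threshold and the host names and sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns for the five recovery-inhibiting commands listed above.
# Matching is on executable name plus key arguments, tolerant of paths,
# the .exe suffix, quoting, case and repeated whitespace.
RULES = {
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "wmic_shadowcopy_delete":  r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    "bcdedit_ignore_failures": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b",
    "bcdedit_recovery_off":    r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    "wbadmin_delete_catalog":  r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}

def normalize(cmdline):
    """Lower-case, drop quotes and carets, collapse whitespace."""
    return re.sub(r"\s+", " ", re.sub(r'["^]', "", cmdline.lower())).strip()

def match_rules(cmdline):
    """Return the sorted names of all rules that match one command line."""
    norm = normalize(cmdline)
    return sorted(n for n, rx in COMPILED.items() if rx.search(norm))

def hosts_to_review(events, threshold=2):
    """events: iterable of (host, cmdline). Return hosts where at least
    `threshold` distinct rules fired, with the rules seen."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host].update(match_rules(cmdline))
    return {h: sorted(r) for h, r in seen.items() if len(r) >= threshold}

# Constructed sample events (not taken from a real incident).
SAMPLE_EVENTS = [
    ("WS-01", r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet'),
    ("WS-01", r"wmic.exe  SHADOWCOPY  delete"),
    ("WS-01", r"bcdedit /set {default} recoveryenabled No"),
    ("WS-02", r"vssadmin list shadows"),           # benign listing, no rule fires
    ("WS-03", r"wbadmin delete catalog -quiet"),   # single rule, below threshold
]

if __name__ == "__main__":
    for host, rules in hosts_to_review(SAMPLE_EVENTS).items():
        print(host, rules)
```

Requiring two distinct rules per host reduces noise from a single administrative use of one of these tools; lower the threshold to 1 to surface every match.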
