Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 7166a1264063469ac81a861325362156
- Major Detection Name : Ransom.FileCryptor (Malwarebytes), Ransom:Win32/Wadhrama.A!hoa (Microsoft)
- Encrypted File Pattern : .id-<Random>.[Telegram_t.me_NuBeContact].<5-Digit Random Extension>
- Malicious File Creation Location :
- <Drive Letter>:\EFSTMPWP
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\<Random>-FILES ENCRYPTED.txt
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<Random>-FILES ENCRYPTED.txt
- Payment Instruction File : <Random>-FILES ENCRYPTED.txt
- Major Characteristics :
- Offline Encryption
- Disable and Blocks Registry Editor (regedit.exe) and Task Manager (taskmgr.exe)
- Block processes execution (agntsvc.exe, ccleaner.exe, dbeng50.exe, msmdsrv.exe, SCSECSVC.EXE, sqlserver.exe etc.)
- Stop multi services (FirebirdGuardianDefaultInstance, FirebirdServerDefaultInstance, mssqlserver, sqlserveradhelper, sqlwriter)
- Disable system restore (vssadmin delete shadows /all /quiet)
- Interrupt file recovery using cipher.exe /w:<Drive Letter>