Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 1195d0d18be9362fb8dd9e1738404c9d
- Major Detection Name : Trojan/Win32.RagnarLocker.R355925 (AhnLab V3), Ransom-RAGNAR!1195D0D18BE9 (McAfee)
- Encrypted File Pattern : .__r4gN4r__<8-Digit Random>
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\!!!_READ_ME_<8-Digit Random>_!!!.txt
- C:\Users\Public\Documents\!!!_READ_ME_<8-Digit Random>_!!!.txt
- Payment Instruction File : !!!_READ_ME_<8-Digit Random>_!!!.txt
- Major Characteristics :
- Offline Encryption
- Recovery Partition (F:\) + EEFI System Partition (G:\) drives are activate.
- Block processes execution (dbsnmp, encsvc, isqlplussvc, mydesktopservice, oracle, thebat etc.)
- Stop multi services (backup, sophos, sql, veeam, vss, wuauserv etc.)
- Disable system restore (wmic.exe shadowcopy delete, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy IgnoreAllFailures, bcdedit /set {globalsettings} advancedoptions false)