- Distribution Method : Unknown
- MD5 : 04aaf892226b1e11ab69b4cdd90c790f
- Major Detection Name : A variant of MSIL/Filecoder.Ziggy.A (ESET), W32/Agent.AEE!tr.ransom (Fortinet)
- Encrypted File Pattern : .id=[<Random>].email=[lilmoon1@criptext.com].ziggy
- Malicious File Creation Location :
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\## HOW TO DECRYPT ##.exe
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Runtime Broker.exe
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\## HOW TO DECRYPT ##.exe
  - C:\Windows\System32\FCYMM<Number>.dll
- Payment Instruction File : ## HOW TO DECRYPT ##.exe
- Major Characteristics :
  - Offline encryption (no key exchange with a server is needed before files are encrypted)
  - Turns off the Windows Firewall (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable)
  - Disables Windows Defender ("powershell" Get-MpPreference -verbose)
  - Blocks execution of processes (dbsnmp.exe, msftesql.exe, oracle.exe, sqlagent.exe, synctime.exe, xfssvccon.exe, etc.)
  - Disables system restore (vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wbadmin delete catalog -quiet)