Gopher Ransomware (<Original Filename>.<Original Extension> → <Base64>.lockedv1) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Unknown

MD5 : 35ed0713bd4989332c43f8400f01fc8c

Major Detection Name : Ransom:Win64/FileCrypter.MK!MTB (Microsoft), Ransom_FileCrypter.R002C0DA121 (Trend Micro)

Encrypted File Pattern : <Original Filename>.<Original Extension> → <Base64>.lockedv1

Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\windows-update-CVE-wLK.exe
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt

Payment Instruction File : READMEV1.txt

Major Characteristics :
- Offline Encryption
- Use a "Mozilla Corporation" Digital Signatures
- Turns off User Access Control (UAC)
- Disable system restore (vssadmin Delete Shadows /All /Quiet)
- Empty the trash (cmd /C "rd /s /q <Drive Letter>:\\$RECYCLE.BIN")