Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 117da2dd6fa24616f63eb43d5a15e5d3
- Major Detection Name : Gen:Variant.Ransom.Avaddon.3 (BitDefender), Ransom.Avaddon (Malwarebytes)
- Encrypted File Pattern : .<9~10-Digit A(a)~E(e) Random Extension>
- Malicious File Creation Location : C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\<Random>.exe
- Payment Instruction File : <5~8-Digit Random>_readme_.txt
- Major Characteristics :
- Offline Encryption
- EFI System Partition (X:\) and Recovery Partition (Y:\) drives are activate.
- Turns off User Access Control (UAC)
- Block processes execution (fdhost.exe, QBW32.exe, RTVscan.exe, sqlbrowser.exe, sqlservr.exe, winword.exe etc.)
- Stop services execution (ccSetMgr, DefWatch, QBIDPService, sqladhlp, sqlservr, VMUSBArbService etc.)
- Disable system restore (wmic SHADOWCOPY DELETE /nointeractive, vssadmin Delete Shadows /All /Quiet)
- Unmount VHD image files (powershell Dismount-DiskImage -ImagePath <Path>\<Filename>.vhd) and encrypt files.
- Adds update to scheduler to execute (%AppData%\Microsoft\Windows\<Random>.exe) every 10 minutes.