Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
- MD5 : f2747a4af2720fcd0370598d97dad49e
- Major Detection Name : Ransomware/Win.Generic.R474761 (AhnLab V3), Win32:DropperX-gen [Drp] (Avast)
- Encrypted File Pattern : .avast
- Malicious File Creation Location : C:\Users\%UserName%\AppData\Local\Temp\<Random>.bat
- Payment Instruction File : HOW TO RECOVER !!.TXT / RECOVERY INFORMATION.txt
- Major Characteristics :
- Mallox Ransomware series
- Block processes execution (EXCEL.EXE, fdlauncher.exe, MsDtsSrvr.exe, SageCSClient.exe, sqlagentc.exe, U8WorkerService.exe etc.)
- Stop multi services (MsDtsServer100, MSSQLServerADHelper100, NetBackup Discovery Framework, postgresql-x64-9.4, ReportServer$SHOPCONTROL9, SQLSERVERAGENT etc.)
- Delete multi services (AHS SERVICE, eCard-TTransServer, SQLSERVERAGENT, VirboxWebServer, WebAttendServer, XT800Service_Personal etc.)
- Disable multi services (sc config "MsDtsServer130" start= disabled, sc config "MSSQLFDLauncher" start= disabled, sc config "SQLBrowser" start= disabled, sc config "SQLSERVERAGENT" start= disabled, sc config "SQLTELEMETRY" start= disabled, sc config "SSISTELEMETRY130" start= disabled etc.)
- Disable system restore (vssadmin.exe delete shadows /all /quiet, bcdedit /set {current} bootstatuspolicy ignoreallfailures, bcdedit /set {current} recoveryenabled no)