
  • Distribution Method : Unknown

  • MD5 : 53fdeb923b1890d29b8f29da77995938

  • Major Detection Name : Ransomware/Win.BastaCrypt.C5103130 (AhnLab V3), W32/BlackBasta.FA18!tr.ransom (Fortinet)

  • Encrypted File Pattern : .basta

  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
     - C:\Users\%UserName%\AppData\Local\Temp\fkdjsadasd.ico
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
     - C:\Windows\TEMP\dlaksjdoiwq.jpg
     - C:\Windows\TEMP\fkdjsadasd.ico

  • Payment Instruction File : readme.txt

  • Major Characteristics :
     - Offline encryption (no network connection is needed to encrypt files)
     - Deletes the legitimate Fax service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax = C:\Windows\system32\fxssvc.exe) and re-registers it so that the service entry points to the ransomware
     - Adds a registry value that allows the Fax service to run in Safe Mode with Networking (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax)
     - When executed, forces an automatic reboot into Safe Mode with Networking (bcdedit.exe /set safeboot network + shutdown -r -f -t 0) and performs file encryption after the reboot
     - Disables system restore by deleting volume shadow copies (vssadmin.exe delete shadows /all /quiet)
     - Changes the icon of encrypted (.basta) files
     - Changes the desktop background (C:\Users\%UserName%\AppData\Local\Temp\dlaksjdoiwq.jpg)
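As an added example that is not part of the AppCheck profile, the following PowerShell script audits a host for the persistence and safe-mode artifacts listed above: the Fax service binary path (the service's ImagePath value), the SafeBoot\Network\Fax key, a pending bcdedit safeboot setting, the dropped file paths, and the .basta extension. It assumes an elevated session on the host being checked; the function name Test-BastaArtifacts and the check logic are assumptions of this example, and the readme.txt and shadow-copy checks are weak indicators on their own because both can occur on clean systems.

```powershell
# Added example (not part of the AppCheck profile): read-only audit for the
# Black Basta persistence and safe-mode artifacts listed in the profile.
# Assumes an elevated PowerShell session on the host being checked.

function Test-BastaArtifacts {
    $findings = @()

    # 1. Fax service: the legitimate binary is fxssvc.exe under system32.
    #    A different ImagePath means the service entry was re-registered.
    $faxKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Fax'
    if (Test-Path $faxKey) {
        $imagePath = (Get-ItemProperty -Path $faxKey -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath -and $imagePath -notmatch 'fxssvc\.exe') {
            $findings += "Fax service ImagePath is not fxssvc.exe: $imagePath"
        }
    } else {
        $findings += 'Fax service key is missing (service deleted?)'
    }

    # 2. Safe Mode with Networking allow-list: the Fax service does not belong here.
    $safeBootFax = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax'
    if (Test-Path $safeBootFax) {
        $findings += "SafeBoot\Network\Fax key present: $safeBootFax"
    }

    # 3. Boot configuration: a 'safeboot Network' value on the current entry
    #    forces the next reboot into safe mode, where most security agents are not loaded.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    if ($bcd | Where-Object { $_ -match '^\s*safeboot\s+Network' }) {
        $findings += "bcdedit: current boot entry has 'safeboot Network' set"
    }

    # 4. Dropped files from the profile (names taken from the page). The Startup
    #    readme.txt is a generic name, so treat a hit as a lead, not proof.
    $dropped = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
        "$env:LOCALAPPDATA\Temp\fkdjsadasd.ico",
        "$env:LOCALAPPDATA\Temp\dlaksjdoiwq.jpg",
        "$env:SystemRoot\TEMP\dlaksjdoiwq.jpg",
        "$env:SystemRoot\TEMP\fkdjsadasd.ico"
    )
    foreach ($path in $dropped) {
        if (Test-Path -LiteralPath $path) {
            $findings += "Dropped file present: $path"
        }
    }

    # 5. Encrypted-file extension: a registered .basta class (used to swap the
    #    icon) or any *.basta files under the profile indicate encryption ran.
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\.basta') {
        $findings += '.basta file class registered in HKCR'
    }
    $bastaCount = (Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.basta' `
                   -File -ErrorAction SilentlyContinue | Measure-Object).Count
    if ($bastaCount -gt 0) {
        $findings += "$bastaCount *.basta file(s) found under $env:USERPROFILE"
    }

    # 6. Shadow copies: none present is consistent with 'vssadmin delete shadows',
    #    but also with a host that never had any, so this is a weak indicator.
    $shadows = & vssadmin.exe list shadows 2>$null
    if ($shadows -and ($shadows | Where-Object { $_ -match 'No items found' })) {
        $findings += 'No volume shadow copies exist (consistent with vssadmin delete shadows)'
    }

    return $findings
}

$result = @(Test-BastaArtifacts)
if ($result.Count -eq 0) {
    Write-Output 'No Black Basta artifacts from the profile were found.'
} else {
    Write-Output 'Indicators found:'
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

The script only reads registry keys, files and the boot configuration; it changes nothing, so it is safe to run during triage. A host that is not deliberately in safe mode but reports the safeboot finding should have that value cleared (bcdedit /deletevalue safeboot) after the Fax service entry and SafeBoot key have been examined, otherwise the next reboot lands back in Safe Mode with Networking.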
