- Distribution Method: Unknown
- MD5: 53fdeb923b1890d29b8f29da77995938
- Major Detection Name: Ransomware/Win.BastaCrypt.C5103130 (AhnLab V3), W32/BlackBasta.FA18!tr.ransom (Fortinet)
- Encrypted File Pattern: .basta
- Malicious File Creation Location:
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
  - C:\Users\%UserName%\AppData\Local\Temp\fkdjsadasd.ico
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
  - C:\Windows\TEMP\dlaksjdoiwq.jpg
  - C:\Windows\TEMP\fkdjsadasd.ico
- Payment Instruction File: readme.txt
- Major Characteristics:
  - Offline encryption (no key exchange with a server is needed)
  - Deletes the Fax service registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax, whose legitimate ImagePath is C:\Windows\system32\fxssvc.exe) and re-registers it with the ransomware as the service binary
  - Adds a registry value so the hijacked Fax service also starts in Safe Mode with Networking (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax)
  - Forces an automatic reboot into Safe Mode with Networking when executed (bcdedit.exe /set safeboot network, then shutdown -r -f -t 0) and performs file encryption after that reboot
  - Deletes volume shadow copies, disabling system restore (vssadmin.exe delete shadows /all /quiet)
  - Changes the icon of encrypted (.basta) files (fkdjsadasd.ico)
  - Changes the desktop background (C:\Users\%UserName%\AppData\Local\Temp\dlaksjdoiwq.jpg)
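A host audit for the artifacts listed above, added here as an example and not part of the original page: it checks the Fax service hijack, the SafeBoot entry, the bcdedit safeboot setting, the dropped files and the .basta extension. The paths and registry keys come from the list; the function name, the ImagePath comparison and the bcdedit output matching are this example's own assumptions. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page). Audits a host for the
# Black Basta artifacts from the indicator list above.
function Test-BastaArtifacts {
    $findings = @()

    # 1. Fax service hijack: the legitimate ImagePath is fxssvc.exe.
    #    The key may be absent on systems without the Fax component, so
    #    only a present-but-replaced ImagePath is reported.
    $faxKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Fax'
    if (Test-Path $faxKey) {
        $imagePath = (Get-ItemProperty -Path $faxKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($imagePath -and $imagePath -notmatch 'system32\\fxssvc\.exe') {
            $findings += "Fax service ImagePath replaced: $imagePath"
        }
    }

    # 2. Safe Mode (network) persistence: Fax is not a normal SafeBoot entry.
    $safeBootFax = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Fax'
    if (Test-Path $safeBootFax) {
        $findings += "SafeBoot\Network\Fax entry present"
    }

    # 3. Boot configuration forced into Safe Mode with Networking
    #    (bcdedit prints a 'safeboot   Network' line for the current entry).
    $bcd = bcdedit /enum "{current}" 2>$null
    if ($bcd -match '^\s*safeboot\s+Network') {
        $findings += "bcdedit safeboot=Network set on the current boot entry"
    }

    # 4. Dropped files: ransom note in both Startup folders, icon and
    #    wallpaper in the TEMP directories (same paths as the list above).
    $dropped = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt",
        "$env:LOCALAPPDATA\Temp\fkdjsadasd.ico",
        "$env:SystemRoot\TEMP\fkdjsadasd.ico",
        "$env:SystemRoot\TEMP\dlaksjdoiwq.jpg"
    )
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
    }

    # 5. Encrypted files: first .basta file under the user profile
    #    (limited to the profile to keep the scan fast; widen as needed).
    $basta = Get-ChildItem -Path $env:USERPROFILE -Filter '*.basta' -Recurse -File -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($basta) { $findings += "Encrypted file found: $($basta.FullName)" }

    return $findings   # empty array means none of the listed artifacts were seen
}

Test-BastaArtifacts
```

An empty result only means these specific artifacts are absent; file names and registry locations change between samples, so treat the checks as a starting point for triage rather than a clean bill of health.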