  • Distribution Method : Remote access through Remote Desktop Protocol (RDP) or Terminal Services
 
  • MD5 : 63acb0fc42adddeefed36db5b1ad61bb
 
  • Major Detection Name : MSIL.Trojan-Ransom.LokiLocker.B (GData), Ransom:MSIL/LokiLocker.MK!MTB (Microsoft)
 
  • Encrypted File Pattern : [Ghosttm@zohomail.com][<Random>]<Original Filename>.<Original Extension>.Loki
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
     - C:\ProgramData\Cpriv.Loki
     - C:\ProgramData\info.Loki
     - C:\ProgramData\<Random>.exe
     - C:\ProgramData\winlogon.exe
     - C:\Users\%UserName%\AppData\Local\Temp\<Random>.ico
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvtymcow.bat
     - C:\Users\%UserName%\AppData\Roaming\winlogon.exe
     - C:\Windows\winlogon.exe
 
  • Payment Instruction File : info.hta / info.Loki / Restore-My-Files.txt
 
  • Major Characteristics :
     - Offline encryption (no key exchange with a server is required)
     - Member of the FonixCrypter ransomware series
     - Changes the disk name to "Locked by Loki"
     - Disables and blocks Registry Editor (regedit) and Task Manager (taskmgr, via the DisableTaskMgr policy)
     - Disables Windows Defender (DisableAntiSpyware)
     - Turns off Windows Firewall (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable)
     - Adds a scheduled task that executes %AppData%\winlogon.exe at user logon
     - Blocks the execution of processes (culture, ragui, sqlservr, supervise, winword, wxserver, etc.)
     - Disables system restore and deletes backups (vssadmin delete shadows /all /quiet, wbadmin DELETE SYSTEMSTATEBACKUP, wmic shadowcopy delete, wbadmin delete catalog -quiet, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no)
     - Changes the icon of encrypted (.Loki) files (HKEY_CLASSES_ROOT\.Loki) so that opening one runs "C:\ProgramData\<Random>.exe"
     - Changes the desktop background (C:\Users\%UserName%\AppData\Local\Temp\<Random>.Loki)
     - Displays a ransom message on the Windows logon screen
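Added example (not AppCheck's code): a small Python detector that flags the recovery-sabotage and firewall-disabling command lines listed in the characteristics above when run over process-creation log lines, and that recovers the original filename from the encrypted-file pattern. The "time|host|cmdline" log format and the sample lines are constructed for this example.

```python
import re

# Command fragments taken from the behaviours listed in this profile.
# (label, regex) pairs; matched case-insensitively against the command line.
LOKI_COMMAND_PATTERNS = [
    ("shadow-copy deletion", r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all"),
    ("shadow-copy deletion", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("backup deletion", r"wbadmin(\.exe)?\s+delete\s+(systemstatebackup|catalog)"),
    ("recovery disabled",
     r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("firewall disabled",
     r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)"),
]

# Encrypted-file naming from the profile: [Ghosttm@zohomail.com][<Random>]<name>.<ext>.Loki
ENCRYPTED_NAME_RE = re.compile(
    r"^\[Ghosttm@zohomail\.com\]\[[^\]]+\](?P<orig>.+\..+)\.Loki$", re.IGNORECASE)


def classify_command(cmdline):
    """Return the labels of every Loki-style pattern found in one command line."""
    hits = []
    for label, pattern in LOKI_COMMAND_PATTERNS:
        if re.search(pattern, cmdline, re.IGNORECASE) and label not in hits:
            hits.append(label)
    return hits


def scan_log(lines):
    """Return (host, labels) for each 'time|host|cmdline' line that matches; others are skipped."""
    alerts = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line, ignore
        labels = classify_command(parts[2])
        if labels:
            alerts.append((parts[1], labels))
    return alerts


def original_name(filename):
    """Recover '<name>.<ext>' from a Loki-encrypted filename, or None if it does not match."""
    m = ENCRYPTED_NAME_RE.match(filename)
    return m.group("orig") if m else None


# Constructed sample log: three commands from the profile on one host, two benign admin commands.
SAMPLE_LOG = [
    "2024-05-01T09:14:02|WS-17|cmd.exe /c vssadmin delete shadows /all /quiet",
    "2024-05-01T09:14:03|WS-17|bcdedit /set {default} recoveryenabled no",
    "2024-05-01T09:14:03|WS-17|netsh advfirewall set currentprofile state off",
    "2024-05-01T09:20:11|WS-04|wbadmin start backup -backupTarget:E: -include:C:",
    "2024-05-01T09:21:40|WS-04|vssadmin list shadows",
]
```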
