- Distribution Method : Unknown
- MD5 : a67baae890d64e81a3f0b250884c8521
- Major Detection Name : Ransom:Win32/SporaCrypt.PA!MTB (Microsoft), Ransom.Win32.VOIDCRYPT.SMYXCJ2 (Trend Micro)
- Encrypted File Pattern : .<Original Extension>[ID=<Random>-Mail=FreedomTeam@mail.ee].<4-Digit Random>
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\f__d_d.sys
  - C:\Users\%UserName%\AppData\h4_svc.bat
  - C:\Users\%UserName%\AppData\Renc.sys
  - C:\Users\%UserName%\AppData\t2_svc.bat
  - C:\Users\%UserName%\AppData\v9_svc.vbs
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt
  - C:\Users\Read_Me!_.txt
  - C:\Users\ReadMe_Now!.hta
  - C:\Windows\System32\Tasks\Microsoft_Auto_Scheduler
  - C:\Windows\Pagesfilo.sys
  - C:\Read_Me!_.txt
- Payment Instruction File : Read_Me!_.txt / ReadMe_Now!.hta
- Major Characteristics :
  - Offline encryption
  - Turns off User Account Control (UAC)
  - Turns off the Windows Firewall (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable)
  - Enables a Windows Firewall rule group (netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes)
  - Blocks execution of processes (agntsvc.exe, isqlplussvc.exe, msftesql.exe, onenote.exe, sqlagent.exe, xfssvccon.exe, etc.)
  - Disables system restore by deleting shadow copies and the backup catalog (vssadmin.exe Delete Shadows /All /Quiet, wmic shadowcopy delete, wbadmin delete catalog -quiet)
  - Adds the scheduled task Microsoft_Auto_Scheduler to run the file "C:\Users\%UserName%\AppData\t2_svc.bat" automatically every 6 minutes.
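As an added defender-side example (not part of the original entry), the behaviours listed above expressed as detection logic over process command lines; the "CommandLine:" log format and the sample lines are constructed assumptions, not telemetry from this sample.

```python
import re

# Command-line patterns derived from the behaviours listed above for this sample.
# Matching is case-insensitive and tolerant of extra whitespace.
BEHAVIOUR_PATTERNS = {
    "shadow_copy_deletion": [
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
        r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
        r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
    ],
    "firewall_disabled": [
        r"\bnetsh\s+advfirewall\s+set\s+\w+profiles?\s+state\s+off\b",
        r"\bnetsh\s+firewall\s+set\s+opmode\s+mode=disable\b",
    ],
    "firewall_rule_enabled": [
        r"\bnetsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=.*enable=yes\b",
    ],
    "startup_persistence": [
        # Task name and the AppData *_svc.bat / *_svc.vbs payloads from the file list above.
        r"microsoft_auto_scheduler",
        r"\\appdata\\[a-z0-9_]+_svc\.(bat|vbs)\b",
    ],
}
COMPILED = {b: [re.compile(p, re.I) for p in ps] for b, ps in BEHAVIOUR_PATTERNS.items()}

def classify(cmdline: str) -> list[str]:
    """Return the behaviour labels whose patterns match one process command line."""
    return [b for b, regs in COMPILED.items() if any(r.search(cmdline) for r in regs)]

def scan(log_lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Scan 'CommandLine: ...' style lines; return (line_no, cmdline, labels) for each hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        cmd = line.split("CommandLine:", 1)[1].strip() if "CommandLine:" in line else line
        labels = classify(cmd)
        if labels:
            hits.append((n, cmd, labels))
    return hits

# Constructed sample process-creation log (not real telemetry); line 7 is benign.
SAMPLE_LOG = [
    "CommandLine: vssadmin.exe Delete Shadows /All /Quiet",
    "CommandLine: wmic shadowcopy delete",
    "CommandLine: wbadmin delete catalog -quiet",
    "CommandLine: netsh advfirewall set currentprofile state off",
    "CommandLine: netsh firewall set opmode mode=disable",
    'CommandLine: netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes',
    "CommandLine: netsh advfirewall show allprofiles",
    r"CommandLine: cmd.exe /c C:\Users\victim\AppData\t2_svc.bat",
]
```

Running `scan(SAMPLE_LOG)` flags every line except the benign `show allprofiles` query; a single shadow-copy or firewall hit is worth alerting on, and several labels from one host within minutes match the sequence this sample performs.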