- Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
- MD5 : 99a3d049f11474fac6844447ac2da430
- Major Detection Name : HEUR:Trojan.Win32.AntiAV (Kaspersky), Ransom:Win32/Genasom (Microsoft)
- Encrypted File Pattern : <Random> ID <Random>.1btc
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Restore Files.TxT
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Restore Files.TxT
- C:\Windows\wwvcm.exe
- Payment Instruction File : Restore Files.TxT
- Major Characteristics :
- Offline Encryption
- DXXD Ransomware series
- Encryption starts after killing all process except listed in whitelist processes
- Disable system restore (vssadmin delete shadows /all)
- Display a ransomware message on the Windows logon screen
List