Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : fd5ae61959c9590036881cb809891029
 
  • Major Detection Name : Trojan.Ransom.LockeR (ALYac), Trojan-Ransom.Win32.Gen.hee (Kaspersky)
 
  • Encrypted File Pattern : <Random Filename>.locked
 
  • Malicious File Creation Location :
         - C:\Users\%UserName%\AppData\Roaming\<Random Folder>
         - C:\Users\%UserName%\AppData\Roaming\<Random>\<Random>.exe
         - C:\Users\%UserName%\Desktop\KEY
 
  • Payment Instruction File : [HOW_TO_DECRYPT_FILES].html
 
  • Major Characteristics :
         - Offline Encryption
         - Stop system services (stop vss)
         - Disable system restore (WMIC.exe shadowcopy delete /nointeractive, bcdedit.exe /set {default} recoveryenabled no, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, vssadmin.exe delete shadows /all /quiet)
         - Interrupt file recovery using "C:\Windows\System32\cipher.exe" /W:<Drive Letter>
         - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\bmp<Random>.bmp)
         - Creates following registry to link ".locked" file extension to open ransomnote ([HOW_TO_DECRYPT_FILES].html).

List

위로