- Distribution Method : Automatic infection via an exploit when visiting a website, or via a mail attachment
- MD5 : bf9982a200bd7b30226e2ac1c2f2759f
- Major Detection Name : TR/Ransom.ssaxe (Avira), a variant of Win32/GenKryptik.BYNJ (ESET)
- Encrypted File Pattern : .CRAB
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CRAB-DECRYPT.txt
  - C:\Users\%UserName%\AppData\Roaming\Microsoft\<Random>.exe
- Payment Instruction File : CRAB-DECRYPT.txt
- Major Characteristics :
  - When infection occurs through a vulnerability, the ransomware uses the svchost.exe system file to perform the file encryption (C:\Windows\SysWOW64\svchost.exe -k ahnlab)
  - Blocks execution of database-related processes (msftesql.exe, oracle.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, etc.)
  - Disables system restore by deleting volume shadow copies (wmic.exe shadowcopy delete)
  - Automatically reboots Windows after file encryption is complete (shutdown -r -t 60 -f)
  - Changes the desktop background (C:\Users\%UserName%\AppData\Local\Temp\pidor.bmp)
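The behaviours listed above are all visible in ordinary endpoint telemetry (process creation and file creation events), so they can be turned into detection logic. The script below is an added example written for this summary; it is not part of the original report and not the ransomware's code. It runs a handful of rules over constructed Sysmon-style events (the sample events are made up to mirror the indicators above) and flags shadow copy deletion via wmic.exe, the forced reboot, svchost.exe started with the unusual `-k ahnlab` service group or by a parent other than services.exe (a heuristic, not an indicator from the report), the ransom note dropped in the Startup folder, and files renamed with the .CRAB extension.

```python
import re
from collections import Counter

# Constructed sample telemetry in a Sysmon-like shape. These are NOT real
# captured events; paths and the random executable name are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe -k ahnlab",
     "parent": r"C:\Users\alice\AppData\Roaming\Microsoft\abcd1234.exe"},
    {"type": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic.exe shadowcopy delete",
     "parent": r"C:\Windows\SysWOW64\svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\shutdown.exe",
     "cmdline": "shutdown -r -t 60 -f",
     "parent": r"C:\Windows\SysWOW64\svchost.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CRAB-DECRYPT.txt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.CRAB"},
    # Benign noise: a normal svchost instance and an ordinary user file.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
]


def _basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _svchost_group(cmdline):
    """Return the service group passed to svchost.exe via -k, if any."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "-k" and i + 1 < len(tokens):
            return tokens[i + 1].lower()
    return None


def check_process(ev):
    """Apply process-creation rules; returns a list of (rule, detail)."""
    findings = []
    image = _basename(ev["image"])
    cmd = ev.get("cmdline", "")
    parent = _basename(ev.get("parent", ""))

    # Shadow copy deletion is the "disable system restore" step.
    if image == "wmic.exe" and re.search(r"shadowcopy\s+delete", cmd, re.I):
        findings.append(("shadow_copy_deletion", cmd))

    # Forced restart with -r and -f, as issued after encryption completes.
    if image == "shutdown.exe":
        flags = {t.lower() for t in cmd.split()}
        if "-r" in flags and "-f" in flags:
            findings.append(("forced_reboot", cmd))

    # Legitimate svchost.exe is started by services.exe with a known -k group.
    # "ahnlab" is the group from the report; a non-services.exe parent is a
    # general heuristic assumed here, not an indicator from the report.
    if image == "svchost.exe":
        group = _svchost_group(cmd)
        if parent != "services.exe" or group == "ahnlab":
            findings.append(("svchost_anomaly", f"parent={parent!r} group={group!r}"))
    return findings


def check_file(ev):
    """Apply file-creation rules; returns a list of (rule, detail)."""
    findings = []
    path = ev["path"]
    name = _basename(path)
    in_startup = re.search(r"\\start menu\\programs\\startup\\", path, re.I) is not None
    if in_startup and name == "crab-decrypt.txt":
        findings.append(("ransom_note_in_startup", path))
    if name.endswith(".crab"):
        findings.append(("crab_extension", path))
    return findings


def scan(events):
    """Run every rule over every event and collect the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "file":
            findings.extend(check_file(ev))
    return findings


def summarize(findings):
    """Count hits per rule, useful as a quick triage view."""
    return Counter(rule for rule, _ in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for rule, detail in hits:
        print(f"[{rule}] {detail}")
    print(dict(summarize(hits)))
```

Each rule on its own is weak (administrators do run `shutdown -r -f`), so in practice these hits would be correlated within a short time window on one host; the svchost parent check in particular is meant to be tuned against your own baseline before it is alerted on.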