Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

RSAUtil Ransomware (.helppme@india.com.ID<Random>)

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
 
  • MD5 : 399d10fe6bfb0f8e55825310aee73bc5
 
  • Major Detection Name : Win32/Filecoder.RSAUtil.A (ESET), Ransom_DONTSLIP.A (Trend Micro)
 
  • Encrypted File Pattern : .helppme@india.com.ID<Random>
 
  • Malicious File Creation Location : - ...\cripter\clear_event_logs.cmd
     - ...\cripter\config.cfg
     - ...\cripter\DontSleep_x64.exe
     - ...\cripter\DontSleep_x64.ini
     - ...\cripter\How_return_files.txt
     - ...\cripter\image.jpg
     - ...\cripter\libeay32.dll
     - ...\cripter\msvcr90.dll
     - ...\cripter\NE SPAT.bat
     - ...\cripter\svchosts.exe

  • Payment Instruction File : How_return_files.txt
 
  • Major Characteristics :
 - Offline Encryption
 - Disable system restore (vssadmin.exe delete shadows /all /quiet, bcdedit.exe /set {default} recoveryenabled no, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures)
 - Delete event log
 - Changes desktop background (...\cripter\image.jpg)

List

위로