Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : 9e84e1cacb60a165982dae7b9932c076
 
  • Major Detection Name : Trojan-Ransom.Win32.Purga.cf (Kaspersky), Ransom_AMNESIA.E (Trend Micro)
 
  • Encrypted File Pattern : .wncry
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Roaming\guide.exe
     - C:\Users\%UserName%\Инструкция по восстановлению данных.TXT
 
  • Payment Instruction File : Инструкция по восстановлению данных.TXT
 
  • Major Characteristics :
     - Scarab / Scarabey Ransomware series
     - WannaCry Ransomware impostor
     - The English and Russian users targeted
     - Disable and Blocks Registry Editor (regedit.exe) and Task Manager (Taskmgr.exe)
     - Block processes execution (msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, synctime.exe etc.)
     - Disable system restore (vssadmin Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default}  - bootstatuspolicy ignoreallfailures)
     - Checks following folder name for encryption : Microsoft\Exchange Server, Microsoft SQL Server

List

위로