Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Download file by user
 
  • MD5 : 5759cc998c4be40886810d3bbda6224d
 
  • Major Detection Name : Trojan/Win32.Gandcrab.C2742205 (AhnLab V3), Trojan-Ransom.Win32.GandCrypt.fvm (Kaspersky)
 
  • Encrypted File Pattern : .<5~10 Digit Random Extension>
 
  • Malicious File Creation Location : C:\Users\%UserName%\<Random>.exe
 
  • Payment Instruction File : <Encryption Extension>-DECRYPT.txt
 
  • Major Characteristics :
     - Offline Encryption
     - File encryption using system file "C:\Windows\System32\wermgr.exe" or "C:\Windows\SysWOW64\wermgr.exe".
     - Includes removal of antivirus (AhnLab V3, avast! Antivirus) using javascript.
     - Block processes execution (dbsnmp.exe, msftesql.exe, oracle.exe, sqlagent.exe, sqlbrowser.exe, sqlwriter.exe etc.)
     - Disable system restore (wmic.exe shadowcopy delete)
     - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\pidor.bmp)

List

위로