Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
 
  • MD5 : 14fd33d833b37fdd0df997f5e108c43f
 
  • Major Detection Name : Ransom.Kraken (Malwarebytes), Ransom:MSIL/Kraken.A (Microsoft)
 
  • Encrypted File Pattern : <Number>-Lock.onion
 
  • Malicious File Creation Location :
     - C:\ProgramData\release.bat
     - C:\ProgramData\sdelete.exe
 
  • Payment Instruction File : # How to Decrypt Files.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Checks OS language (Russian, Ukrainian etc.) and Geo-IP location to determine the execution.
     - Block processes execution (agntsvcagntsvc, msftesql, mydesktopqos, mysqld, mysqld-nt, sqlagent etc.)
     - Deletes event log (wevtutil.exe clear-log Application, wevtutil.exe clear-log Security, wevtutil.exe clear-log System)
     - Disable event log (sc config eventlog start=disabled)
     - Disable system restore (bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0, wmic SHADOWCOPY DELETE, vssadmin delete shadows /All)
     - Utilizes SDelete from SysInternals to purge empty disc drive space, disabling possible recovery by file recovery tool.
     - After secure erase, displays fake error message, then shuts down windows after 5 minutes (shutdown /S /F /T 300 /C "Unexpected shutdown due to maintenance break.")

List

위로