Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : 7f87db33980c0099739de40d1b725500
 
  • Major Detection Name : a variant of Win32/Exploit.Equation.M (ESET), Ransom.Katyusha (Malwarebytes)
 
  • Encrypted File Pattern : .katyusha
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\_how_to_decrypt_you_files.html
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\_how_to_decrypt_you_files.txt
     - C:\ProgramData\_how_to_decrypt_you_files.txt
     - C:\Windows\Temp\cnli-1.dll
     - C:\Windows\Temp\coli-0.dll
     - C:\Windows\Temp\crli-0.dll
     - C:\Windows\Temp\dmgd-4.dll
     - C:\Windows\Temp\exma-1.dll
     - C:\Windows\Temp\katyusha.dll
     - C:\Windows\Temp\KillDuplicate.cmd
     - C:\Windows\Temp\Ktsi.exe
     - C:\Windows\Temp\libeay32.dll
     - C:\Windows\Temp\libxml2.dll
     - C:\Windows\Temp\m32.exe
     - C:\Windows\Temp\m64.exe
     - C:\Windows\Temp\posh-0.dll
     - C:\Windows\Temp\ssleay32.dll
     - C:\Windows\Temp\svchostb.exe
     - C:\Windows\Temp\svchostb.xml
     - C:\Windows\Temp\svchostbs.exe
     - C:\Windows\Temp\svchostbs.xml
     - C:\Windows\Temp\svchostp.exe
     - C:\Windows\Temp\tibe-2.dll
     - C:\Windows\Temp\trch-1.dll
     - C:\Windows\Temp\trfo-2.dll
     - C:\Windows\Temp\tucl-1.dll
     - C:\Windows\Temp\ucl.dll
     - C:\Windows\Temp\xdvl-0.dll
     - C:\Windows\Temp\Zkts.exe
     - C:\Windows\Temp\zlib1.dll
     - C:\_how_to_decrypt_you_files.txt
 
  • Payment Instruction File : _how_to_decrypt_you_files.html / _how_to_decrypt_you_files.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Block processes execution (mysqld.exe, mysqld-nt.exe, oracle.exe, sqlagent.exe, sqlsevr.exe, sqlwriter.exe etc.)
     - Disable system restore (vssadmin delete shadows /all /quiet)
     - Network propagation function using EternalBlue SMB vulnerability

List

위로