ExecutionerPlus Ransomware (.mdpluss.executioner / .txtpluss.executioner / .destroy.executioner)

  • Distribution Method : Unknown
 
  • MD5 : 7005198838ed12668a7c5e9beab0683e
 
  • Major Detection Name : a variant of MSIL/Filecoder.CryptoJoker.D (ESET), Ransom_EXECUTIONER.D (Trend Micro)
 
  • Encrypted File Pattern :
     - .md, .txt file extensions : <Original Filename>.mdpluss.executioner / <Original Filename>.txtpluss.executioner
     - Other file extensions : <Original Filename>.<Original Extension>.destroy.executioner
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Roaming\executioner.plus
     - C:\Users\%UserName%\AppData\Roaming\plus.executioner
 
  • Payment Instruction File : Readme.html
 
  • Major Characteristics :
     - Offline Encryption
     - CryptoJoker / CryptoNar Ransomware series
     - .md, .txt file extensions (full encryption) + other file extensions (encrypts up to 1,024 bytes)
     - Disables system restore (vssadmin delete shadows /all /quiet)
     - Includes a CoinHive (cryptocurrency miner) script in the Readme.html message file.
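
A triage helper for the file-name indicators listed above, added here as an example and not code from AppCheck or from the malware: it classifies paths from a file listing and recovers the original file name from each encrypted name. The names classify, triage and SAMPLE are hypothetical, the sample listing is constructed, and treating Readme.html alone as insufficient evidence is an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Suffixes from the "Encrypted File Pattern" entry above.
FULL = re.compile(r"^(?P<stem>.+)\.(?P<ext>md|txt)pluss\.executioner$", re.I)
PARTIAL = re.compile(r"^(?P<orig>.+)\.destroy\.executioner$", re.I)
# Names from "Malicious File Creation Location" (under AppData\Roaming).
MARKERS = {"executioner.plus", "plus.executioner"}

# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\Users\alice\Documents\notes.txtpluss.executioner",
    r"C:\Users\alice\Documents\README.mdpluss.executioner",
    r"C:\Users\alice\Pictures\cat.jpg.destroy.executioner",
    r"C:\Users\alice\AppData\Roaming\plus.executioner",
    r"C:\Users\alice\Desktop\Readme.html",
    r"C:\Users\alice\Documents\budget.xlsx",
]


def classify(path):
    """Return (kind, original_name) for one path, or None if unrelated."""
    p = PureWindowsPath(path)
    m = FULL.match(p.name)
    if m:  # .md/.txt: listed as fully encrypted
        return ("full", f"{m['stem']}.{m['ext']}")
    m = PARTIAL.match(p.name)
    if m:  # any other extension: up to 1,024 bytes encrypted
        return ("partial", m["orig"])
    low = p.name.lower()
    if low in MARKERS and p.parent.name.lower() == "roaming":
        return ("marker", None)
    if low == "readme.html":  # common file name, so a weak indicator alone
        return ("note", None)
    return None


def triage(paths):
    """Group a listing by indicator kind; a ransom note alone is not a hit."""
    report = {"full": [], "partial": [], "marker": [], "note": []}
    for path in paths:
        hit = classify(path)
        if hit:
            report[hit[0]].append((path, hit[1]))
    report["infected"] = bool(report["full"] or report["partial"] or report["marker"])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The "partial" list is the useful output for recovery planning, since those files are listed as only encrypted up to 1,024 bytes.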
