Crypt888 Ransomware (Lock.<Original Filename>.<Original Extension> / YOUR FILES ARE ALL GONE) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Download a file after inducing access to the Phishing site

MD5 : aea013d01453f97db80b01838255e414

Major Detection Name : Ransom:AutoIt/Lokmwiz.B!bit (Microsoft), Ransom.Win32.MIRCOP.AA (Trend Micro)

Encrypted File Pattern : Lock.<Original Filename>.<Original Extension>

Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\Temp\8x8x8
- C:\Users\%UserName%\AppData\Local\Temp\32.cab
- C:\Users\%UserName%\AppData\Local\Temp\64.cab
- C:\Users\%UserName%\AppData\Local\Temp\888.vbs
- C:\Users\%UserName%\AppData\Local\Temp\x.exe
- C:\Microsoft Update.lnk

Major Characteristics :
- Offline Encryption
- Encephalitis / GrodexCrypt / Lecitricic Lycor / MicroCop / Zuahahhah Ransomware series
- AutoIt scripts based Ransomware
- Turns off User Access Control (UAC)
- Kill a web browser processes (chrome.exe, firefox.exe, iexplore.exe, opera.exe, tor.exe) and Block Skype processes execution.
- Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\wl.jpg)