映像

様々なランサムウェアに対応するAppCheckの事前防御、自動復旧およびリアルタイムバックアップ機能を映像でご確認いただけます。

  • Distribution Method : Unknown
 
  • MD5 : 413770ba14b8df7a7f291aef9e1b5af1
 
  • Major Detection Name : Ransom.Rapid (Malwarebytes), Ransom:Win32/Robinhood.AR!MTB (Microsoft)
 
  • Encrypted File Pattern : <Random Filename>.cryptolocker
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Roaming\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}
     - C:\Users\%UserName%\AppData\Roaming\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\norapid.exe
     - C:\Users\%UserName%\AppData\Roaming\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\rapidrecovery.txt
     - C:\Windows\System32\Tasks\SvcSafeData
 
  • Payment Instruction File : !DECRYPT_FILES.txt / rapidrecovery.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Disable and Blocks Command Prompt (cmd.exe) and Task Manager (Taskmgr.exe)
     - Delete multi services (MsDtsServer130, MSSQLFDLauncher, ReportServer, SQLSERVERAGENT, storflt, vmickvpexchange etc.)
     - Block processes execution (fdlauncher.exe, msmdsrv.exe, pg_ctl.exe, ReportingServicesService.exe, sqlbrowser.exe, UniFi.exe etc.)
     - Delete backup files (*.bac, *.bak, *.bkf, *.dsk, *.set, *.VHD, *.wbcat, *.win, Backup*.*)
     - Disable system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, wbadmin DELETE, SYSTEMSTATEBACKUP, wmic SHADOWCOPY DELETE, vssadmin.exe resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin.exe resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded)
     - Adds SvcSafeData to scheduler to execute "%AppData%\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\norapid.exe" every minute
     - Changes desktop background (%AppData%\{A7DBD80C-410D-4C87-99F9-B19C0DA21BF1}\kakdela.bmp)

リスト

위로