Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 8a5e5437e142ea0380875081b8fe095f
- Major Detection Name : Ransom.CryLocker (Malwarebytes), Ransom:Win32/Cryak.PA!MTB (Microsoft)
- Encrypted File Pattern : .<Original Extension>[grand@horsefucker.org][<Random>-<Random>].<3-Digit Random Extension>
- Malicious File Creation Location :
- C:\Users\%UserName%\AppData\Local\Temp\how_to_decrypt.hta
- C:\Users\%UserName%\AppData\Local\Temp\svc<Random>.exe
- C:\Users\%UserName%\AppData\Local\Temp\<Drive Letter>-<Number>.log
- C:\Windows\System32\Tasks\BCBoot
- C:\Windows\System32\Tasks\BCRecover
- C:\Windows\System32\Tasks\VssDataRestore
- C:\Windows\System32\Tasks\WBadminBackupRestore
- C:\Windows\System32\Tasks\WBadminSystemRestore
- C:\Windows\System32\Tasks\WMICRestore
- Payment Instruction File : how_to_decrypt.hta
- Major Characteristics :
- Offline Encryption
- Reruns by adding "BCBoot" in Task Scheduler to disable system restore (bcdedit /set {default} bootstatuspolicy ignoreallfailures)
- Reruns by adding "BCRecover" in Task Scheduler to disable system restore (bcdedit /set {default} recoveryenabled No)
- Reruns by adding "VssDataRestore" in Task Scheduler to disable system restore (vssadmin delete shadows /all /quiet)
- Reruns by adding "WBadminBackupRestore" in Task Scheduler to disable system restore (wbadmin DELETE BACKUP -keepVersions:0)
- Reruns by adding "WBadminSystemRestore" in Task Scheduler to disable system restore (wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0)
- Reruns by adding "WMICRestore" in Task Scheduler to disable system restore (wmic SHADOWCOPY DELETE)