Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

CryLock Ransomware (.<Original Extension>[grand@horsefucker.org][<Random>-<Random>].<3-Digit Random Extension>)

  • Distribution Method : Unknown
 
  • MD5 : 8a5e5437e142ea0380875081b8fe095f
 
  • Major Detection Name : Ransom.CryLocker (Malwarebytes), Ransom:Win32/Cryak.PA!MTB (Microsoft)
 
  • Encrypted File Pattern : .<Original Extension>[grand@horsefucker.org][<Random>-<Random>].<3-Digit Random Extension>
 
  • Malicious File Creation Location :
     - C:\Users\%UserName%\AppData\Local\Temp\how_to_decrypt.hta
     - C:\Users\%UserName%\AppData\Local\Temp\svc<Random>.exe
     - C:\Users\%UserName%\AppData\Local\Temp\<Drive Letter>-<Number>.log
     - C:\Windows\System32\Tasks\BCBoot
     - C:\Windows\System32\Tasks\BCRecover
     - C:\Windows\System32\Tasks\VssDataRestore
     - C:\Windows\System32\Tasks\WBadminBackupRestore
     - C:\Windows\System32\Tasks\WBadminSystemRestore
     - C:\Windows\System32\Tasks\WMICRestore
 
  • Payment Instruction File : how_to_decrypt.hta
 
  • Major Characteristics :
     - Offline Encryption
     - Reruns by adding "BCBoot" in Task Scheduler to disable system restore (bcdedit /set {default} bootstatuspolicy ignoreallfailures)
     - Reruns by adding "BCRecover" in Task Scheduler to disable system restore (bcdedit /set {default} recoveryenabled No)
     - Reruns by adding "VssDataRestore" in Task Scheduler to disable system restore (vssadmin delete shadows /all /quiet)
     - Reruns by adding "WBadminBackupRestore" in Task Scheduler to disable system restore (wbadmin DELETE BACKUP -keepVersions:0)
     - Reruns by adding "WBadminSystemRestore" in Task Scheduler to disable system restore (wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0)
     - Reruns by adding "WMICRestore" in Task Scheduler to disable system restore (wmic SHADOWCOPY DELETE)

List

위로