Ziggy Ransomware (.id=[<Random>].email=[].ziggy)

  • Distribution Method : Unknown
  • MD5 : 04aaf892226b1e11ab69b4cdd90c790f
  • Major Detection Name : A variant of MSIL/Filecoder.Ziggy.A (ESET), W32/Agent.AEE!tr.ransom (Fortinet)
  • Encrypted File Pattern : .id=[<Random>].email=[].ziggy
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\## HOW TO DECRYPT ##.exe
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Runtime Broker.exe
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\## HOW TO DECRYPT ##.exe
     - C:\Windows\System32\FCYMM<Number>.dll
  • Payment Instruction File : ## HOW TO DECRYPT ##.exe
  • Major Characteristics :
     - Offline Encryption
     - Turns off Windows Firewall (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable)
     - Disables Windows Defender ("powershell" Get-MpPreference -verbose)
     - Blocks execution of processes (dbsnmp.exe, msftesql.exe, oracle.exe, sqlagent.exe, synctime.exe, xfssvccon.exe etc.)
     - Disables system restore (vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wbadmin delete catalog -quiet)
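As an added defender-side example (not part of the original profile), the firewall, shadow-copy, boot-policy and backup-catalog commands listed under Major Characteristics can be turned into detection logic over process-creation telemetry; a parent that issues commands from several of these categories in a row is the pattern described above rather than a lone administrative command. The event layout and the sample events are constructed for illustration; the parent path reuses the Runtime Broker.exe location from the profile.

```python
import re
from collections import defaultdict

# Regexes derived from the tamper commands listed in the Ziggy profile.
TAMPER_PATTERNS = {
    "firewall_off": re.compile(
        r"netsh\s+(?:advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I),
    "shadow_copy_delete": re.compile(
        r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I),
    "boot_recovery_disable": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
}

def classify_command_line(cmd):
    """Return the sorted tamper labels whose pattern matches one command line."""
    return sorted(label for label, rx in TAMPER_PATTERNS.items() if rx.search(cmd))

def scan_process_events(events, min_categories=2):
    """Group process-creation events by parent image and flag parents that issued
    commands from at least `min_categories` distinct tamper categories.
    Returns {parent_image: sorted labels} for flagged parents only."""
    by_parent = defaultdict(set)
    for ev in events:
        by_parent[ev["parent"]].update(classify_command_line(ev["cmd"]))
    return {p: sorted(labels) for p, labels in by_parent.items()
            if len(labels) >= min_categories}

# Constructed sample process-creation events (not real telemetry).
RANSOM_PARENT = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Runtime Broker.exe"
SAMPLE_EVENTS = [
    {"parent": RANSOM_PARENT, "cmd": "netsh advfirewall set currentprofile state off"},
    {"parent": RANSOM_PARENT, "cmd": "vssadmin delete shadows /all /quiet"},
    {"parent": RANSOM_PARENT, "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"parent": RANSOM_PARENT, "cmd": "wbadmin delete catalog -quiet"},
    # A single shadow-copy deletion from an admin shell: one category, not flagged by default.
    {"parent": r"C:\Windows\System32\cmd.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"parent": r"C:\Windows\explorer.exe", "cmd": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for parent, labels in scan_process_events(SAMPLE_EVENTS).items():
        print(f"FLAGGED {parent}: {', '.join(labels)}")
```

Lowering `min_categories` to 1 turns the scan into a plain indicator match, which is noisier but useful for hunting after the fact.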