Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Ziggy Ransomware (.id=[<Random>].email=[lilmoon1@criptext.com].ziggy)

  • Distribution Method : Unknown
 
  • MD5 : 04aaf892226b1e11ab69b4cdd90c790f
 
  • Major Detection Name : A variant of MSIL/Filecoder.Ziggy.A (ESET), W32/Agent.AEE!tr.ransom (Fortinet)
 
  • Encrypted File Pattern : .id=[<Random>].email=[lilmoon1@criptext.com].ziggy
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\## HOW TO DECRYPT ##.exe
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Runtime Broker.exe
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\## HOW TO DECRYPT ##.exe
     - C:\Windows\System32\FCYMM<Number>.dll
 
  • Payment Instruction File : ## HOW TO DECRYPT ##.exe
 
  • Major Characteristics :
     - Offline Encryption
     - Turns off Windows Firewall (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable)
     - Disable Windows Defender ("powershell" Get-MpPreference -verbose)
     - Block processes execution (dbsnmp.exe, msftesql.exe, oracle.exe, sqlagent.exe, synctime.exe, xfssvccon.exe etc.)
     - Disable system restore (vssadmin delete shadows /all /quiet, wmic shadowcopy delete, bcdedit /set {default} bootstatuspolicy ignoreallfailures, bcdedit /set {default} recoveryenabled no, wbadmin delete catalog -quiet)

List

위로