Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Gopher Ransomware (<Original Filename>.<Original Extension> → <Base64>.lockedv1)

  • Distribution Method : Unknown
 
  • MD5 : 35ed0713bd4989332c43f8400f01fc8c
 
  • Major Detection Name : Ransom:Win64/FileCrypter.MK!MTB (Microsoft), Ransom_FileCrypter.R002C0DA121 (Trend Micro)
 
  • Encrypted File Pattern : <Original Filename>.<Original Extension> → <Base64>.lockedv1
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\READMEV1.txt
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\windows-update-CVE-wLK.exe
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READMEV1.txt
 
  • Payment Instruction File : READMEV1.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Use a "Mozilla Corporation" Digital Signatures
     - Turns off User Access Control (UAC)
     - Disable system restore (vssadmin Delete Shadows /All /Quiet)
     - Empty the trash (cmd /C "rd /s /q <Drive Letter>:\\$RECYCLE.BIN")

List

위로