Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Sodinokibi Ransomware (.<5~10-Digit Random Extension> / <Encryption Extension>-readme.txt / Version Kaseya VSA)

  • Distribution Method : Leveraging a vulnerability in the software of Kaseya VSA on-premises products
 
  • MD5 : 561cffbaba71a6e8cc1cdceda990ead4
 
  • Major Detection Name : Ransomware/Win.Sodinokibi.C4540962 (AhnLab V3), TR/AD.SodinoRansom.xacle (Avira)
 
  • Encrypted File Pattern : .<5~10-Digit Random Extension>
 
  • Malicious File Creation Location :
     - C:\Windows\mpsvc.dll
     - C:\Windows\MsMpEng.exe
 
  • Payment Instruction File : <Encryption Extension>-readme.txt
 
  • Major Characteristics :
     - Offline Encryption
     - AnteFrigus / GandCrab Ransomware series
     - Use a "PB03 TRANSPORT LTD." Digital Signatures
     - Allow Windows firewall rules (Network Discovery)
     - Disable system restore
     - Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\<Random>.bmp)

List

위로