- Distribution Method : Unknown
 
 - MD5 : eaebaa9026e4f0d9c62bf3c23bac7b51
 
 - Major Detection Name : DeepScan:Generic.Ransom.JSWORM.C28E5264 (BitDefender), Ransom.JSWorm (Malwarebytes)
 
 - Encrypted File Pattern : .[ID-<Random>][doctorSune@protonmail.com].TRUMP
 
 - Malicious File Creation Location :
   - C:\ProgramData\Microsoft\svchost.exe
   - C:\ProgramData\key.TRUMP
   - C:\ProgramData\user_data.TRUMP
   - C:\Windows\System32\Tasks\TRUMP
 - Payment Instruction File : TRUMP-DECRYPT.txt
 
 - Major Characteristics :
   - Offline encryption
   - Adds a TRUMP task to the Task Scheduler to execute "C:\ProgramData\Microsoft\svchost.exe" at user login.
   - Blocks process execution (bes10*, black*, IBM*, mysql*, sql, store.exe etc.)
   - Stops service execution (mr2kserv, MSExchangeADTopology, MSSQLServerADHelper100, ReportServer$ISARS, SQLAgent$ISARS, WinDefend etc.)
   - Disables system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures)
   - Deletes the event log
 