  • Distribution Method : Unknown
 
  • MD5 : a11828339f07c41bdf234317c6418b7f
 
  • Major Detection Name : AutoIt/Ouroboros.A!tr.ransom (Fortinet), Ransom.Win32.CRYPTWIRE.THDBIAI (Trend Micro)
 
  • Encrypted File Pattern : <Original Filename>DesktopReadme.<Original Extension>
 
  • Malicious File Creation Location :
     - C:\Program Files (x86)\Common Files\<Random>.exe
     - C:\Program Files (x86)\Common Files\log.txt
     - C:\Windows\System32\Tasks\<10-Digit Number>
 
  • Payment Instruction File : INSTRUCTIONS.txt / README.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Lomix / Owl / UltraLocker / WanaCry4 Ransomware series
     - AutoIt-script-based ransomware
     - Registers a scheduled task named <10-Digit Number> that executes "C:\Program Files (x86)\Common Files\<Random>.exe" at user login.
     - Disables system restore and deletes shadow copies (vssadmin.exe Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures)
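The recovery-inhibition commands and the scheduled-task persistence listed above are the behaviours a defender can alert on. The following is an added detection example written for this page (not AppCheck's code); it matches constructed process-creation events against the exact command lines and drop locations given in the characteristics, with the event field names (image, cmdline, target_path) being an assumed EDR/Sysmon-style schema.

```python
"""Detection rules for the Ouroboros/CRYPTWIRE behaviours listed above (added example).

Events are constructed dicts in an assumed EDR-style schema: 'image' (process path),
'cmdline' (command line) and optional 'target_path' (file created by the process).
"""
import re

# Recovery-inhibition commands quoted in the characteristics list (case-insensitive).
RECOVERY_INHIBIT = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all\b.*?/quiet\b", re.I)),
    ("recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("bootstatus_ignore",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
# Persistence: a task file whose name is exactly ten digits, and the Common Files drop location.
TASK_PATH = re.compile(r"\\Windows\\System32\\Tasks\\(\d{10})$", re.I)
COMMON_FILES_EXE = re.compile(r"C:\\Program Files \(x86\)\\Common Files\\[^\\]+\.exe", re.I)

def classify_event(event: dict) -> list:
    """Return the names of every indicator the event matches (empty list if none)."""
    hits = []
    cmd = event.get("cmdline", "")
    for name, pattern in RECOVERY_INHIBIT:
        if pattern.search(cmd):
            hits.append(name)
    if TASK_PATH.search(event.get("target_path", "")):
        hits.append("ten_digit_scheduled_task")
    if COMMON_FILES_EXE.search(event.get("image", "")) or COMMON_FILES_EXE.search(cmd):
        hits.append("common_files_executable")
    return hits

def scan(events: list) -> list:
    """Return (index, hits) for every event that matched at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := classify_event(e))]

# Constructed sample events, not captured telemetry; the random file name is made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"image": r"C:\Program Files (x86)\Common Files\qwe123.exe",
     "cmdline": r'"C:\Program Files (x86)\Common Files\qwe123.exe"',
     "target_path": r"C:\Windows\System32\Tasks\1234567890"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},  # benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

Single matches on vssadmin or bcdedit also occur in legitimate administration, so pair this with the scheduled-task and Common Files indicators before escalating.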
