Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
  • MD5 : 65eb43ffb8abc7d488d5d6a24f2f0818
  • Major Detection Name : DeepScan:Generic.Ransom.JSWORM.BB69C864 (BitDefender), (Kaspersky)
  • Encrypted File Pattern : .[ID-<Number>][].UNNAMED
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\build_MUI.exe
     - C:\ProgramData\Microsoft\svchost.exe
     - C:\ProgramData\key.JSWORM
     - C:\ProgramData\user_data.JSWORM
     - C:\Windows\System32\Tasks\UNNAMED
  • Payment Instruction File : UNNAMED-DECRYPT.txt
  • Major Characteristics :
     - Offline Encryption
     - Block processes execution (bes10*, black*, IBM*, mysql*, postg, sage*, sql, sql*, store.exe, vee*)
     - Stop services execution (mr2kserv, MSExchangeADTopology, MSSQL$ISARS, ReportServer$ISARS, SQLAgent$ISARS, SQLWriter etc.)
     - Disables Event Log (net1 stop eventlog /y, sc config eventlog start=disabled)
     - Deletes event log (cmd.exe /c FOR /F "delims = " %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I"), cmd.exe /c for /F "tokens = *" %1 in ('wevtutil.exe el') DO wevtutil.exe cl " % 1")
     - Disable system restore (vssadmin.exe Delete Shadows /All /Quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy ignoreallfailures)
     - Adds UNNAMED to scheduler to execute "C:\ProgramData\Microsoft\build_MUI.exe" at user login.