- Distribution Method : Mail attachment
- MD5 : 235dbc5d1a2d750248ac16bbfdd907f1
- Major Detection Name : Trojan.Ransom.FrozrLock (ALYac), Ransom:Win32/Ranscrape (Microsoft)
- Encrypted File Pattern : No Change
- Malicious File Creation Location :
  - C:\Users\%UserName%\AppData\Roaming\file_list.txt
  - C:\Users\%UserName%\AppData\Roaming\Locker_ID.txt
  - C:\Users\%UserName%\AppData\Roaming\Pub_Key.xml
  - C:\Users\%UserName%\AppData\Roaming\update.exe
- Payment Instruction File : READ_ME.txt
- Major Characteristics :
  - Uses an invalid "Kinder Lab" digital signature
  - Executes the ransomware via Event Viewer (eventvwr.msc)
  - Hinders file recovery by running "C:\Windows\System32\cmd.exe" with the cipher /w:<Drive Letter> command, which overwrites free disk space so deleted originals cannot be recovered
  - Encrypts .exe executable files present in the encryption target folders
  - Reads the encryption notice aloud using the Text-to-Speech (TTS) function