AutoCryptor Ransomware (No Change)

  • Distribution Method : Mail attachment
  • MD5 : 235dbc5d1a2d750248ac16bbfdd907f1
  • Major Detection Name : Trojan.Ransom.FrozrLock (ALYac), Ransom:Win32/Ranscrape (Microsoft)
  • Encrypted File Pattern : No Change
  • Malicious File Creation Location :
         - C:\Users\%UserName%\AppData\Roaming\file_list.txt
         - C:\Users\%UserName%\AppData\Roaming\Locker_ID.txt
         - C:\Users\%UserName%\AppData\Roaming\Pub_Key.xml
         - C:\Users\%UserName%\AppData\Roaming\update.exe
  • Payment Instruction File : READ_ME.txt
  • Major Characteristics :
         - Uses an invalid "Kinder Lab" digital signature
         - Executes the ransomware through Event Viewer (eventvwr.msc)
         - Interferes with file recovery by running "C:\Windows\System32\cmd.exe" cipher /w:<Drive Letter> commands
         - Encrypts .exe executable files that exist in the encryption target folder
         - Presents the encryption guide through the Text-to-Speech (TTS) function