  • Distribution Method : Mail attachment
  • MD5 : ba6ed06e4b5cc53fc71746ec4be4a419
  • Major Detection Name : Trojan.Ransom.AutoCryptor (ALYac), Ransom/W32.Blocker.302080 (nProtect)
  • Encrypted File Pattern : No Change
  • Malicious File Creation Location : C:\Users\%UserName%\AppData\Roaming\UpdateServices.exe
  • Payment Instruction File : THIS_YOU_MUST_READ.txt
  • Major Characteristics :
         - Targets Korean users
         - Executes the ransomware using Event Viewer (eventvwr.msc)
         - Disables system restore (vssadmin.exe delete shadows /ALL /Quiet)
         - Hinders file recovery using "C:\Windows\System32\cmd.exe" cipher /w:<Drive Letter> commands
         - Gives encryption guidance using the Text-to-Speech (TTS) function
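
The characteristics above can be matched against process-creation telemetry. The following Python sketch is an added example, not AppCheck's code: the event field names, the rule names, the user name `kim` and the sample events are constructed, and it assumes that "execution using Event Viewer" shows up as eventvwr.exe being the parent of a process other than mmc.exe.

```python
import re

# Command-line and path indicators from the characteristics listed above.
# Field names (image, parent_image, command_line) are assumed, not a real schema.
RULES = {
    "shadow_copy_deletion": ("command_line", re.compile(
        r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b.*?/all\b', re.I)),
    "free_space_wipe": ("command_line", re.compile(
        r'\bcipher(\.exe)?"?\s+/w:', re.I)),
    "payload_path": ("image", re.compile(
        r"\\AppData\\Roaming\\UpdateServices\.exe$", re.I)),
}

# Constructed sample events; the last two are benign look-alikes.
U = r"C:\Users\kim\AppData\Roaming\UpdateServices.exe"
S = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"image": U, "parent_image": S + "eventvwr.exe", "command_line": U},
    {"image": S + "vssadmin.exe", "parent_image": U,
     "command_line": "vssadmin.exe delete shadows /ALL /Quiet"},
    {"image": S + "cmd.exe", "parent_image": U,
     "command_line": '"' + S + 'cmd.exe" cipher /w:C'},
    {"image": S + "mmc.exe", "parent_image": S + "eventvwr.exe",
     "command_line": "mmc.exe eventvwr.msc"},
    {"image": S + "vssadmin.exe", "parent_image": S + "cmd.exe",
     "command_line": "vssadmin list shadows"},
]

def match_event(event):
    """Return the sorted names of the rules one process-creation event hits."""
    hits = {name for name, (field, rx) in RULES.items()
            if rx.search(event.get(field, ""))}
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    # Assumption: eventvwr.exe normally starts only mmc.exe, so any other child is flagged.
    if parent.endswith("\\eventvwr.exe") and not image.endswith("\\mmc.exe"):
        hits.add("event_viewer_child")
    return sorted(hits)

def score_host(events):
    """Collect the distinct rule hits seen across all events from one host."""
    seen = set()
    for ev in events:
        seen.update(match_event(ev))
    return sorted(seen)

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", match_event(ev))
    print("host:", score_host(SAMPLE_EVENTS))
```

A single hit can have an administrative explanation; several distinct hits on one host in a short window are what fit this listing.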