Videos

Check out our video library showing AppCheck defending against the newest ransomware with automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : 95eb004d05b5560426f75126bdd77649
 
  • Major Detection Name : Ransomware/Win.Underground.R590489 (AhnLab V3), Ransom:Win64/IndustrialSpy.A (Microsoft)
 
  • Encrypted File Pattern : <Original Filename>.<Original Extension>
 
  • Message File : !!readme!!!.txt
 
  • Major Characteristics :
     - Offline encryption (no key exchange with a server is required).
     - Belongs to the Industrial Spy ransomware series.
     - Stops the MSSQLSERVER service.
     - Deletes volume shadow copies, disabling system restore. (vssadmin.exe delete shadows /all /quiet)
     - Adds a registry value that sets how long a disconnected Remote Desktop session is kept alive. ("C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f)
     - Clears event logs. (wevtutil.exe cl "AMSI/Debug", wevtutil.exe cl "AirSpaceChannel", wevtutil.exe cl "Application", wevtutil.exe cl "EndpointMapper", wevtutil.exe cl "ForwardedEvents", wevtutil.exe cl "HardwareEvents" etc.)
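As an added illustration (not part of the AppCheck page), the following Python snippet scans constructed process-creation log lines for the behaviours listed above and flags a host when several of them appear together. The log format, the use of net.exe/sc.exe for the service stop and the two-rule threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation log (not from the page), in a
# simplified "timestamp|image|command line" shape.
SAMPLE_LOG = """\
2024-01-01T10:00:01|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER
2024-01-01T10:00:02|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-01-01T10:00:03|C:\\Windows\\System32\\reg.exe|"C:\\Windows\\System32\\reg.exe" add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
2024-01-01T10:00:04|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe  cl "Application"
2024-01-01T10:00:05|C:\\Windows\\System32\\wevtutil.exe|wevtutil.exe  cl "ForwardedEvents"
2024-01-01T10:00:06|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\a\\notes.txt
"""

# One regex per behaviour under "Major Characteristics". The service-stop
# pattern assumes net.exe or sc.exe; the page does not say how it is stopped.
RULES = {
    "shadow_copy_deletion": re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b', re.I),
    "event_log_clear": re.compile(r'\bwevtutil(\.exe)?\s+cl\s+"?([^"\s]+)', re.I),
    "rdp_disconnect_timeout": re.compile(r'\breg(\.exe)?"?\s+add\b.*\bMaxDisconnectionTime\b', re.I),
    "mssql_service_stop": re.compile(r'\b(net|sc)(\.exe)?\s+stop\s+MSSQLSERVER\b', re.I),
}

def parse_log(text):
    """Split the log into (timestamp, image, cmdline) tuples."""
    return [tuple(line.split("|", 2)) for line in text.splitlines() if line.strip()]

def match_events(events):
    """Return (rule_name, cmdline) for every event that matches a rule."""
    return [(name, cmd) for _ts, _img, cmd in events
            for name, rx in RULES.items() if rx.search(cmd)]

def cleared_channels(events):
    """Names of the event log channels cleared with 'wevtutil cl'."""
    found = set()
    for _ts, _img, cmd in events:
        m = RULES["event_log_clear"].search(cmd)
        if m:
            found.add(m.group(2))
    return sorted(found)

def assess(text, min_rules=2):
    """Flag the host when at least min_rules distinct behaviours occur (threshold is an assumption)."""
    events = parse_log(text)
    hits = match_events(events)
    distinct = Counter(name for name, _ in hits)
    return {"distinct_rules": sorted(distinct), "hits": len(hits),
            "cleared_channels": cleared_channels(events),
            "suspicious": len(distinct) >= min_rules}
```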
