
Crypto locker worm
A new version of the Ryuk ransomware is capable of worm-like self-propagation within a local network, researchers have found. The variant first emerged in Windows-focused campaigns earlier in 2021, according to the French National Agency for the Security of Information Systems (ANSSI). The agency said that it achieves self-replication by scanning for network shares, and then copying a unique version of the ransomware executable (with the file name rep.exe or lan.exe) to each of them as they are found.

CryptoLocker is a ransomware that uses encryption to corrupt your documents, and asks for a payment to restore them. It keeps persistence by having two processes re-spawning each other when killed, and by restoring the RUN/RUNONCE registry value. Those processes are responsible for crawling the hard drives (and USB drives as well) to search for new files to encrypt, and for displaying the ransom web pages that gather your payment information (following capture).

With a simple analysis with DiffView, we can see that it stores the list of encrypted files in a registry key. We can also see the persistence RUN values, which allow the infection to restart at boot:

OS: Microsoft Windows XP Professionnel Service Pack 3 (x86)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce : *CryptoLocker ("C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : CryptoLocker ("C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\\Count : HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\gvtml\Ohernh\EX_Dhnenagvar\Zcsdyitfmnkaaao.rkr (System.Byte)
HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files
HKEY_CURRENT_USER\Software\CryptoLocker_0388
C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe

Simply scan your computer with RogueKiller and remove the registry values. Unfortunately, the files cannot be decrypted.
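As an added example (not part of the original post or of RogueKiller), the following Python script triages report lines like the ones above: it flags Run/RunOnce entries whose target sits in a user-writable profile folder, decodes the ROT13-obfuscated UserAssist execution record, and spots the CryptoLocker_* state key and its Files list. It assumes the "KEY : NAME (DATA)" line layout shown on the page; the sample input is constructed from the page's own values.

```python
import codecs
import re

# Constructed sample: the registry entries quoted in the post, one per line.
SAMPLE_REPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce : *CryptoLocker ("C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : CryptoLocker ("C:\Documents and Settings\tigzy\Local Settings\Application Data\Knymfhjmpodrhjjx.exe")
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\\Count : HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\gvtml\Ohernh\EX_Dhnenagvar\Zcsdyitfmnkaaao.rkr (System.Byte)
HKEY_CURRENT_USER\Software\CryptoLocker_0388\Files
HKEY_CURRENT_USER\Software\CryptoLocker_0388
"""

# Assumed "KEY : NAME (DATA)" layout, as printed in the post's RogueKiller excerpt.
AUTORUN = re.compile(r'^(?P<key>[^:]+\\(?:Run|RunOnce)) : (?P<name>\S+) \("(?P<path>[^"]+)"\)$')
USERASSIST = re.compile(r'^(?P<key>.*\\UserAssist\\.*) : (?P<value>.+?) \(System\.Byte\)$')
CRYPTOLOCKER_KEY = re.compile(r'^HKEY_[A-Z_]+\\Software\\CryptoLocker_[0-9A-Fa-f]+(\\Files)?$')

# Per-user writable folders on XP where a dropped executable should raise suspicion.
USER_WRITABLE = ("\\local settings\\application data\\", "\\application data\\", "\\temp\\")


def triage(report):
    """Return a list of (category, detail) findings, one per suspicious line."""
    findings = []
    for line in report.strip().splitlines():
        line = line.strip()
        m = AUTORUN.match(line)
        if m:
            path = m.group("path")
            # An autostart value pointing into the user profile is the persistence hook.
            if any(tag in path.lower() for tag in USER_WRITABLE):
                findings.append(("autorun_user_writable", f"{m.group('name')} -> {path}"))
            continue
        m = USERASSIST.match(line)
        if m:
            # UserAssist value names are ROT13-obfuscated; decode to read the executed path.
            findings.append(("userassist_exec", codecs.decode(m.group("value"), "rot13")))
            continue
        if CRYPTOLOCKER_KEY.match(line):
            # The Files subkey holds the list of encrypted files; the parent is the state key.
            cat = "encrypted_file_list" if line.endswith("\\Files") else "cryptolocker_state_key"
            findings.append((cat, line))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_REPORT):
        print(f"{category:24s} {detail}")
```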









