MD5: 34FC48EF36D9159B2CD44E2BEB8F8D86
File Name: 152o.exe
This file is around 2.4 MB in size. We looked in the resource section and found the list of files embedded inside it. These files are used for encrypting the hard disk. We then started looking through the code of the original file and found the following interesting strings:
It is very evident that this sample uses the files in its resource section, starts the defragmentation service, and then proceeds to encrypt the hard disk. We looked into the code further and found this:
The file itself carries the contact information that is shown after a successful ransomware infection. It does not use any command-and-control communication in this case.
Usually we see ransomware trying to kill the Volume Snapshot Service. The above snap shows that this file instead tries to uninstall Deep Freeze, because it is one of the effective restore programs.
It then starts using DiskCryptor services. DiskCryptor is an open encryption solution that offers encryption of all disk partitions, including the system partition. This openness stands in sharp contrast with the current situation, where most software with comparable functionality is completely proprietary, which makes it unacceptable to use for protecting confidential data.
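The behaviour chain described above (tampering with a restore product, starting the defragmentation service, then loading DiskCryptor) is a useful detection pattern precisely because none of the three steps is suspicious on its own. The script below is an added example written for this post, not code from the sample or from DiskCryptor: it correlates process-creation events per process tree and alerts only when all three stages occur in one tree within a short window. The event records, PIDs, paths, the Deep Freeze uninstall command and the `dcrypt` service name are constructed assumptions about how each stage would appear in telemetry; only the sample name `152o.exe` comes from the write-up.

```python
"""Correlate process-creation events for the three-stage chain described in the
write-up: restore-product tampering, defragmentation service start, DiskCryptor
service use. Added example with constructed telemetry; not the sample's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# How each stage might look on a command line. These regexes are assumptions
# made for the example, not strings taken from the sample.
STAGES = {
    "restore_tamper": re.compile(r"deep ?freeze", re.I),
    "defrag_start":   re.compile(r"\b(sc|net)(\.exe)?\s+start\s+defragsvc\b", re.I),
    "diskcryptor":    re.compile(r"diskcryptor|dcrypt", re.I),
}
WINDOW = timedelta(minutes=10)

# Constructed process-creation events: (utc_time, pid, ppid, command_line).
# Paths, PIDs and the uninstall command are made up; "dcrypt" is assumed to be
# the DiskCryptor service name for the purposes of this example.
SAMPLE_EVENTS = [
    ("2019-01-01T10:00:00", 1000, 600,  r"C:\Windows\explorer.exe"),
    ("2019-01-01T10:00:05", 1200, 1000, r"C:\Users\victim\Downloads\152o.exe"),
    ("2019-01-01T10:00:06", 1210, 1200, r'"C:\Program Files\Deep Freeze\Uninstall.exe" /S'),  # hypothetical
    ("2019-01-01T10:00:08", 1220, 1200, r"sc.exe start defragsvc"),
    ("2019-01-01T10:00:09", 1230, 1200, r"sc.exe create dcrypt type= kernel binPath= C:\Windows\System32\drivers\dcrypt.sys"),
    ("2019-01-01T10:00:10", 1240, 1200, r"sc.exe start dcrypt"),
    # Benign tree: an administrator starting the defragmentation service by hand.
    ("2019-01-01T11:30:00", 2000, 650,  r"C:\Windows\System32\mmc.exe services.msc"),
    ("2019-01-01T11:30:20", 2010, 2000, r"sc.exe start defragsvc"),
]


def root_of(pid, parents):
    """Walk ppid links up to the topmost process present in the event set."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events, window=WINDOW):
    """Return one alert per process tree in which every stage fires within `window`."""
    parents = {pid: ppid for _, pid, ppid, _ in events}
    hits = defaultdict(list)  # root pid -> [(time, stage, pid)]
    for ts, pid, _, cmd in events:
        for stage, rx in STAGES.items():
            if rx.search(cmd):
                hits[root_of(pid, parents)].append((datetime.fromisoformat(ts), stage, pid))

    alerts = []
    for root, seq in hits.items():
        seq.sort()
        # Slide a window over the tree's stage hits; alert once all stages are inside it.
        for i, (t0, _, _) in enumerate(seq):
            in_window = [s for t, s, _ in seq[i:] if t - t0 <= window]
            if set(in_window) == set(STAGES):
                alerts.append({
                    "root_pid": root,
                    "start": t0.isoformat(),
                    "stages": sorted(set(in_window)),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT: ransomware-like chain in process tree", alert)
```

Running it flags only the tree rooted at the explorer.exe that launched 152o.exe; the administrator's lone `sc start defragsvc` produces no alert, which is the point of correlating the stages rather than alerting on any one of them. In production the same logic would consume Sysmon event ID 1 or EDR process-creation records instead of the constructed list.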