Ransom_RUSHQL.A
Platform: Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet
This Ransomware arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.
TECHNICAL DETAILS
File Size: 34,950 bytes
File Type: Script
Memory Resident: No
Initial Samples Received Date: 13 Apr 2017
Payload: Modifies files
Arrival Details
This Ransomware arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.
NOTES:
This ransomware comes bundled with a compromised PL/SQL Developer installer. Once a user connects to a database, the code in the "AfterConnect.sql" login script is executed.
It checks whether the database creation date is more than 1200 days in the past. If so, it creates a backup of the data and deletes it.
It displays the following message when an affected database is accessed:
Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address {BLOCKED}1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
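As an added defensive check, not part of Trend Micro's description, the following Python inspects a PL/SQL Developer AfterConnect.sql login script for the behaviour noted above: a creation-date comparison against 1200 days, dynamic SQL that backs up and removes table data, and the ransom text. It assumes a stock installation ships that file with comments only; both sample scripts are constructed here and are not the actual payload.

```python
import re

# Constructed sample of a tampered AfterConnect.sql (not the real payload);
# it only mirrors the behaviour described in the entry so the checker has input.
SUSPICIOUS_LOGIN_SCRIPT = """
-- PL/SQL Developer AfterConnect script
DECLARE
  v_age NUMBER;
BEGIN
  SELECT SYSDATE - created INTO v_age FROM v$database;
  IF v_age > 1200 THEN
    EXECUTE IMMEDIATE 'CREATE TABLE backup_t AS SELECT * FROM app.orders';
    EXECUTE IMMEDIATE 'TRUNCATE TABLE app.orders';
    RAISE_APPLICATION_ERROR(-20000, 'Hi buddy, your database was hacked by SQL RUSH Team');
  END IF;
END;
/
"""

# Constructed stand-in for an untouched login script (assumed: comments only).
CLEAN_LOGIN_SCRIPT = "-- AfterConnect.sql: executed after each connection\n\n"

# (label, pattern) pairs tied to the behaviour described in the entry.
INDICATORS = [
    ("ransom text", re.compile(r"hacked by SQL RUSH Team", re.I)),
    ("creation-date check", re.compile(r"created.*?v\$database|v\$database.*?created", re.I | re.S)),
    ("1200-day threshold", re.compile(r">\s*1200\b")),
    ("dynamic SQL", re.compile(r"EXECUTE\s+IMMEDIATE", re.I)),
    ("destructive DDL/DML", re.compile(r"\b(TRUNCATE|DROP|DELETE)\s+(TABLE\s+)?\w", re.I)),
]


def strip_comments(sql: str) -> str:
    """Remove /* */ and -- comments so only executable text is inspected."""
    sql = re.sub(r"/\*.*?\*/", "", sql, flags=re.S)
    return re.sub(r"--[^\n]*", "", sql)


def inspect_login_script(sql: str) -> dict:
    """Report which indicators fire and whether any executable statements remain."""
    code = strip_comments(sql)
    has_statements = bool(re.search(r"\S", code.replace("/", "")))
    hits = [label for label, rx in INDICATORS if rx.search(code)]
    if hits:
        verdict = "suspicious"      # matches the described ransomware behaviour
    elif has_statements:
        verdict = "review"          # unexpected statements in a comments-only file
    else:
        verdict = "clean"
    return {"has_statements": has_statements, "indicators": hits, "verdict": verdict}
```

Point the function at the AfterConnect.sql under the PL/SQL Developer installation directory; any "review" or "suspicious" verdict warrants comparing the file against the vendor's shipped copy before connecting to production databases.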
SOLUTION
Minimum Scan Engine: 9.850
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Scan your computer with your Trend Micro product to delete files detected as Ransom_RUSHQL.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 3
Restore encrypted files from backup.