Ransom.Win32.SODINOKIBI.THGAAAI
Trojan.Win32.DelShad.sw(Kaspersky); Trojan:Win32/Wacatac.B!ml (Microsoft)
Windows
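Malware type:
Ransomware
Destructive:
No
Encrypted:
In the wild:
Yes
Overview
This malware arrives on a computer as a file dropped by other malware or as a file that users unknowingly download from malicious websites.
It gathers certain information on the affected computer.
Technical Details
Arrival Details
This malware arrives on a computer as a file dropped by other malware or as a file that users unknowingly download from malicious websites.
Installation
This malware drops the following files: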
- %User Temp%\{random characters}.bmp -> ransom wallpaper
- {encrypted folder}\{appended ransom extension}-readme.txt -> ransom note
(Note: %User Temp% is the temporary folder of the currently logged-on user. On Windows 2000 (32-bit), XP, and Server 2003 (32-bit) it is usually "C:\Documents and Settings\<user name>\Local Settings\Temp". On Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit) it is usually "C:\Users\<user name>\AppData\Local\Temp".)
It adds the following processes:
- vssadmin.exe Delete Shadows /All /Quiet -> deletes shadow copies
- bcdedit /set {default} recoveryenabled No -> disables startup repair
- bcdedit /set {default} bootstatuspolicy ignoreallfailures -> disables windows error recovery
It creates the following mutex to prevent more than one copy of itself from running in memory:
- Global\FB864EC7-B361-EA6D-545C-E1A167CCBE95
Other System Modifications
It adds the following registry keys:
HKEY_CURRENT_USER\Software\QtProject
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
It adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
sxsP = {Hex Bytes}
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
BDDC8 = {Hex Bytes}
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
f7gVD7 = {Hex Bytes}
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
Xu7Nnkd = {appended ransom extension}
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
pvg = {Hex Bytes}
HKEY_CURRENT_USER\Software\QtProject\
OrganizationDefaults
sMMnxpgk = {Hex Bytes}
It modifies the following registry entry to change the desktop wallpaper:
HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{random characters}.bmp
It sets the computer's desktop wallpaper to the following image:
Process Termination
It terminates the following processes if it finds them running on the affected computer:
- thunderbird.exe
- msaccess.exe
- ocautoupds.exe
- dbsnmp.exe
- sql.exe
- mspub.exe
- outlook.exe
- xfssvccon.exe
- powerpnt.exe
- wordpa.exe
- mydesktopqos.exe
- steam.exe
- mydesktopservice.exe
- excel.exe
- oracle.exe
- firefox.exe
- winword.exe
- tbirdconfig.exe
- visio.exe
- sqbcoreservice.exe
- onenote.exe
- dbeng50.exe
- synctime.exe
- ocomm.exe
- infopath.exe
- agntsvc.exe
- ocssd.exe
- encsvc.exe
- isqlplussvc.exe
- thebat.exe
Information Theft
It gathers the following information on the affected computer:
- Computer name
- User name
- Workgroup
- Processor
- Operating System
- System Architecture
Stolen Information
It sends the gathered information via HTTP POST to the following URL:
- https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
- wp-content
- include
- content
- uploads
- static
- admin
- data
- news
- images
- pictures
- image
- temp
- tmp
- graphic
- assets
- pics
- jpg
- png
- gif
Ransomware Routine
It avoids encrypting files that contain the following strings in their file name:
- File Extensions:
- theme
- shs
- ico
- hlp
- msu
- rtp
- msstyles
- diagcab
- lock
- rom
- ics
- cur
- prf
- icns
- bat
- cmd
- nls
- deskthemepack
- com
- ldf
- icl
- mpa
- ps1
- key
- diagcfg
- idx
- ocx
- drv
- ani
- cpl
- diagpkg
- adv
- sys
- scr
- dll
- exe
- cab
- msp
- 386
- hta
- lnk
- wpx
- nomedia
- mod
- msi
- msc
- bin
- themepack
- spl
- File Name:
- boot.ini
- ntuser.dat.lo
- desktop.ini
- ntuser.dat
- bootsect.bak
- ntldr
- autorun.inf
- iconcache.db
- ntuser.ini
- thumbs.db
- bootfont.bin
It avoids encrypting files found in the following folders:
- intel
- $windows.~bt
- program files (x86)
- mozilla
- $windows.~ws
- msocache
- windows.old
- perflogs
- system volume information
- $recycle.bin
- programdata
- application data
- windows
- appdata
- boot
- program files
- tor browser
It appends the following extension to the file names of encrypted files:
- .{random characters}
The following file that it drops is the ransom note:
- {encrypted folder}\{appended ransom extension}-readme.txt
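It leaves a text file containing the following as the ransom note:
Solution
Step 1
Before running a virus scan, Windows XP, Windows Vista, and Windows 7 users must disable System Restore so that the malware, adware, or similar threat can be completely removed from the computer.
Step 2
Running this malware, adware, or similar threat does not necessarily install every file, folder, and registry key or value listed in these steps on the computer. The installation may be incomplete, or it may not take place because of operating system (OS) conditions. If the file, folder, or registry information listed in a step is not found, that step is not needed; proceed to the next step.
Step 3
Identify the file name detected as "Ransom.Win32.SODINOKIBI.THGAAAI" and terminate that file.
- Not all running processes may be displayed in Windows Task Manager. In this case, use a tool such as "Process Explorer" to terminate the malware file. For details on "Process Explorer", refer to this page.
- The detected file may be displayed in Windows Task Manager or "Process Explorer" but cannot be deleted. In this case, restart the computer in safe mode. For details on safe mode, refer to this page.
- If the detected file is not displayed in Task Manager, proceed to the next step.
Step 4
Search for and delete the following files: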
- %User Temp%\{random characters}.bmp
- {encrypted folder}\{appended ransom extension}-readme.txt
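Step 5
Delete the unknown registry keys.
Warning: The registry is a database that stores Windows configuration information, and a faulty registry edit can prevent the system from operating normally.
Edit the registry at your own risk. We cannot provide compensation for any problem caused by editing the registry.
Refer to this page before editing the registry.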
- HKEY_CURRENT_USER\Software\QtProject\OrganizationDefaults
- HKEY_CURRENT_USER\Software\QtProject\
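Step 6
Run a virus scan using an antivirus product with the latest version (engine and pattern file) installed. Delete all files detected as "Ransom.Win32.SODINOKIBI.THGAAAI". If the detected files have already been cleaned, quarantined, or deleted by our antivirus product, the threat has been handled and no other removal steps are needed.
Step 7
Restore the desktop properties.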