Ransom.Win32.SODINOKIBI.THGAOAIA
Aliases: Trojan-Ransom.Sodinokibi (Ikarus)
Platform: Windows
Threat type:
Ransomware
Destructive:
No
Encrypted:
Yes
In the wild:
Yes
Overview
This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Technical Details
Arrival Details
This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This ransomware drops the following files:
- {encrypted folder}\{random characters}.lock -> marker for encrypted folders
- %User Temp%\{random characters}.bmp -> ransom wallpaper
- {encrypted folder}\{appended ransom extension}-readme.txt -> ransom note
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000 (32-bit), XP and Server 2003 (32-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit) and 10 (64-bit).)
It executes the following commands to inhibit recovery of the system:
- vssadmin.exe Delete Shadows /All /Quiet -> deletes shadow copies
- bcdedit /set {default} recoveryenabled No -> disables startup repair
- bcdedit /set {default} bootstatuspolicy ignoreallfailures -> disables windows error recovery
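The three commands above are the standard recovery-inhibition sequence run immediately before encryption, and they are a high-signal detection opportunity in process-creation telemetry. The following Python is an added example, not part of the original encyclopedia entry: it classifies command lines from constructed Sysmon Event ID 1-style records against the three commands listed, and reports hosts on which the complete sequence was observed. The record layout, host names and the parent process name dropped.exe are assumptions made for the example.

```python
"""Detect the recovery-inhibition commands this ransomware runs.

Added example, not from the original encyclopedia entry. Intended input is
process-creation telemetry (Sysmon Event ID 1, Windows Security 4688); the
records below are constructed and their field layout is an assumption.
"""
import re
from typing import Dict, Iterable, List

# One rule per command in the entry. Matching is case-insensitive and keys on
# the operation rather than the literal string, so a full path to the binary,
# extra whitespace or quoting does not evade it.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.IGNORECASE),
    "boot_failure_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\b\s+ignoreallfailures\b", re.IGNORECASE),
}

# Constructed process-creation records: two benign administrative commands on
# WS01 and the full ransomware sequence from a dropped binary on WS07.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2021-03-04T10:00:01Z", "host": "WS01", "parent": "cmd.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2021-03-04T10:00:05Z", "host": "WS01", "parent": "cmd.exe",
     "cmdline": "bcdedit /enum {default}"},
    {"ts": "2021-03-04T10:02:11Z", "host": "WS07", "parent": "dropped.exe",
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"ts": "2021-03-04T10:02:12Z", "host": "WS07", "parent": "dropped.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2021-03-04T10:02:12Z", "host": "WS07", "parent": "dropped.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
]


def classify_command(cmdline: str) -> List[str]:
    """Return the rule names the command line triggers (empty when benign)."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def triage_events(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that match at least one rule, with their tags attached."""
    hits: List[Dict[str, object]] = []
    for event in events:
        tags = classify_command(event["cmdline"])
        if tags:
            hits.append({**event, "tags": tags})
    return hits


def hosts_with_full_chain(hits: Iterable[Dict[str, object]]) -> List[str]:
    """Hosts on which all three commands were seen: treat as ransomware in progress.

    Any single hit already deserves a look; the full chain is the strongest signal.
    A production rule would also bound the three events to a short time window.
    """
    seen: Dict[str, set] = {}
    for hit in hits:
        seen.setdefault(str(hit["host"]), set()).update(hit["tags"])
    return sorted(host for host, tags in seen.items() if tags >= set(RULES))


if __name__ == "__main__":
    matched = triage_events(SAMPLE_EVENTS)
    for hit in matched:
        print(hit["ts"], hit["host"], hit["tags"], hit["cmdline"])
    print("full chain on:", hosts_with_full_chain(matched))
```

The rules key on the operation (Delete Shadows, recoveryenabled No, bootstatuspolicy ignoreallfailures) rather than the exact string, so the full path to vssadmin.exe or extra quoting does not evade them, while an administrator's `vssadmin list shadows` or `bcdedit /enum` is left alone.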
It creates the following mutex to ensure that only one instance of itself runs in memory:
- Global\D382D713-AA87-457D-DDD3-C3DDD8DFBC96
Other System Modifications
It adds the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\recfg
It adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\recfg
pk_key = {hex values}
HKEY_LOCAL_MACHINE\SOFTWARE\recfg
sk_key = {hex values}
HKEY_LOCAL_MACHINE\SOFTWARE\recfg
0_key = {hex values}
HKEY_LOCAL_MACHINE\SOFTWARE\recfg
rnd_ext = {appended ransom extension}
HKEY_LOCAL_MACHINE\SOFTWARE\recfg
stat = {hex values}
It sets the following image as the system's desktop wallpaper:
Process Termination
It terminates the following process if it is found running in the affected system's memory:
- mysql.exe
Information Theft
It gathers the following data:
- Computer name
- User name
- Workgroup
- Processor
- Operating System
- System Architecture
Data Exfiltration
It sends the gathered information via HTTP POST to URLs of the following form, where {domain}, {string 1}, {string 2} and {string 3} are chosen from the lists that follow:
- https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
- {domain}:
- {BLOCKED}1.{BLOCKED}n.ua
- {BLOCKED}stdelray.com
- {BLOCKED}s.com
- {BLOCKED}ndsight.info
- {BLOCKED}bs.com
- {BLOCKED}pt.com
- {BLOCKED}ors.com
- {BLOCKED}entuan.com
- {BLOCKED}r.com
- {BLOCKED}enartwalk.org
- {BLOCKED}ov.com
- {BLOCKED}uppe.ch
- {BLOCKED}rime.com
- {BLOCKED}abalhos.com
- {BLOCKED}emmobil.com.tr
- {BLOCKED}mputers.com
- {BLOCKED}shstudio.co.uk
- {BLOCKED}terroristwarningcompany.com
- {BLOCKED}consultingcompany.com
- {BLOCKED}le.org
- {BLOCKED}a.info
- {BLOCKED}ign.com
- {BLOCKED}um.com
- {BLOCKED}edeyecare.com
- {BLOCKED}ed-removals.co.uk
- {BLOCKED}e-refle.com
- {BLOCKED}a.com
- {BLOCKED}rejserallinclusive.dk
- {BLOCKED}emsehondenschool.be
- {BLOCKED}assemble.fr
- {BLOCKED}who-aixenprovence.fr
- {BLOCKED}twentytwenty.com
- {BLOCKED}collectivites.com
- {BLOCKED}rm.dk
- {BLOCKED}rismocastagneto.it
- {BLOCKED}oftladders.co.uk
- {BLOCKED}ge.com
- {BLOCKED}ublishing.co.uk
- {BLOCKED}viceunlimited.com
- {BLOCKED}ourbarrier.com
- {BLOCKED}gofis.com
- {BLOCKED}riskcenter.se
- {BLOCKED}-safaris.com
- {BLOCKED}aroofingllc.com
- {BLOCKED}remote.com
- {BLOCKED}kniksipil.com
- {BLOCKED}aner.fr
- {BLOCKED}e.com
- {BLOCKED}e.co
- {BLOCKED}nzel.de
- {BLOCKED}unindo.com
- {BLOCKED}entalcare.com
- {BLOCKED}necampaign.com
- {BLOCKED}srassismus-entknoten.de
- {BLOCKED}dwifery.com
- {BLOCKED}us.com
- {BLOCKED}berie.com
- {BLOCKED}deboise.com
- {BLOCKED}ntatto.net
- {BLOCKED}dc.com
- {BLOCKED}o.net.au
- {BLOCKED}lecompte.wordpress.com
- {BLOCKED}llezaysalud.com
- {BLOCKED}zac.com
- {BLOCKED}or.com
- {BLOCKED}attswisswatches.ch
- {BLOCKED}luchesi.it
- {BLOCKED}skildegaard.dk
- {BLOCKED}yezstripclub.com
- {BLOCKED}ka-schwarz.com
- {BLOCKED}mirrorus.com
- {BLOCKED}food-online.de
- {BLOCKED}ion-pro.co.uk
- {BLOCKED}sregisteret.no
- {BLOCKED}mus.com
- {BLOCKED}a.it
- {BLOCKED}cademy.it
- {BLOCKED}a.ac
- {BLOCKED}sta.de
- {BLOCKED}erpension.com
- {BLOCKED}conseils.fr
- {BLOCKED}eck.co.za
- {BLOCKED}nmice.com
- {BLOCKED}i.eus
- {BLOCKED}gcleaningnyc.com
- {BLOCKED}e.pl
- {BLOCKED}apitalforvaltning.dk
- {BLOCKED}k.nl
- {BLOCKED}tgallery.jp
- {BLOCKED}ffing.com
- {BLOCKED}g.fr
- {BLOCKED}raphic.com
- {BLOCKED}rkomon.com
- {BLOCKED}a.nl
- {BLOCKED}up.it
- {BLOCKED}ves-sur-vareze.fr
- {BLOCKED}praxisklinik-rostock.de
- {BLOCKED}pel.ro
- {BLOCKED}amlast.de
- avis.{BLOCKED}a.it
- {BLOCKED}ninthedesert.com
- {BLOCKED}ss163.ru:443
- {BLOCKED}log.de
- {BLOCKED}hauri.com
- {BLOCKED}pain.com
- {BLOCKED}love.org:443
- {BLOCKED}spiritualtamara.com
- {BLOCKED}ycanas.com
- {BLOCKED}s.com
- {BLOCKED}erwork.eu
- {BLOCKED}b.ch
- {BLOCKED}tting-hk.helpergo.co
- {BLOCKED}lics.in
- {BLOCKED}flot.ru
- {BLOCKED}a.ac
- {BLOCKED}a.sk
- {BLOCKED}ismyyoga.com
- {BLOCKED}rl.co.za
- {BLOCKED}mbak.com
- {BLOCKED}tdistinctives.org
- {BLOCKED}amcfadyenjewelry.com
- {BLOCKED}entistry.com
- {BLOCKED}nancialservices.com
- {BLOCKED}ienden.nl
- {BLOCKED}reelite.com
- {BLOCKED}toirs.org
- {BLOCKED}s.info
- {BLOCKED}y.com
- {BLOCKED}ivingschool.com.au
- {BLOCKED}-traveller.com
- {BLOCKED}a.af
- {BLOCKED}iniacademy.org
- {BLOCKED}oripa.be
- {BLOCKED}iz.com
- {BLOCKED}-partner.de
- {BLOCKED}llp.com
- {BLOCKED}tter.nl
- {BLOCKED}edical.de
- {BLOCKED}ce.com
- bg.{BLOCKED}in.pl
- {BLOCKED}a.com
- {BLOCKED}uck.de
- {BLOCKED}s.dk
- {BLOCKED}eflybilletter.dk
- {BLOCKED}ars.net
- {BLOCKED}art.com
- {BLOCKED}tify.ai
- {BLOCKED}lacemag.com
- {BLOCKED}anvulpen.nl
- {BLOCKED}t.fr
- {BLOCKED}optic.com
- {BLOCKED}p.com
- {BLOCKED}kevision.com
- {BLOCKED}rinefoundation.com
- {BLOCKED}dgeheritage.com
- {BLOCKED}nreich-brilon.de
- {BLOCKED}pure-impulse.com
- {BLOCKED}50ans.com
- {BLOCKED}ndchallenger.com
- {BLOCKED}chversicherung.info
- {BLOCKED}a.de
- {BLOCKED}beachassociation.com
- {BLOCKED}gwheel.com
- {BLOCKED}slivinglively.com
- {BLOCKED}ier.org
- {BLOCKED}endsgoal.site
- {BLOCKED}ornfastigheter.se
- {BLOCKED}-immobilien.de
- {BLOCKED}uckrecords.com
- {BLOCKED}ebettertolivebetter.com
- {BLOCKED}cave.com
- {BLOCKED}hillgroup.com
- {BLOCKED}ehope.org
- {BLOCKED}oepke.eu
- {BLOCKED}neosteopathic.com.au
- {BLOCKED}lisoep.nl
- {BLOCKED}woodblog.com
- {BLOCKED}mmobilier.com
- {BLOCKED}t.online
- {BLOCKED}ucious.com
- {BLOCKED}enter-butzbach-werbemittel.de
- {BLOCKED}ddyblog.com
- {BLOCKED}nnikitav.000webhostapp.com
- {BLOCKED}deco.site
- {BLOCKED}n.com
- {BLOCKED}itare.com
- {BLOCKED}elem.de
- {BLOCKED}ss-basic.de
- {BLOCKED}akers.com
- {BLOCKED}o.pl
- {BLOCKED}0.com
- {BLOCKED}w-okc.com
- {BLOCKED}glaforetdetesse.com
- {BLOCKED}ce.com
- {BLOCKED}escalade.com
- {BLOCKED}10.it
- {BLOCKED}ndloyalty.com
- {BLOCKED}-york.com
- {BLOCKED}nfriedlander.com
- {BLOCKED}n.sparen-it.de
- {BLOCKED}arosa33.it
- {BLOCKED}depositors.com
- {BLOCKED}seurdetransformation.com
- {BLOCKED}p-mag.com
- {BLOCKED}ng.com
- {BLOCKED}erts.de
- {BLOCKED}ec.com
- {BLOCKED}yvisionglobal.com
- {BLOCKED}ters.com
- {BLOCKED}019.com
- {BLOCKED}fhopeeurope.eu
- {BLOCKED}sfrancis.photos
- {BLOCKED}ttelhanna.com
- {BLOCKED}rlin.de
- {BLOCKED}rchatterchatter.com
- {BLOCKED}arehousespace.com
- {BLOCKED}sy.net
- {BLOCKED}consulting.net
- {BLOCKED}anne.com
- {BLOCKED}ianscholz.de
- {BLOCKED}opherhannan.com
- {BLOCKED}rance.fr
- {BLOCKED}natiphotocompany.org
- {BLOCKED}citydj.com
- {BLOCKED}t-diagramz.com
- {BLOCKED}apes-art.com
- {BLOCKED}gslife.com
- {BLOCKED}epamblog.com
- {BLOCKED}akilian.de
- {BLOCKED}oomequipment.ie
- {BLOCKED}foto.dk
- {BLOCKED}-beethovenstrasse-ag.ch
- {BLOCKED}d.com
- {BLOCKED}w.com
- {BLOCKED}reneuracademy.com
- {BLOCKED}etennis.info
- {BLOCKED}d-shelves.com
- {BLOCKED}rescritor.com
- {BLOCKED}er-place.de
- {BLOCKED}tactodirecto.com
- {BLOCKED}mobile.fr
- {BLOCKED}n.nl
- {BLOCKED}auses.org
- {BLOCKED}marketing.com
- {BLOCKED}acionrr.com
- {BLOCKED}-avenue.co.il
- {BLOCKED}p.de
- {BLOCKED}ngalegacy.com
- {BLOCKED}on.com
- {BLOCKED}tone.co.nz
- {BLOCKED}n.de
- {BLOCKED}ood.com
- {BLOCKED}loons.com
- {BLOCKED}p.com
- {BLOCKED}ediation.org
- {BLOCKED}c.org
- {BLOCKED}iscountguns.com
- {BLOCKED}roasts.com
- {BLOCKED}any.com
- {BLOCKED}romote.de
- {BLOCKED}u.futbol
- {BLOCKED}ranch.com
- {BLOCKED}i.be
- {BLOCKED}visphotos.com
- {BLOCKED}townhouse.com
- {BLOCKED}e-styling.nl
- {BLOCKED}u.com
- {BLOCKED}n.com
- {BLOCKED}ia.fi
- {BLOCKED}tionhub.com
- {BLOCKED}gfoodie.nl
- {BLOCKED}verschuur.com
- {BLOCKED}circle.com
- {BLOCKED}labor-luenen.de
- {BLOCKED}rage.com
- {BLOCKED}wynkoopdentist.com
- {BLOCKED}empelking.de
- {BLOCKED}gandoprogramas.com
- {BLOCKED}image.ae
- {BLOCKED}s.be
- {BLOCKED}s.de
- {BLOCKED}an.ru
- {BLOCKED}ie-weitramsdorf-sesslach.de
- {BLOCKED}i.store
- {BLOCKED}niversiteit.nl
- {BLOCKED}mo-agentur.de
- {BLOCKED}ambulancealkmaar.nl
- {BLOCKED}le-elite.de
- {BLOCKED}rp.com
- {BLOCKED}inkdetroit.com
- {BLOCKED}ique.com
- {BLOCKED}apernambuco.com
- {BLOCKED}fresh.com
- {BLOCKED}iestas.com.es
- {BLOCKED}a.com
- {BLOCKED}a.co.uk
- {BLOCKED}foundation.org
- {BLOCKED}limitedguide.com
- {BLOCKED}e-des-pothiers.com
- {BLOCKED}vefurniture.com
- {BLOCKED}guides.eu
- {BLOCKED}eniste.com
- {BLOCKED}nhweeks.com
- {BLOCKED}oiceclub.org
- {BLOCKED}onpediatrics.com
- {BLOCKED}makersheerenveen.nl
- {BLOCKED}a.de
- {BLOCKED}p.com
- {BLOCKED}er.nl
- {BLOCKED}x.pro
- {BLOCKED}insteadwingchun.com
- {BLOCKED}ntal.ae
- {BLOCKED}eges.com
- {BLOCKED}e.co
- {BLOCKED}ennedymacfoy.com
- {BLOCKED}ors.org
- {BLOCKED}encyconsulting.es
- {BLOCKED}u.fr
- {BLOCKED}danismanlik.com
- {BLOCKED}icianul.com
- {BLOCKED}x.is
- {BLOCKED}ramika-shop.com.ua
- {BLOCKED}accreative.wordpress.com
- {BLOCKED}snhlstenden.com
- {BLOCKED}ter-p.net
- {BLOCKED}ter-p.net
- {BLOCKED}srealms.net
- {BLOCKED}rvation.com
- {BLOCKED}sbit-rp.ru
- {BLOCKED}qca.com
- {BLOCKED}tor-durban.com
- {BLOCKED}sk.com
- {BLOCKED}rlogerie.com
- {BLOCKED}panart.com
- {BLOCKED}riversforwindows.com
- {BLOCKED}p.design
- {BLOCKED}opolitica.com
- {BLOCKED}z.de
- {BLOCKED}icsport.eu
- {BLOCKED}svirtualesexitosos.com
- {BLOCKED}hacademy.org
- {BLOCKED}a.nl
- {BLOCKED}mes.com
- {BLOCKED}tordallas.com
- {BLOCKED}iareloj.com
- {BLOCKED}ywizuk.com
- {BLOCKED}n.ru
- {BLOCKED}i.com.au
- {BLOCKED}nline.com
- {BLOCKED}star.co
- {BLOCKED}zine.ru
- {BLOCKED}tytitleoregon.com
- {BLOCKED}titutionalfunds.com
- {BLOCKED}go.eu
- {BLOCKED}ome.co.uk
- {BLOCKED}pace.com
- {BLOCKED}sblenderstory.com
- {BLOCKED}epair.com
- {BLOCKED}a.se
- {BLOCKED}oordental.com
- {BLOCKED}ingsun.org
- {BLOCKED}uzrewards.com
- {BLOCKED}ontur.com
- {BLOCKED}rverein-vatterschule.de
- {BLOCKED}imes.ru
- {BLOCKED}linslimeffect.net
- {BLOCKED}ittard.nl
- {BLOCKED}itores.com
- {BLOCKED}ubna.com
- {BLOCKED}ays.com
- {BLOCKED}yballs.com
- {BLOCKED}hift.it
- {BLOCKED}oll.com
- {BLOCKED}ids.com
- {BLOCKED}-international.es
- {BLOCKED}pro.com
- {BLOCKED}sale.com
- {BLOCKED}lmar.se
- {BLOCKED}dia.com
- {BLOCKED}x.de
- {BLOCKED}d.ru
- {BLOCKED}networking.com
- {BLOCKED}herapierijnmond.nl
- {BLOCKED}ainc.com
- {BLOCKED}yals.com
- {BLOCKED}uklaw.com
- {BLOCKED}e-couture.com
- {BLOCKED}partner.pl
- {BLOCKED}burgcottage.com
- {BLOCKED}asters.com
- {BLOCKED}e-du-web.com
- {BLOCKED}1.de
- {BLOCKED}iatonaggelon.gr
- {BLOCKED}muncey.com
- {BLOCKED}b.software
- {BLOCKED}h.ae
- {BLOCKED}uck.de
- {BLOCKED}-pflanzenparadies.de
- {BLOCKED}erschueren.be
- {BLOCKED}compliancenews.com
- {BLOCKED}-migrate.com
- {BLOCKED}skills.pt
- go.{BLOCKED}ni.ch
- {BLOCKED}dleadership.org
- {BLOCKED}nger-teppichreinigung.de
- {BLOCKED}ublandgoednieuwkerk.nl
- {BLOCKED}yscustom.com
- {BLOCKED}rbalhealth.com
- {BLOCKED}deep.com
- {BLOCKED}studio-visuell.de
- {BLOCKED}nariaregional.com
- {BLOCKED}cafeblog.wordpress.com
- {BLOCKED}eenbiomedservices.com
- {BLOCKED}fficespaces.net
- {BLOCKED}yetattoo.com
- {BLOCKED}ider.nl
- {BLOCKED}dealers.ru
- {BLOCKED}xin10.com
- {BLOCKED}retecoatings.com
- {BLOCKED}b.fr
- {BLOCKED}d.com
- {BLOCKED}chnologies.net
- {BLOCKED}totaal.nl
- {BLOCKED}lim.com
- {BLOCKED}an-silkeborg.dk
- {BLOCKED}atering.de
- {BLOCKED}ublog.wordpress.com
- {BLOCKED}streetspineclinic.com
- {BLOCKED}urniture.com
- {BLOCKED}andliebe.de
- {BLOCKED}steelbuilding.com
- {BLOCKED}rnsretirement.co.uk
- {BLOCKED}lbygg.no
- {BLOCKED}m.com
- {BLOCKED}ymarketing.com
- {BLOCKED}opping.com
- {BLOCKED}land-oaze.nl
- {BLOCKED}see-buhne11.de
- {BLOCKED}uckwreckers.com.au
- {BLOCKED}m.com
- {BLOCKED}s.com
- {BLOCKED}ne.de
- {BLOCKED}isor.dk
- {BLOCKED}alitytrainingsolutions.co.uk
- {BLOCKED}etdelsindians.es
- {BLOCKED}tay.com
- {BLOCKED}gbangladesh.net
- {BLOCKED}antra.com
- {BLOCKED}urbo.de
- {BLOCKED}aneselesbian.com
- {BLOCKED}ofwa.com
- {BLOCKED}iruses.org
- {BLOCKED}anitas.dk
- {BLOCKED}tyle.co.uk
- {BLOCKED}ldt.dk
- {BLOCKED}nforensic.com
- {BLOCKED}hnologies.net
- {BLOCKED}de.com
- {BLOCKED}t99.com
- {BLOCKED}beton.nl
- {BLOCKED}us.com
- {BLOCKED}god.be
- {BLOCKED}ullcircle.com
- {BLOCKED}istoria.com
- {BLOCKED}e-entertainment.com
- {BLOCKED}ekithomes.co.nz
- {BLOCKED}ku-sozoku.com
- {BLOCKED}izadvocates.org
- {BLOCKED}tar.com
- {BLOCKED}osextras.online
- {BLOCKED}nf.com
- {BLOCKED}urrection.com
- {BLOCKED}isions-id.com
- {BLOCKED}tiongames-brabant.nl
- {BLOCKED}tiongames-brabant.nl
- {BLOCKED}e.agency
- {BLOCKED}inkone.com
- {BLOCKED}alresults.com
- {BLOCKED}estdigital.com
- {BLOCKED}a.dk
- {BLOCKED}r.com
- {BLOCKED}ine.ru
- {BLOCKED}idigitali.com
- {BLOCKED}es.dk
- {BLOCKED}cu.com
- {BLOCKED}ekzema.nl
- {BLOCKED}sgarcianoto.com
- {BLOCKED}g.me
- {BLOCKED}ybak.com
- {BLOCKED}uu.net
- {BLOCKED}illiamspainting.com
- {BLOCKED}okus.com
- {BLOCKED}est.com
- {BLOCKED}rardon.com
- {BLOCKED}genstern.com
- {BLOCKED}terim-and-projectmanagement.com
- {BLOCKED}ter.com
- {BLOCKED}nti.com
- {BLOCKED}onalessandro.com
- {BLOCKED}sultancy.com
- {BLOCKED}ttmediations.com
- {BLOCKED}hisme.fr
- {BLOCKED}onbooks.com
- {BLOCKED}inezilustrador.com
- {BLOCKED}i.com.ng
- {BLOCKED}re.com
- {BLOCKED}moveamerica.org
- {BLOCKED}en.com
- {BLOCKED}nweekly.com
- {BLOCKED}onmingmanning.com
- {BLOCKED}y.hu
- {BLOCKED}ooley.com
- {BLOCKED}nblaetz.de
- {BLOCKED}usktherapy.com
- {BLOCKED}oundthecornerpetsit.com
- {BLOCKED}are.com
- {BLOCKED}somnium.de
- {BLOCKED}njames.com
- {BLOCKED}iterviertel.com
- {BLOCKED}ndonesia.com
- {BLOCKED}inealy.com
- {BLOCKED}te.com
- {BLOCKED}h.com
- {BLOCKED}gatton.com
- {BLOCKED}ordon.com
- {BLOCKED}n.fr
- {BLOCKED}allum.com
- {BLOCKED}allum.com
- {BLOCKED}iedjeszingen.nl
- {BLOCKED}alprep.academy
- {BLOCKED}-prijs.nl
- {BLOCKED}rdjournal.com
- {BLOCKED}x.com
- {BLOCKED}tickets.com
- {BLOCKED}beaute-nani.com
- {BLOCKED}vent.ru
- {BLOCKED}dress.com
- {BLOCKED}sory-opravy.com
- {BLOCKED}t-m.ru
- {BLOCKED}o.com
- {BLOCKED}-vochtbestrijding.be
- {BLOCKED}abrawijaya.com
- {BLOCKED}anboennelykke.dk
- {BLOCKED}old-sjaelland.dk
- {BLOCKED}rsnapsen.dk
- {BLOCKED}s72.com
- {BLOCKED}o.pro
- {BLOCKED}ichalovce.sk
- {BLOCKED}f.de
- {BLOCKED}i.ru
- {BLOCKED}erplakky.nl
- {BLOCKED}ools.ng
- {BLOCKED}edspica.nl
- {BLOCKED}iasafaris.com
- {BLOCKED}oodmarketing.com
- {BLOCKED}dbrowenvy.com
- {BLOCKED}rm.com
- {BLOCKED}eacrepes-meaux.fr
- {BLOCKED}vor.com
- {BLOCKED}withleslie.com
- {BLOCKED}alentine.com
- {BLOCKED}rensics.com
- {BLOCKED}premegarcinia.net
- {BLOCKED}rjees.com
- {BLOCKED}can.com
- {BLOCKED}schiess.de
- {BLOCKED}rom.com
- {BLOCKED}blanc.gr
- {BLOCKED}dineroux.com
- {BLOCKED}xbleus.net
- {BLOCKED}opsmoking.co.uk
- {BLOCKED}scan.de
- {BLOCKED}even.be
- {BLOCKED}ovka.ru
- {BLOCKED}d.com
- {BLOCKED}es.com
- {BLOCKED}ed-public-adjuster.com
- {BLOCKED}ingsnytt.nu
- {BLOCKED}tgrafikweb.at
- {BLOCKED}breaths.com
- {BLOCKED}telyouth.com
- {BLOCKED}ie.com
- {BLOCKED}ete.com
- {BLOCKED}x.co.uk
- {BLOCKED}ilding.life
- {BLOCKED}oncon.fr
- {BLOCKED}saints.academy
- {BLOCKED}veloper.com
- {BLOCKED}i.com
- {BLOCKED}oolabudhabi.ae
- {BLOCKED}urheartout.co
- {BLOCKED}t.sk
- {BLOCKED}rn.co.uk
- {BLOCKED}ndustries.com
- {BLOCKED}hiro.com
- {BLOCKED}k.academy
- {BLOCKED}dseen.com
- {BLOCKED}ille.se
- {BLOCKED}ager.com
- {BLOCKED}e.com
- {BLOCKED}uchia.com
- {BLOCKED}bryan.com
- {BLOCKED}upe.com
- {BLOCKED}l.it
- {BLOCKED}o.academy
- {BLOCKED}no.com
- {BLOCKED}c.com
- {BLOCKED}burger.fr
- {BLOCKED}lduniya.com
- {BLOCKED}h.fr
- {BLOCKED}mputer-support-hamburg.de
- {BLOCKED}visual.com
- {BLOCKED}ya.net
- {BLOCKED}chen.com
- {BLOCKED}millionaires.net
- {BLOCKED}nnye.ru
- {BLOCKED}attalar.com
- {BLOCKED}nedesigns.com
- {BLOCKED}irossana.it
- {BLOCKED}l.tn
- {BLOCKED}dy.com
- {BLOCKED}etmcshane.com
- {BLOCKED}osediazdemera.com
- {BLOCKED}almahdi.com
- {BLOCKED}nelemenestrel.com
- {BLOCKED}ymourphotography.co.uk
- {BLOCKED}abasin.com
- {BLOCKED}-frets-ceramics.nl
- {BLOCKED}ipstudios.com
- {BLOCKED}rbnb.wordpress.com
- {BLOCKED}logicos.com
- {BLOCKED}ruzzaofficial.com
- {BLOCKED}eupetel.fr
- {BLOCKED}e24.com.ua
- {BLOCKED}gulka.ru
- {BLOCKED}t.dk
- {BLOCKED}opi.com.br
- {BLOCKED}inghomes.com
- {BLOCKED}olmong.com
- {BLOCKED}ub.co.nz
- {BLOCKED}lsupportco.com
- {BLOCKED}iro.com.ar
- {BLOCKED}shealthandwellness.com
- {BLOCKED}etgesigte.co.za
- {BLOCKED}odelrio.com
- {BLOCKED}ongeren.nl
- {BLOCKED}bau-hartmann.eu
- {BLOCKED}fe.ca
- {BLOCKED}lica.academy
- {BLOCKED}on.ru
- {BLOCKED}ta.com
- {BLOCKED}lfiegel.com
- {BLOCKED}-s.co.il
- {BLOCKED}tschool.org
- {BLOCKED}hopping.it
- mike.{BLOCKED}es.de
- {BLOCKED}odfellow.co.uk
- {BLOCKED}uscle.nl
- {BLOCKED}elers.com
- {BLOCKED}arkescape.com
- {BLOCKED}rksomhed.dk
- {BLOCKED}o.it
- {BLOCKED}k.digital
- {BLOCKED}i.ru
- {BLOCKED}fil.com
- {BLOCKED}ristescu.com
- {BLOCKED}e.nl
- {BLOCKED}m.pt
- {BLOCKED}ccarthydesign.com
- {BLOCKED}andscapes.com
- {BLOCKED}rrsoccer.com
- {BLOCKED}sconsult.com
- {BLOCKED}osshideout.com
- {BLOCKED}ossplace.co.uk
- {BLOCKED}r.nl
- {BLOCKED}tz.com
- {BLOCKED}c.com
- {BLOCKED}p.org
- {BLOCKED}r.nl
- {BLOCKED}pieces-auto.fr
- {BLOCKED}i.pe
- {BLOCKED}l.de
- {BLOCKED}gmarketinggroup.com
- {BLOCKED}eam.com
- {BLOCKED}win3.com
- {BLOCKED}smali.net
- {BLOCKED}t-pismo-gubernatoru.ru:443
- {BLOCKED}a.net
- {BLOCKED}newsroom.com
- {BLOCKED}estaurante.com.br
- {BLOCKED}p.ru
- {BLOCKED}marine.dk
- {BLOCKED}a.co.uk
- {BLOCKED}c.ca
- {BLOCKED}n.nl
- {BLOCKED}amedispa.com
- {BLOCKED}i.be
- {BLOCKED}pictures.com
- {BLOCKED}surecleaning.com
- {BLOCKED}ltere.fr
- {BLOCKED}ruralhousingstudies.org
- {BLOCKED}stop.com
- {BLOCKED}gefinancial.com
- {BLOCKED}x.com
- {BLOCKED}ock.com
- {BLOCKED}indeklas.be
- {BLOCKED}i.com
- {BLOCKED}edia.de
- {BLOCKED}a.com.ua
- {BLOCKED}la.com
- {BLOCKED}ue.com
- {BLOCKED}filoxenia.gr
- {BLOCKED}s.com
- {BLOCKED}ell.com.sg
- {BLOCKED}nsigns.com
- {BLOCKED}g.org
- {BLOCKED}rehospital.dk
- {BLOCKED}ademy.com
- {BLOCKED}0.dk
- {BLOCKED}log.com
- {BLOCKED}siness.com
- {BLOCKED}loisons.fr
- {BLOCKED}arbella.com
- {BLOCKED}demy.com
- {BLOCKED}ot.com
- {BLOCKED}ergyinternational.com
- {BLOCKED}marketingsurgery.co.uk
- {BLOCKED}tvgroup.com
- {BLOCKED}ivadigital.com
- {BLOCKED}webdesign.com
- {BLOCKED}i.com
- {BLOCKED}hubertruiz.com
- {BLOCKED}s.com
- {BLOCKED}b.net
- {BLOCKED}dbrickwork.com
- {BLOCKED}o.ae
- {BLOCKED}unity.de
- {BLOCKED}n.ro
- {BLOCKED}karuva.com
- {BLOCKED}k.zp.ua
- {BLOCKED}ndingminialbums.com
- {BLOCKED}ntity.com
- {BLOCKED}e.com
- {BLOCKED}entraal.nl
- {BLOCKED}s.fr
- {BLOCKED}a.gr
- {BLOCKED}ophilippines.com
- {BLOCKED}haus-erfurt.de
- {BLOCKED}s.ru
- {BLOCKED}natblago.ru
- {BLOCKED}apod.com
- {BLOCKED}gmlandscape.com
- {BLOCKED}sandkids.com
- {BLOCKED}chool.ru
- {BLOCKED}deseniorliving.net
- {BLOCKED}ort.com
- {BLOCKED}ociation.com
- {BLOCKED}tcleaning.net
- {BLOCKED}aint-flour.fr
- {BLOCKED}por.org.tr
- {BLOCKED}son.com
- {BLOCKED}gibadan.co.id
- {BLOCKED}uhrambutkeiskei.com
- {BLOCKED}greenfarmcatering.com.au
- {BLOCKED}tdecor.com
- {BLOCKED}tgrin.com
- {BLOCKED}ko-group.com
- {BLOCKED}xcrane.com
- {BLOCKED}raphycreativity.co.uk
- {BLOCKED}ag.com
- {BLOCKED}nbepthanhdat.com
- {BLOCKED}-lang.de
- {BLOCKED}r.com
- {BLOCKED}reen.com
- {BLOCKED}ayvideoawards.com
- {BLOCKED}look.com
- {BLOCKED}re.co
- {BLOCKED}ealth.net
- {BLOCKED}monticello.com
- {BLOCKED}urance.com
- {BLOCKED}for-the-soul.ch
- {BLOCKED}nturkiye.com
- {BLOCKED}ne.com
- {BLOCKED}bretagne.bzh
- {BLOCKED}hell.su
- {BLOCKED}etemp.com
- {BLOCKED}r-iowa.com
- {BLOCKED}mweb.com.ua:443
- {BLOCKED}e.live
- {BLOCKED}arineengineering.com
- {BLOCKED}talblue.com
- {BLOCKED}tion-stills.co.uk
- {BLOCKED}sionetata.com
- {BLOCKED}eplo.com
- {BLOCKED}ersan.com
- {BLOCKED}z.com
- {BLOCKED}mer.pl
- {BLOCKED}tparkiet.pl
- {BLOCKED}eyagro.com.ua
- {BLOCKED}s.ca
- {BLOCKED}lay.ca
- {BLOCKED}n.com
- {BLOCKED}ompserver.de
- {BLOCKED}ements.nl
- {BLOCKED}eprod4.com
- {BLOCKED}-reinigen.com
- {BLOCKED}mbv.nl
- {BLOCKED}l.it
- {BLOCKED}usiccenter.com
- {BLOCKED}ternational.com
- {BLOCKED}ube.net
- {BLOCKED}corting.com
- {BLOCKED}ach.com
- {BLOCKED}etsenblog.nl
- {BLOCKED}allgood.com
- {BLOCKED}ightmusic.com
- {BLOCKED}zprono.com
- {BLOCKED}brown.com
- {BLOCKED}kloan.org
- {BLOCKED}ods.ro
- {BLOCKED}warehouse.co.uk
- {BLOCKED}-webzine.nl
- {BLOCKED}nplicht.be
- {BLOCKED}i.co
- {BLOCKED}blephotography.com
- {BLOCKED}metkinderen.be
- {BLOCKED}ntonline.eu
- {BLOCKED}e.kz
- {BLOCKED}box.ch
- {BLOCKED}rtman.nl
- {BLOCKED}gwell.com
- {BLOCKED}ortsequip.com
- {BLOCKED}tion-medical.online
- {BLOCKED}up.pt
- {BLOCKED}storage.co.uk
- {BLOCKED}turf.com
- {BLOCKED}div.com
- {BLOCKED}dkershawwines.co.za
- {BLOCKED}dmaybury.co.uk
- {BLOCKED}mattgarage.ch
- {BLOCKED}mbh.com
- {BLOCKED}angoly.com
- {BLOCKED}usic.nl
- {BLOCKED}katjaya.com
- {BLOCKED}talk.com
- {BLOCKED}pollee.com
- {BLOCKED}hendriks.nl
- {BLOCKED}yn.com
- {BLOCKED}attonecase.it
- {BLOCKED}a.com
- {BLOCKED}mark.dk
- {BLOCKED}igns.com
- {BLOCKED}4.com
- {BLOCKED}diology.com
- {BLOCKED}tar.ch
- {BLOCKED}tar.ch
- {BLOCKED}e.com
- {BLOCKED}oncrete.com
- {BLOCKED}xtel.uk
- {BLOCKED}nchiuk.com
- {BLOCKED}malo-developpement.fr
- {BLOCKED}amar.nl
- {BLOCKED}low.com
- {BLOCKED}toy.store
- {BLOCKED}pics.co.uk
- {BLOCKED}og.org
- {BLOCKED}iznes.com
- {BLOCKED}t.ag
- {BLOCKED}dlair.com
- {BLOCKED}bohrmaschinetests.com
- {BLOCKED}sseldienste-hannover.de
- {BLOCKED}rquotes.com
- {BLOCKED}derschoembs.com
- {BLOCKED}-moelln.de
- {BLOCKED}ch.academy
- {BLOCKED}ndsroute66.co.uk
- {BLOCKED}inderpt.com
- {BLOCKED}s-clubs.co.uk
- {BLOCKED}ed-minds.de
- {BLOCKED}ewrightway.com
- {BLOCKED}albrightdds.com
- {BLOCKED}alemap.com
- {BLOCKED}sspices.com
- {BLOCKED}ingplanet.com
- {BLOCKED}edia.de
- {BLOCKED}edenroth.dk
- {BLOCKED}ght.com
- {BLOCKED}bird.dk
- {BLOCKED}itsolutions.ch
- {BLOCKED}tonfinancial.com
- site.{BLOCKED}t.com.br
- {BLOCKED}o.org
- {BLOCKED}ping.de
- {BLOCKED}eper.li
- {BLOCKED}nski.eu
- {BLOCKED}rome.eu
- {BLOCKED}i.fi
- {BLOCKED}ndnutrition.co.uk
- {BLOCKED}nner.ro
- {BLOCKED}vents.be
- {BLOCKED}makerszwijndrecht.nl
- {BLOCKED}inner.com
- {BLOCKED}rcashsystem.com
- {BLOCKED}ind.net
- {BLOCKED}peak.com
- {BLOCKED}ourism.academy
- {BLOCKED}orkplaza.com
- {BLOCKED}okna23.ru
- {BLOCKED}osting.nl
- {BLOCKED}brerie.it
- {BLOCKED}onshosting.co.uk
- {BLOCKED}i.ch
- {BLOCKED}e.fr
- {BLOCKED}eeing.net
- {BLOCKED}el.be
- {BLOCKED}movers.com
- {BLOCKED}udible.com
- {BLOCKED}ltyhomeservicesllc.com
- {BLOCKED}marketingdigital.com.br
- {BLOCKED}rei-hannover.de
- {BLOCKED}lo.nl
- {BLOCKED}ats.com
- {BLOCKED}fieldplumbermo.com
- {BLOCKED}coach.com
- {BLOCKED}e.com
- {BLOCKED}isateur.fr
- {BLOCKED}xinc.com
- {BLOCKED}infirmier.fr
- {BLOCKED}yqualitysystems.com
- {BLOCKED}plive.org
- {BLOCKED}oulis.gr
- {BLOCKED}-n-bitch.com
- {BLOCKED}idgemontessori.com
- {BLOCKED}und-ansichten.de
- {BLOCKED}hs-wanderlust.info
- {BLOCKED}reliefadvice.com
- {BLOCKED}nosis.academy
- {BLOCKED}numerik.fr
- {BLOCKED}rcy.fr
- {BLOCKED}d.com
- {BLOCKED}scolony.com.ng
- {BLOCKED}artemis.gr
- {BLOCKED}utions.es
- {BLOCKED}joen.fi
- {BLOCKED}arhire.co.uk
- {BLOCKED}lberg.de
- {BLOCKED}z.fr
- {BLOCKED}-made.com
- {BLOCKED}regreenapts.com
- {BLOCKED}evries.com
- {BLOCKED}hers.com
- {BLOCKED}geldvergleich.de
- {BLOCKED}k.com
- {BLOCKED}irginia.com
- {BLOCKED}akopieva.ru
- {BLOCKED}kartano.fi
- {BLOCKED}p.co.uk
- {BLOCKED}ia-conseil.fr
- {BLOCKED}geln.ch
- {BLOCKED}ash.com
- {BLOCKED}dos.com
- {BLOCKED}nadaydentalimplants.com
- {BLOCKED}ebell.website
- {BLOCKED}lair.de
- {BLOCKED}tonarim.com
- {BLOCKED}javertailut.net
- {BLOCKED}eleachat.fr
- {BLOCKED}ble.pl
- {BLOCKED}adio.de
- {BLOCKED}can.org
- {BLOCKED}eek-diet.net
- {BLOCKED}question.com
- {BLOCKED}r-lueneburg.de
- {BLOCKED}e-embellie.fr
- {BLOCKED}auty-guides.com
- {BLOCKED}rdroomafrica.com
- {BLOCKED}pboard.co.uk
- {BLOCKED}awaycollective.com
- {BLOCKED}nningmanmusical.com
- {BLOCKED}ecounsellingpractice.co.uk
- {BLOCKED}ellect.edu.pk
- {BLOCKED}pa.com
- {BLOCKED}elfairy.com
- {BLOCKED}ybusinessacademy.com
- {BLOCKED}kroadny.com
- {BLOCKED}dio.academy
- {BLOCKED}perez.com
- {BLOCKED}ettyhair.com
- {BLOCKED}echic.com
- {BLOCKED}eke.de
- {BLOCKED}oinsurers.net
- {BLOCKED}esti.net
- {BLOCKED}tuition.org
- {BLOCKED}ackofthemoon.com
- {BLOCKED}oot.co
- {BLOCKED}avigator.ch
- {BLOCKED}umacademy.com
- {BLOCKED}are.com
- {BLOCKED}olhealth.com
- {BLOCKED}fer.fr
- {BLOCKED}vl.ru
- {BLOCKED}ete.com
- {BLOCKED}ttabordeaux.fr
- {BLOCKED}ttagaite.fr
- {BLOCKED}lsguide.dk
- {BLOCKED}g.academy
- {BLOCKED}cks.com
- {BLOCKED}kansenloket.nl
- {BLOCKED}n.nu
- {BLOCKED}ance.fr
- {BLOCKED}mag.com
- {BLOCKED}telifesource.com
- {BLOCKED}herapy.site
- {BLOCKED}oredhentaigif.com
- {BLOCKED}ored.gr
- {BLOCKED}w-narty.pl
- {BLOCKED}selle.fr
- {BLOCKED}acteur.fr
- {BLOCKED}t-voice.com
- {BLOCKED}o.fr
- {BLOCKED}4.online
- {BLOCKED}aard.dk
- {BLOCKED}nessa.com
- {BLOCKED}wingsdouche.nl
- {BLOCKED}victoria.com
- {BLOCKED}rental.ae
- {BLOCKED}aecoturismo.com.br
- {BLOCKED}mcosta.com
- {BLOCKED}lhoogeveen.nl
- {BLOCKED}biz.com
- {BLOCKED}a.plus
- {BLOCKED}o.com
- {BLOCKED}rray.com
- {BLOCKED}owersandrakes.com
- {BLOCKED}man.es
- {BLOCKED}erland.nl
- {BLOCKED}ale.biz
- {BLOCKED}5.com
- {BLOCKED}sites.com
- {BLOCKED}gceremonieswithtim.com
- {BLOCKED}customers.fr
- {BLOCKED}ugtrolley.net
- {BLOCKED}ligenstadt.de
- {BLOCKED}ngcrane.com
- {BLOCKED}dgo.hu
- {BLOCKED}ssenreden.com
- {BLOCKED}z.pl
- wordpress.{BLOCKED}m.no
- {BLOCKED}roskitour.com
- {BLOCKED}zil.com
- {BLOCKED}itute.org
- {BLOCKED}rest.net
- {BLOCKED}abehgab4ak0ddz.xn--p1ai
- {BLOCKED}addfr4ahr.dp.ua
- {BLOCKED}lligafrgpatroner-stb.se
- {BLOCKED}inoapte-6ld.ro
- {BLOCKED}urces.com
- {BLOCKED}fi.com
- {BLOCKED}a.ru
- {BLOCKED}nprimaunggul.org
- {BLOCKED}rysalonsoho.com:443
- {BLOCKED}chicken.ca
- {BLOCKED}smicbeing.com
- {BLOCKED}ppyevents.fr
- {BLOCKED}xtshoes.com
- {BLOCKED}enghotel.com
- {BLOCKED}in-aquarelles.fr
- {BLOCKED}ana.com
- {BLOCKED}eszczecin.pl
- {BLOCKED}n.ae
- {BLOCKED}k.com
- {BLOCKED}k.com
- {BLOCKED}k.com
- {BLOCKED}tar.com
- {BLOCKED}erderijravensbosch.nl
- {BLOCKED}h-umzug.ch
- {BLOCKED}kuyutemel.com
- {BLOCKED}ficial.nl
- {string 1}:
- wp-content
- include
- content
- uploads
- static
- admin
- data
- news
- {string 2}:
- images
- pictures
- image
- temp
- tmp
- graphic
- assets
- pics
- game
- {string 3}:
- jpg
- png
- gif
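The URL scheme above is what makes this family's beaconing recognisable in proxy logs: an HTTPS POST to a compromised third-party site, with a path of exactly three segments drawn from the small word lists and a random file name that ends in an image extension. The following Python is an added example, not from the original entry: it compiles the URL pattern from the string lists on this page and runs it over a constructed proxy log. The log format, client addresses and example.* domains are assumptions for illustration (the real {domain} list is the one above), and treating {random characters} as alphanumeric is also an assumption.

```python
"""Match this family's HTTP POST beacon URLs in proxy logs.

Added example, not from the original encyclopedia entry. The word lists are
the ones published in the entry; the proxy log format, client addresses and
example.* domains are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

STRING_1 = ["wp-content", "include", "content", "uploads", "static", "admin", "data", "news"]
STRING_2 = ["images", "pictures", "image", "temp", "tmp", "graphic", "assets", "pics", "game"]
STRING_3 = ["jpg", "png", "gif"]


def _alternatives(words: List[str]) -> str:
    return "(?:" + "|".join(re.escape(w) for w in words) + ")"


# https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
# {domain} may carry an explicit :443 (several entries in the list do);
# {random characters} is assumed to be alphanumeric.
BEACON_URL = re.compile(
    r"^https://(?P<domain>[^/\s]+)"
    r"/(?P<s1>" + _alternatives(STRING_1) + r")"
    r"/(?P<s2>" + _alternatives(STRING_2) + r")"
    r"/(?P<name>[A-Za-z0-9]+)\.(?P<s3>" + _alternatives(STRING_3) + r")$",
    re.IGNORECASE,
)

# Constructed log layout: "<timestamp> <client> <method> <url> <status> <bytes>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

SAMPLE_PROXY_LOG = [
    "2021-03-04T10:03:00Z 10.0.0.7 POST https://www.example.com/wp-content/images/a9K2lq.jpg 200 412",
    "2021-03-04T10:03:01Z 10.0.0.7 GET https://www.example.com/wp-content/uploads/logo.png 200 8812",
    "2021-03-04T10:03:02Z 10.0.0.9 POST https://shop.example.org:443/static/tmp/Zx81qQ.png 404 0",
    "2021-03-04T10:03:03Z 10.0.0.7 POST https://api.example.net/v1/upload 200 90",
    "2021-03-04T10:03:04Z 10.0.0.7 GET https://cdn.example.com/static/assets/hero.jpg 200 51022",
]


def match_beacon_url(url: str) -> Optional[Dict[str, str]]:
    """Return the URL's components if it fits the beacon scheme, else None."""
    m = BEACON_URL.match(url)
    return m.groupdict() if m else None


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return POST requests whose URL fits the beacon scheme.

    The method check matters: a GET for /static/assets/hero.jpg is ordinary web
    browsing, a POST to a URL that ends in .jpg is not. The status code is
    deliberately not filtered; a 404 from a cleaned-up site is still a beacon attempt.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = LOG_LINE.match(line.strip())
        if not rec or rec["method"] != "POST":
            continue
        parts = match_beacon_url(rec["url"])
        if parts:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "domain": parts["domain"], "url": rec["url"]})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["ts"], hit["client"], "->", hit["domain"], hit["url"])
```

Legitimate GET requests to paths like /static/assets/hero.jpg fit the same shape, which is why the scan keys on the POST method in addition to the path structure; the resulting client list is the set of hosts to pull for the registry and file-system artifacts described elsewhere in this entry.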
Ransomware Routine
It avoids encrypting files with the following strings in their file name:
- File extensions:
- 386
- adv
- ani
- bat
- bin
- cab
- cmd
- com
- cpl
- cur
- deskthemepack
- diagcab
- diagcfg
- diagpkg
- dll
- drv
- exe
- hlp
- hta
- icl
- icns
- ico
- ics
- idx
- key
- ldf
- lnk
- lock
- mod
- mpa
- msc
- msi
- msp
- msstyles
- msu
- nls
- nomedia
- ocx
- prf
- ps1
- rom
- rtp
- scr
- shs
- spl
- sys
- theme
- themepack
- wpx
- File name:
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db
It avoids encrypting files found in the following folders:
- $recycle.bin
- $windows.~bt
- $windows.~ws
- boot
- intel
- mozilla
- msocache
- perflogs
- system volume information
- tor browser
- windows
- windows.old
It appends the following extension to the file name of the encrypted files:
- .{random characters}
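Two facts in this entry combine into a quick host-triage routine: the appended extension is recorded under HKEY_LOCAL_MACHINE\SOFTWARE\recfg as rnd_ext (see Other System Modifications), and every encrypted folder receives a {random characters}.lock marker and an {appended ransom extension}-readme.txt note. The following Python is an added example, not code from the original entry or from the malware: it reads rnd_ext from a regedit (.reg) export, falls back to deriving the extension from a note's file name when no export is at hand, and inventories notes, markers and encrypted files in a directory tree, flagging any encrypted file inside one of the folders this variant is documented to skip. The .reg text, the value contents and the directory tree are constructed for the example; that rnd_ext exports as a quoted string is an assumption.

```python
"""Triage Sodinokibi artifacts: rnd_ext from a .reg export, then notes/markers/encrypted files.
Added example, not from the original entry; the .reg text and directory tree are constructed."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

RECFG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\recfg"
# Folders the entry says this variant does not encrypt (compared case-insensitively).
EXCLUDED_FOLDERS = {"$recycle.bin", "$windows.~bt", "$windows.~ws", "boot", "intel", "mozilla",
                    "msocache", "perflogs", "system volume information", "tor browser",
                    "windows", "windows.old"}

# Constructed regedit export; hex data shortened. rnd_ext exported as a string is an assumption.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\recfg]
"pk_key"=hex:1a,2b,3c,4d,5e,6f,70,81,92,a3,b4,c5,d6,e7,f8,09,1a,2b,3c,4d,5e,6f,\
  70,81,92,a3,b4,c5,d6,e7,f8,09
"sk_key"=hex:00,11,22,33
"0_key"=hex:ff,ee,dd,cc
"rnd_ext"=".k3j2h4"
"stat"=hex:01,02,03
'''


def _hex_chunk(text: str) -> str:
    """Strip separators and a trailing continuation backslash from a .reg hex line."""
    return text.rstrip("\\").replace(",", "").replace(" ", "")


def parse_recfg_export(reg_text: str) -> Dict[str, str]:
    """Return the values under HKLM\\SOFTWARE\\recfg: REG_SZ as str, hex data as a hex string."""
    values: Dict[str, str] = {}
    in_key, pending = False, None  # pending = name of a hex value continued on the next line
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RECFG_KEY.lower()
        elif in_key and pending is not None:
            values[pending] += _hex_chunk(line)
            pending = pending if line.endswith("\\") else None
        elif in_key and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            name, data = m.group(1), m.group(2)
            if data.lower().startswith("hex"):
                values[name] = _hex_chunk(data.split(":", 1)[1])
                pending = name if data.endswith("\\") else None
            else:
                values[name] = data.strip('"')
    return values


def ransom_extension(values: Dict[str, str]) -> Optional[str]:
    """Normalise rnd_ext to the '.ext' form used by encrypted files and note names."""
    ext = values.get("rnd_ext")
    return None if not ext else (ext if ext.startswith(".") else "." + ext)


def triage_tree(root: Path, ext: Optional[str]) -> Dict[str, object]:
    """Inventory notes, .lock markers and encrypted files under root.
    With ext None (no registry export), derive it from the first '{ext}-readme.txt' note."""
    files = [p for p in root.rglob("*") if p.is_file()]
    notes = [p for p in files if p.name.lower().endswith("-readme.txt")]
    if ext is None and notes:
        ext = "." + notes[0].name[: -len("-readme.txt")]
    markers, encrypted, in_excluded = [], [], []
    for p in files:
        rel, name = p.relative_to(root).as_posix(), p.name.lower()
        if p in notes:
            continue
        if name.endswith(".lock"):
            markers.append(rel)
        elif ext and name.endswith(ext.lower()):
            encrypted.append(rel)
            # The entry says these folders are skipped; a hit here is not explained by this variant.
            if any(part.lower() in EXCLUDED_FOLDERS for part in Path(rel).parts[:-1]):
                in_excluded.append(rel)
    return {"extension": ext, "notes": sorted(n.relative_to(root).as_posix() for n in notes),
            "markers": sorted(markers), "encrypted": sorted(encrypted),
            "in_excluded_folders": sorted(in_excluded)}


def build_sample_tree() -> Path:
    """Create a constructed post-infection tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="sodinokibi-triage-"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.k3j2h4").write_bytes(b"\x00" * 64)   # encrypted
    (docs / "budget.xlsx.k3j2h4").write_bytes(b"\x00" * 64)   # encrypted
    (docs / "k3j2h4-readme.txt").write_text("constructed ransom note placeholder")
    (docs / "Qw9zL2xP.lock").write_bytes(b"")                  # per-folder marker
    (docs / "shortcut.lnk").write_bytes(b"L\x00\x00\x00")      # .lnk is on the skip list
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "kernel32.dll").write_bytes(b"MZ")                 # skipped folder
    return root


if __name__ == "__main__":
    ext = ransom_extension(parse_recfg_export(SAMPLE_REG_EXPORT))
    print(triage_tree(build_sample_tree(), ext))
```

Run against a mounted image or a live host's C: drive, the inventory gives the scope of encryption per folder and confirms the extension before any clean-up of the recfg key, which should be exported (not just deleted) because pk_key, sk_key and 0_key are the per-victim key material a decryptor would need.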
It drops the following file as its ransom note:
- {encrypted folder}\{appended ransom extension}-readme.txt
The ransom note text file it leaves contains the following:
Solution
Step 1
Windows XP, Windows Vista and Windows 7 users: before running any scan, disable System Restore so that the malware or adware can be removed from the computer completely.
Step 2
Not every file, folder, registry key or value listed in these steps is necessarily installed on the computer when this malware or adware runs; installation may have been incomplete or prevented by operating system conditions. If a listed file, folder or registry item is not found, that step is unnecessary; proceed to the next step.
Step 3
Identify the file detected as Ransom.Win32.SODINOKIBI.THGAOAIA and terminate its process.
- Windows Task Manager may not display every running process. In that case, use a tool such as Process Explorer to terminate the malware file.
- If the detected file is displayed in Windows Task Manager or Process Explorer but cannot be deleted, restart the computer in Safe Mode.
- If the detected file is not displayed in Task Manager, proceed to the next step.
Step 4
Search for and delete the following files:
- {encrypted folder}\{random characters}.lock
- %User Temp%\{random characters}.bmp
- {encrypted folder}\{appended ransom extension}-readme.txt
Step 5
Delete this registry key.
Warning: The registry is the database that holds Windows configuration information; an incorrect edit can stop the system from working properly.
Edit the registry at your own risk; no compensation is offered for problems caused by registry edits.
Consult the registry editing guidance before making changes.
- HKEY_LOCAL_MACHINE\SOFTWARE\recfg
Step 6
Run a scan with an antivirus product using the latest engine and pattern file, and delete every file detected as Ransom.Win32.SODINOKIBI.THGAOAIA. If the detected files have already been cleaned, quarantined or deleted by the antivirus product, the malware has been handled and no further removal steps are needed.
Step 7
Restore the desktop properties (the wallpaper replaced by the ransom image).