Trend Micro Security

Ransom.Win32.SODINOKIBI.THFBFAI

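July 12, 2019
 Analysis by: Warren Adam Sto. Tomas   

 Platform:

Windows

 Overall Risk Rating:
 Damage Potential:
 Distribution Potential:
 Reported Infection:
 Information Exposure:


  • Malware type: Ransomware
  • Destructiveness: No
  • Encrypted: Yes
  • In the wild: Yes

  Overview

Infection Channel: Downloaded from the Internet, Dropped by other malware

This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites.


  Technical Details

File Size: 398,336 bytes
File Type: EXE
Memory Resident: No
Date Discovered: June 25, 2019
Payload: Connects to URLs/IP addresses, Encrypts files, Displays an image, Terminates processes

Arrival Details

This ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites.

Installation

The malware creates the following files: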

  • {encrypted folder}\{random characters}.lock -> marker for encrypted folders
  • %User Temp%\{random characters}.bmp -> ransom wallpaper
  • {encrypted folder}\{appended ransom extension}-readme.txt -> ransom note

(Note: %User Temp% is the temporary folder of the currently logged-on user. It is usually "C:\Documents and Settings\<user name>\Local Settings\Temp" on Windows 2000 (32-bit), XP, and Server 2003 (32-bit), and "C:\Users\<user name>\AppData\Local\Temp" on Windows Vista, 7, 8, 8.1, 2008 (64-bit), 2012 (64-bit), and 10 (64-bit).)

The malware adds the following processes:

  • vssadmin.exe Delete Shadows /All /Quiet -> deletes shadow copies
  • bcdedit /set {default} recoveryenabled No -> disables startup repair
  • bcdedit /set {default} bootstatuspolicy ignoreallfailures -> disables windows error recovery

The malware creates the following mutex to ensure that only one copy of itself runs in memory at any time:

  • Global\C126B3B3-6B51-F91C-6FDF-DD2C70FA45E6

Other System Modifications

The malware adds the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\recfg

The malware adds the following registry values as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
pk_key = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
sk_key = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
0_key = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
rnd_ext = {appended ransom extension}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
stat = {hex values}
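
The host indicators listed above (the three recovery-inhibiting commands, the mutex, and the `recfg` registry key with its values) can be combined into a simple triage rule. The following is an added example, not Trend Micro's code: the event schema (`host`, `kind`, `cmdline`, `key`, `value`, `name`), the host names, and the severity thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Command lines from the write-up; matched case-insensitively, with or without ".exe".
RECOVERY_INHIBIT = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b.*/all\b", re.I),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*/set\b.*\brecoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\b.*/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
RECFG_KEY = "hklm\\software\\recfg"
RECFG_VALUES = {"pk_key", "sk_key", "0_key", "rnd_ext", "stat"}
MUTEX_NAME = r"Global\C126B3B3-6B51-F91C-6FDF-DD2C70FA45E6".lower()


def normalize_key(path):
    """Lower-case a registry path and fold the spellings a log source may use."""
    p = path.strip().lower()
    long_root = "hkey_local_machine\\"
    if p.startswith(long_root):
        p = "hklm\\" + p[len(long_root):]
    # General Windows behaviour, not stated on the page: a 32-bit process on
    # 64-bit Windows has HKLM\SOFTWARE redirected to WOW6432Node, so accept both.
    return p.replace("\\wow6432node\\", "\\")


def findings_for(event):
    """Return the set of indicator names that a single event matches."""
    kind = event.get("kind")
    if kind == "process":
        cmd = event.get("cmdline", "")
        return {name for name, rx in RECOVERY_INHIBIT.items() if rx.search(cmd)}
    if kind == "registry" and normalize_key(event.get("key", "")) == RECFG_KEY:
        value = event.get("value", "").lower()
        return {"recfg_value:" + value if value in RECFG_VALUES else "recfg_key"}
    if kind == "mutex" and event.get("name", "").lower() == MUTEX_NAME:
        return {"mutex"}
    return set()


def triage(events):
    """Group findings per host and assign a severity (thresholds are assumptions).

    A lone recovery-inhibiting command is also something an administrator may
    run, so it is only marked "review"; the recfg key, the mutex, or two or more
    distinct recovery-inhibiting commands on one host are marked "high".
    """
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= findings_for(event)
    report = {}
    for host, found in per_host.items():
        if not found:
            continue
        inhibit = found & set(RECOVERY_INHIBIT)
        strong = found - inhibit
        severity = "high" if strong or len(inhibit) >= 2 else "review"
        report[host] = {"severity": severity, "findings": sorted(found)}
    return report


# Constructed sample telemetry (hypothetical hosts and schema).
SAMPLE_EVENTS = [
    {"host": "WS-014", "kind": "process",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-014", "kind": "process",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS-014", "kind": "process",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS-014", "kind": "registry",
     "key": r"HKLM\SOFTWARE\WOW6432Node\recfg", "value": "pk_key"},
    {"host": "WS-014", "kind": "registry",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\recfg", "value": "rnd_ext"},
    {"host": "WS-014", "kind": "mutex",
     "name": r"Global\C126B3B3-6B51-F91C-6FDF-DD2C70FA45E6"},
    {"host": "BKP-01", "kind": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DEV-07", "kind": "process", "cmdline": "bcdedit /enum"},
    {"host": "DEV-07", "kind": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["severity"], ", ".join(result["findings"]))
```
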

The malware sets the desktop wallpaper to the following image:

Process Termination

The malware terminates the following processes if they are found running on the affected system:

  • agntsvc.exe
  • dbeng50.exe
  • dbsnmp.exe
  • encsvc.exe
  • excel.exe
  • firefoxconfig.exe
  • infopath.exe
  • isqlplussvc.exe
  • msaccess.exe
  • msftesql.exe
  • mspub.exe
  • mydesktopqos.exe
  • mydesktopservice.exe
  • mysqld.exe
  • mysqld_nt.exe
  • mysqld_opt.exe
  • ocautoupds.exe
  • ocomm.exe
  • ocssd.exe
  • onenote.exe
  • oracle.exe
  • outlook.exe
  • powerpnt.exe
  • sqbcoreservice.exe
  • sqlagent.exe
  • sqlbrowser.exe
  • sqlservr.exe
  • sqlwriter.exe
  • steam.exe
  • synctime.exe
  • tbirdconfig.exe
  • thebat.exe
  • thebat64.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • xfssvccon.exe

Information Theft

The malware gathers the following information:

  • Computer name
  • User name
  • Workgroup
  • Processor
  • Operating System
  • System Architecture

Stolen Information

The malware sends the gathered information via HTTP POST to the following URL:

  • https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
    • {domain}:
    • {string 1}:
      • wp-content
      • include
      • content
      • uploads
      • static
      • admin
      • data
      • news
    • {string 2}:
      • images
      • pictures
      • image
      • temp
      • tmp
      • graphic
      • assets
      • pics
      • game
    • {string 3}:
      • jpg
      • png
      • gif

Ransomware Routine

The malware does not encrypt files whose names contain the following strings:

  • File extensions:
    • 386
    • adv
    • ani
    • bat
    • bin
    • cab
    • cmd
    • com
    • cpl
    • cur
    • deskthemepack
    • diagcab
    • diagcfg
    • diagpkg
    • dll
    • drv
    • exe
    • hlp
    • hta
    • icl
    • icns
    • ico
    • ics
    • idx
    • key
    • ldf
    • lnk
    • lock
    • mod
    • mpa
    • msc
    • msi
    • msp
    • msstyles
    • msu
    • nls
    • nomedia
    • ocx
    • prf
    • ps1
    • rom
    • rtp
    • scr
    • shs
    • spl
    • sys
    • theme
    • themepack
    • wpx
  • File name:
    • autorun.inf
    • boot.ini
    • bootfont.bin
    • bootsect.bak
    • desktop.ini
    • iconcache.db
    • ntldr
    • ntuser.dat
    • ntuser.dat.log
    • ntuser.ini
    • thumbs.db

The malware does not encrypt files found in the following folders:

  • $recycle.bin
  • $windows.~bt
  • $windows.~ws
  • appdata
  • application data
  • boot
  • google
  • intel
  • mozilla
  • msocache
  • perflogs
  • program files
  • program files (x86)
  • programdata
  • system volume information
  • tor browser
  • windows
  • windows.old

The malware appends the following extension to the file names of encrypted files:

  • .{random characters}

The following file created by the malware is the ransom note:

  • {encrypted folder}\{appended ransom extension}-readme.txt

The malware leaves a ransom note text file with the following content:


  Solution

Minimum scan engine: 9.850
First VSAPI pattern version: 15.198.05
First VSAPI pattern release date: June 26, 2019
VSAPI OPR pattern version: 15.199.00
VSAPI OPR pattern release date: June 27, 2019

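Step 1

Windows XP, Windows Vista, and Windows 7 users must disable System Restore before running a virus scan so that the malware, adware, or similar software can be removed completely from the computer.

Step 2

Running this malware or adware does not necessarily install every file, folder, registry key, and value listed in these steps. Installation may be incomplete, or may not take place because of operating system (OS) conditions. If the file, folder, or registry information listed in a step is not found, that step is unnecessary; proceed to the next step.

Step 3

Identify the file names detected as "Ransom.Win32.SODINOKIBI.THFBFAI" and terminate those files.

[ Details ]

  • Not all running processes may appear in Windows Task Manager. In that case, use a tool such as "Process Explorer" to terminate the malware file. For information on "Process Explorer", see here.
  • The detected file may appear in Windows Task Manager or "Process Explorer" but cannot be deleted. In that case, restart the computer in Safe Mode.
    For information on Safe Mode, see here.
  • If the detected file does not appear in Task Manager, proceed to the next step.

Step 4

Search for and delete the following files.

[ Details ]
Component files may have the hidden file attribute set. Click [More advanced options] and select the [Search hidden files and folders] checkbox so that the search results include hidden files and folders.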
  • {encrypted folder}\{random characters}.lock
  • %User Temp%\{random characters}.bmp
  • {encrypted folder}\{appended ransom extension}-readme.txt

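Step 5

Delete this registry key.

[ Details ]

Warning: The registry is a database that stores Windows configuration information, and an incorrect registry edit can prevent the system from operating normally.
Edit the registry at your own risk. We cannot provide compensation for any problem caused by editing the registry.
Before editing the registry, see here.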

  • HKEY_LOCAL_MACHINE\SOFTWARE\recfg

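Step 6

Run a virus scan using an antivirus product with the latest version (engine and pattern files). Delete all files detected as "Ransom.Win32.SODINOKIBI.THFBFAI". If a detected file has already been cleaned, quarantined, or deleted by our antivirus product, handling of the virus is complete and no further removal steps are required.

Step 7

Correct the desktop properties.

[ Details ]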

