Ransom.Win64.RUTHENS.THLABBC

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega los procesos siguientes:

• wmic.exe shadowcopy delete
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• wbadmin.exe delete systemstatebackup -keepVersions:3
• wbadmin.exe delete systemstatebackup
• bcdedit.exe /set {default} recoveryenabled No
• vssadmin.exe delete shadows /all /quiet
• wbadmin.exe delete catalog-quiet
• notepad.exe {Drive}:\Contact Us.txt

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• mepocs
• memtas
• veeam
• svc$
• backup
• sql
• vss
• msexchange
• vmm
• vmwp

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• encsvc
• thebat
• mydesktopqos
• xfssvccon
• firefox
• infopath
• winword
• steam
• synctime
• notepad
• ocomm
• onenote
• mspub
• thunderbird
• agntsvc
• sql
• excel
• powerpnt
• outlook
• wordpad
• dbeng50
• isqlplussvc
• sqbcoreservice
• oracle
• ocautoupds
• dbsnmp
• msaccess
• tbirdconfig
• ocssd
• mydesktopservice
• visio

Otros detalles

Hace lo siguiente:

• It accepts the following argument:
  • -c {username}:{password} → Required. Specifies the username and password to access the contact page
  • -a, -attach, --attach → Enables logging
  • -A, -no-aggressive, --no-aggressive → Disables the deletion of backups and recovery
  • -E, -no-extension, --no-extension → Disables appending of extension to files
  • -m, -min-size, --min-size → Specifies the minimum file size for encryption (in bytes)
  • {File or Path to encrypt} → Encrypts a specific file or directory
• It encrypts fixed, removable, and network drives.