[ MRAC ransomware ]
[Virus/Malware Activity Report: MRAC Ransomware]
In response to a security breach believed to be caused by MRAC ransomware,
we are confirming the situation and issuing the following warning.
MRAC ransomware
The ransomware is called MRAC and appears to rename every file it encrypts so that it carries the .MRAC extension. It stops services or forcibly terminates processes so that it can encrypt the data those key processes use.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Major service termination
So that it can encrypt the data used by major processes without interruption, it stops services or forcibly terminates processes.
[Figure 3 End of major services]
Exit CMD, disable Windows recovery function, and delete shadow copies.
It disables Windows' self-recovery function and deletes existing shadow copies to make recovery difficult.
[Figure 4]
Delete system state backup feature
[Figure 5]
Delete system state backup feature
[Figure 6]
Targets
It calls GetLogicalDriveStrings to enumerate the drives and check each drive's information, and it operates on drives of type 2, 3 and 4.
[Figure 7]
Other Features
It writes the marker “=MRAC=” into each encrypted file so that it can identify files it has already encrypted.
[Figure 8]
Infection results
A ransom note named MRACReadMe.html is created in each folder, and when a file is encrypted it is renamed to <encrypted file name.MRAC>.
[Figure 9 Infection result 1]
[Figure 10 Infection result 2]
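For incident triage, the three file-system indicators described above (the MRACReadMe.html note, the .MRAC extension and the “=MRAC=” marker) can be checked together. The following is an added example, not code from this report or its vendor; the function names are hypothetical, the sample tree is constructed, and because the report does not say where in the file the marker sits, the whole file is scanned.

```python
import tempfile
from pathlib import Path

MARKER = b"=MRAC="             # marker the report says is left in encrypted files
NOTE_NAME = "mracreadme.html"  # ransom note name from the report, lower-cased
EXT = ".mrac"                  # appended extension from the report, lower-cased

def has_marker(path, chunk_size=1 << 20):
    """True if MARKER occurs anywhere in the file (its position is an unknown)."""
    tail = b""
    try:
        with open(path, "rb") as fh:
            while chunk := fh.read(chunk_size):
                if MARKER in tail + chunk:
                    return True
                tail = (tail + chunk)[-(len(MARKER) - 1):]  # catches a split marker
    except OSError:
        pass  # locked or unreadable file: not counted as a hit
    return False

def triage(root):
    """Classify files under root by the three indicators; returns relative paths."""
    found = {"notes": [], "renamed": [], "marked_only": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        rel, name = p.relative_to(root).as_posix(), p.name.lower()
        if name == NOTE_NAME:
            found["notes"].append(rel)
        elif name.endswith(EXT):
            found["renamed"].append(rel)
        elif has_marker(p):
            found["marked_only"].append(rel)  # marker present, name unchanged
    return {kind: sorted(paths) for kind, paths in found.items()}

def demo():
    """Run triage over a constructed sample tree (not real malware output)."""
    sample = {"docs/MRACReadMe.html": b"<html>note</html>",
              "docs/report.docx.MRAC": b"\x00" * 16 + MARKER,
              "docs/half.xlsx": b"A" * 7 + MARKER + b"B" * 9,
              "docs/clean.txt": b"=MRA C= nothing here"}
    with tempfile.TemporaryDirectory() as root:
        Path(root, "docs").mkdir()
        for rel, data in sample.items():
            Path(root, rel).write_bytes(data)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Folders listed under "notes" show how far the ransomware reached, and "marked_only" flags files that carry the marker without the extension and so need a closer look.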
White Defender response
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 11 Block message]
[Figure 12 Blocking details]