Ransomware Report


Title: Rizzler ransomware
Registration date: 2024-09-30

[ Virus/malicious code activity reported: Rizzler ransomware ]

We are aware of a security breach that is believed to involve Rizzler ransomware. We provide the following information and warnings regarding the situation.

Rizzler ransomware

The ransomware is called Rizzler, and it appears to rename every file it encrypts to filename.extension.rizz.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in Windows properties]

Ransomware behavior characteristics

  • This is C# .NET-based ransomware and one of the variants of Chaos. When executed, it re-executes itself under the name rizz.exe from the AppData\Roaming folder and prevents duplicate execution. It deletes shadow copies and backup catalogs (Windows Server), and disables the Windows recovery and error notification functions. It modifies the registry to block Task Manager, creates a link file to the ransomware executable in the Startup folder, and replaces the desktop image.


    [Figure 3 Internal code that disables functions that help with PC recovery]


    [Figure 4 Link file of ransomware created in the startup program folder]


    [Figure 5 Ransomware Information 3-Desktop Image Created in Temporary File]


    [Figure 6 Ransomware Information 3-1 Desktop Image]

Infection results

A ransom note named <README.txt> is created in each folder, and each encrypted file is renamed to <file name.extension.rizz>.


[Figure 7 Infection results]
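
The file-system traces named in this report (the .rizz extension, the README.txt note, rizz.exe in AppData\Roaming and a link file in the Startup folder) can be checked on a host with the following added example, which is not code from the report or from White Defender. The function names and the byte search inside .lnk files are assumptions made for illustration; the Startup path is the standard per-user Windows location.

```python
import os
from pathlib import Path

NOTE_NAME = "README.txt"   # ransom note name given in the report
ENC_EXT = ".rizz"          # extension appended to encrypted files
DROPPED_EXE = "rizz.exe"   # name of the re-executed copy in AppData\Roaming
# Per-user Startup folder, relative to AppData\Roaming (standard Windows layout)
STARTUP_REL = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def scan_tree(root):
    """Map each folder holding *.rizz files AND the note to the original names.
    README.txt alone is common, so the note only counts next to .rizz files."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        enc = sorted(f[:-len(ENC_EXT)] for f in files
                     if f.lower().endswith(ENC_EXT) and len(f) > len(ENC_EXT))
        if enc and any(f.lower() == NOTE_NAME.lower() for f in files):
            hits[folder] = enc
    return hits


def lnk_mentions_exe(lnk_path):
    """Assumed heuristic: a shortcut stores its target as ANSI or UTF-16LE text."""
    data = Path(lnk_path).read_bytes().lower()
    needle = DROPPED_EXE.lower()
    return needle.encode("ascii") in data or needle.encode("utf-16-le") in data


def scan_roaming(roaming):
    """Check an AppData\\Roaming directory for the dropped copy and Startup link."""
    roaming = Path(roaming)
    exe = roaming / DROPPED_EXE
    startup = roaming / STARTUP_REL
    links = []
    if startup.is_dir():
        links = sorted(p.name for p in startup.glob("*.lnk") if lnk_mentions_exe(p))
    return {"dropped_exe": exe.is_file(), "startup_links": links}


if __name__ == "__main__":
    roaming = os.environ.get("APPDATA", "")
    if roaming:
        print(scan_roaming(roaming))
    for folder, names in scan_tree(Path.home()).items():
        print(f"{folder}: {len(names)} encrypted file(s), e.g. {names[0]}")
```

The list of original names returned by `scan_tree` doubles as an inventory of what needs to be restored from backup.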

White Defender Response

WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block.


[Figure 8 Blocking Message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.