[ MarraCrypt ransomware ]
[Virus/Malware Activity Report: MarraCrypt Ransomware]
A security incident believed to involve MarraCrypt ransomware has occurred,
so we confirm the situation and issue the following warning.
MarraCrypt Ransomware
The ransomware is called MRAC and appears to rename all files it changes with the extension [newpatek@cock.li].MARRA. MRAC stops services or forcibly terminates processes so that it can infect data used by key processes.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Create sys.bat command file / Delete shadow copies / Delete backup-related data
The ransomware creates sys.bat in the root\Users\Public location and uses it to execute commands that delete shadow copies and backup data.
[Figure 3 File creation]
[Figure 4 Deleting shadow copies]
Create onmywrist.bat command file / Delete original ransomware
After completing the encryption process, the ransomware creates the onmywrist.bat file and runs a command to delete the original ransomware file.
[Figure 5 Command file creation]
[Figure 6 Execution command]
Infection results
An information file named MARRACRYPT_INFORMATION.HTML is created in each folder, and a MARRACRYPT_ID_DO_NOT_TOUCH file holding the encrypted key value is created in a specific location. When encryption is performed, each file is renamed to <encrypted file name.[newpatek@cock.li].MARRA>.
[Figure 7 Infection result 1]
[Figure 8 Infection result 2]
[Figure 9 Infection result 3]
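The file names above can be used for a quick triage sweep of a folder or share. The following is an added example, not part of the original report or of White Defender: it groups files by the artifact names given in this report and recovers the pre-encryption name of renamed files. The function names, category labels and the sample folder are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Names taken from the report, matched case-insensitively; sys.bat is a generic name.
EXACT = {"marracrypt_information.html": "information_file",
         "marracrypt_id_do_not_touch": "id_file",
         "sys.bat": "batch_file", "onmywrist.bat": "batch_file"}
SUFFIX = ".[newpatek@cock.li].MARRA"


def classify(filename):
    """Return the artifact type for a file name, or None if it is unrelated."""
    lower = filename.lower()
    if lower in EXACT:
        return EXACT[lower]
    if lower.endswith(SUFFIX.lower()) and len(lower) > len(SUFFIX):
        return "encrypted"
    return None


def original_name(filename):
    """Strip the appended extension to recover the pre-encryption file name."""
    return filename[: -len(SUFFIX)] if classify(filename) == "encrypted" else filename


def scan(root):
    """Walk root and group matching paths by artifact type."""
    hits = defaultdict(list)
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind:
                hits[kind].append(os.path.join(folder, name))
    return {kind: sorted(paths) for kind, paths in hits.items()}


def build_sample_tree():
    """Constructed sample data: a temporary folder imitating an affected share."""
    root = tempfile.mkdtemp(prefix="marra_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx" + SUFFIX, "docs/MARRACRYPT_INFORMATION.HTML",
                "docs/untouched.txt", "sys.bat", "MARRACRYPT_ID_DO_NOT_TOUCH"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    return root


if __name__ == "__main__":
    for kind, paths in sorted(scan(build_sample_tree()).items()):
        print(kind, [original_name(os.path.basename(p)) for p in paths])
```

A hit on sys.bat alone is weak evidence; it matters when it sits in the Users\Public location described above or appears alongside the other artifacts.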
White Defender compatible
White Defender supports blocking of the ransomware's malicious actions and real-time automatic restoration of the files that were about to be encrypted.
[Figure 10 Block message]
[Figure 11 Blocking details]