[ Eternity ransomware ]
[Virus/Malware Activity Report: Eternity Ransomware]
Following a breach believed to involve Eternity ransomware, we confirm the situation and issue the following warning.
Eternity Ransomware
The ransomware in question is called Eternity and appears to change all files so that they carry the .ecrp extension.
How it works
File version
 

[Figure 1 File version]
 
 

[Figure 2 File properties]
 
Behavioral process
Disable task manager
The ransomware disables Task Manager through a Windows security policy.
 

[Figure 3 Disable task manager]
 
Network test
It checks the communication status using the ping command.
 

[Figure 4 Network test]
 
Task Scheduler Reservation
It creates a scheduled task so that Eternity ransomware runs periodically.
 

[Figure 5 Task Scheduler Reservation]
 
Deleting shadow copies
It deletes all shadow copies to make recovery of encrypted data difficult.
 

[Figure 6 Deleting shadow copies]
 
Infection results
The ransomware copies itself into %AppData%LocalServiceHub and runs from there after deleting the files in the location where it was first executed. The ransom information is presented by the ransomware executable itself, which displays it directly in a GUI. When encryption is performed, files are renamed to the form <.existing extension.ecrp>, that is, .ecrp is appended after the existing extension.
 

[Figure 7 Infection result 1]
 
 

[Figure 8 Infection result 2]
 
 

[Figure 9 Infection result 3]
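The behaviors listed in this report, combined into a triage check over process and file telemetry (an added example, not part of the original report and not White Defender's logic). Only the .ecrp naming and the LocalServiceHub folder come from the report; the command patterns, event fields and sample events are assumptions constructed for illustration, because the report's screenshots are not reproduced here.

```python
import re
from collections import defaultdict

# ASSUMPTION: the report's screenshots are missing, so these are the usual
# Windows commands for each listed behavior, not strings taken from the sample.
CMD_RULES = {
    "taskmgr_disabled": re.compile(r"\breg(\.exe)?\s+add\b.*\bDisableTaskMgr\b", re.I),
    "ping_check": re.compile(r"\bping(\.exe)?\s", re.I),
    "task_created": re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I),
    "shadows_deleted": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
}
# From the report: encrypted files end in <.existing extension.ecrp>.
ECRP_NAME = re.compile(r"\.[^.\\/\s]+\.ecrp$", re.I)
# From the report: the sample runs from a folder named LocalServiceHub.
DROP_DIR = re.compile(r"LocalServiceHub", re.I)

def behaviors_by_actor(events):
    """Map each acting image path to the set of report behaviors it showed."""
    seen = defaultdict(set)
    for ev in events:
        actor = ev["actor"]
        if DROP_DIR.search(actor):
            seen[actor].add("runs_from_drop_dir")
        for name, rule in CMD_RULES.items():
            if rule.search(ev.get("cmdline", "")):
                seen[actor].add(name)
        if ECRP_NAME.search(ev.get("renamed_to", "")):
            seen[actor].add("ecrp_rename")
    return dict(seen)

def alerts(events, threshold=3):
    """Flag actors showing several behaviors; any single one is often benign."""
    return {a: sorted(b) for a, b in behaviors_by_actor(events).items()
            if len(b) >= threshold}

# Constructed telemetry: "actor" is the image that launched the command or
# performed the rename. Paths, task names and addresses are made up.
MAL = r"C:\constructed\LocalServiceHub\sample.exe"
BACKUP = r"C:\constructed\backup\agent.exe"
SAMPLE = [
    {"actor": MAL, "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"actor": MAL, "cmdline": "ping -n 1 192.0.2.1"},
    {"actor": MAL, "cmdline": r"schtasks /create /tn ConstructedTask /sc minute /mo 5 /tr " + MAL},
    {"actor": MAL, "cmdline": "vssadmin delete shadows /all /quiet"},
    {"actor": MAL, "renamed_to": r"C:\constructed\docs\report.docx.ecrp"},
    {"actor": BACKUP, "cmdline": "vssadmin list shadows"},
    {"actor": BACKUP, "cmdline": "schtasks /create /tn ConstructedBackup /sc daily /tr " + BACKUP},
    {"actor": r"C:\Windows\System32\cmd.exe", "cmdline": "ping -n 4 192.0.2.10"},
]
```

The threshold keeps a lone ping or a backup agent's scheduled task from alerting, while the combination the report describes is flagged under a single actor.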
 
White Defender compatible
White Defender supports blocking the ransomware before its malicious actions take effect and real-time automatic restoration of files that would be encrypted.
 
[Figure 10 Block message]
 
[Figure 11 Block message]
