[ T800 ransomware ]
[Virus/Malware Activity Report: T800 Ransomware]
An infection believed to be T800 ransomware has occurred.
We describe the situation below and issue the following warning.
T800 ransomware
The ransomware in question is called T800, and it appears to rename all files to the form <existing name.existing extension.t800>.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Deleting shadow copies
Deletes shadow copies to make recovery difficult after infection.
[Figure 3 Deleting shadow copies]
Disable Windows self-restore function
Disables the self-recovery function built into Windows.
[Figure 4 Disabling Windows self-restore function]
Register startup program
Registers the original file as a startup program to prevent problems during the infection process.
[Figure 5 Startup program registration]
Infection results
A guidance file named !!!HOW_TO_DECRYPT!!!.txt is created in each folder, and when encryption is performed the files are renamed to <existing name.existing extension.t800>.
[Figure 6 Infection result 1]
[Figure 7 Infection result 2]
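A triage check built from the two indicators described above (the guidance file name and the .t800 suffix), added here as an example and not part of the original report. The folder names and sample files are constructed, and case-insensitive matching is an assumption.

```python
import os
import tempfile

NOTE_NAME = "!!!HOW_TO_DECRYPT!!!.txt"  # guidance file name given in the report
ENC_SUFFIX = ".t800"                     # extension appended to affected files

def original_name(filename):
    """Pre-infection name for <existing name>.<existing extension>.t800, else None."""
    if filename.lower().endswith(ENC_SUFFIX) and len(filename) > len(ENC_SUFFIX):
        return filename[:-len(ENC_SUFFIX)]
    return None

def scan(root):
    """Map each folder under root that shows an indicator to what was found there."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        note = any(f.lower() == NOTE_NAME.lower() for f in files)
        renamed = sorted((f, original_name(f)) for f in files if original_name(f))
        if note or renamed:
            findings[os.path.relpath(folder, root)] = {"note": note, "renamed": renamed}
    return findings

def summarize(findings):
    """Note plus renamed files in one folder is the strongest signal; either alone is partial."""
    confirmed = sorted(d for d, r in findings.items() if r["note"] and r["renamed"])
    partial = sorted(d for d in findings if d not in confirmed)
    total = sum(len(r["renamed"]) for r in findings.values())
    return {"confirmed": confirmed, "partial": partial, "renamed_files": total}

def build_sample_tree(root):
    """Constructed sample data: empty files laid out like an affected share."""
    layout = {
        "finance": ["q1.xlsx.t800", "invoice.pdf.t800", NOTE_NAME],
        "drafts": [NOTE_NAME],               # note present, no renamed files
        "photos": ["cat.jpg", "notes.txt"],  # untouched folder
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan(tmp)
        for folder, result in sorted(found.items()):
            print(folder, result)
        print(summarize(found))
```

The original names returned for each renamed file give the list to compare against backups when scoping what needs restoring.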
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 8 Block message]
[Figure 9 Block message]
[Figure 10 Block message]