You can check the latest ransomware information.
[Elbie ransomware]
[Virus/malware activity reported: Elbie ransomware]
An intrusion believed to involve Elbie ransomware has occurred. We describe
the situation and provide a warning below.
Elbie ransomware
The ransomware in question is called Elbie, and it appears to rename every file to <existing name.existing extension.id[unique ID].[helprequest@techmail.info].Elbie>.
How it works
File version

[Figure 1 File version]

[Figure 2 File properties]
Behavioral process
Register startup program
The ransomware copies itself from its initial execution location to %AppData%Local, runs again from there, and registers itself as a startup program.

[Figure 3 Startup program registration]

[Figure 4 Startup program registration]
Deleting shadow copies
It deletes shadow copies to make recovery difficult after infection.

[Figure 5 Deleting shadow copies]
Disable Windows Firewall
It disables Windows Firewall, weakening the system's security.

[Figure 6 Disabling Windows Firewall]
Infection results
Guide files named info.txt / info.hta are created in each folder, and when encryption is performed, the files are renamed to <existing name.extension.id[unique ID].[helprequest@techmail.info].Elbie>.

[Figure 7 Infection result 1]

[Figure 8 Infection result 2]

[Figure 9 Infection result 3]
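
The following Python triage script is an added example, not part of the original report or the vendor's tooling. It parses the rename pattern described above to recover each file's original name and unique ID, and rates folders by whether renamed files and info.txt / info.hta guide files appear together. The function names, confidence labels, and sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rename pattern from the report: <name.ext>.id[<unique ID>].[<contact>].Elbie
ELBIE_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<uid>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.Elbie$",
    re.IGNORECASE,
)
NOTE_NAMES = {"info.txt", "info.hta"}  # guide files named in the report


def parse_elbie_name(filename):
    """Return (original name, unique ID, contact) or None if not renamed."""
    m = ELBIE_RE.match(filename)
    return (m["original"], m["uid"], m["contact"]) if m else None


def triage(paths):
    """Summarise Elbie indicators per folder from a list of Windows paths."""
    folders = defaultdict(lambda: {"encrypted": [], "ids": set(), "notes": set()})
    for raw in paths:
        p = PureWindowsPath(raw)
        parsed = parse_elbie_name(p.name)
        if parsed:
            folders[str(p.parent)]["encrypted"].append(parsed[0])
            folders[str(p.parent)]["ids"].add(parsed[1])
        elif p.name.lower() in NOTE_NAMES:
            folders[str(p.parent)]["notes"].add(p.name.lower())
    for e in folders.values():
        # info.txt alone is a common name: a note without renamed files is weak.
        e["confidence"] = ("high" if e["encrypted"] and e["notes"]
                           else "medium" if e["encrypted"] else "low")
    return dict(folders)


# Constructed sample listing (the ID value is a placeholder, not a real one).
SAMPLE = [
    r"C:\Users\a\Documents\report.docx.id[CONSTRUCTED-0001].[helprequest@techmail.info].Elbie",
    r"C:\Users\a\Documents\info.hta",
    r"C:\Users\a\Pictures\cat.jpg.id[CONSTRUCTED-0001].[helprequest@techmail.info].Elbie",
    r"C:\Tools\info.txt",
    r"C:\Users\a\Desktop\notes.txt",
]

if __name__ == "__main__":
    for folder, entry in triage(SAMPLE).items():
        print(folder, entry["confidence"], entry["encrypted"], sorted(entry["notes"]))
```
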
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.

[Figure 10 Block message]

[Figure 11 Block message]
