Ransomware Report


Title: Devos ransomware, which infects systems through the macro function of email attachments
Registration date: 2023-01-03

[ Devos ransomware ]

[Virus/Malware Activity Report: Devos Ransomware]

Following a breach believed to involve Devos ransomware,
we are confirming the situation and issuing the following warning.

Devos ransomware

The ransomware is called Devos and appears to rename all files to the form filename.extension.id[private key].[henderson@cock.li].Devos.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Execute automatic privilege elevation command

    Registers a privilege elevation command using the AutoElevation vulnerability.


    [Figure 3 - Executing automatic privilege elevation command]

  • Register startup program

    Registers itself as a startup program so that it re-runs automatically when Windows starts.


    [Figure 4 Startup program registration]

  • Turn off firewall

    Disables the firewall settings, leaving the PC less secure.


    [Figure 5 Disable firewall]

  • Deleting shadow copies

    Deletes shadow copies to make recovery difficult after infection.

Infection results

Information files named info.txt / info.hta are created in each folder, and when encryption is performed, files are renamed to <file name.extension.id[private key].[henderson@cock.li].Devos>.


[Figure 6 Infection result 1]


[Figure 7 Infection result 2]


[Figure 8 Infection result 3]
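
As an added example (not code from the original report or from White Defender), the following Python script triages a file listing for the indicators described above: the `.id[...].[...].Devos` rename pattern and the info.txt / info.hta files. The function names, the sample listing and the ID value `EXAMPLE-0001` are constructed for illustration, and the bracketed values are treated as opaque strings.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rename pattern from the report: <name.ext>.id[<value>].[<contact>].Devos
DEVOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.Devos$",
    re.IGNORECASE,
)
NOTE_NAMES = {"info.txt", "info.hta"}  # information files named in the report


def parse_devos_name(filename):
    """Return (original_name, id_value, contact) or None if the name does not match."""
    m = DEVOS_NAME.match(filename)
    return (m["original"], m["victim_id"], m["contact"]) if m else None


def triage(paths):
    """Group a file listing by folder and summarise Devos indicators per folder."""
    folders = defaultdict(lambda: {"encrypted": [], "notes": set(), "intact": 0})
    for raw in paths:
        p = PureWindowsPath(raw)
        entry = folders[str(p.parent)]
        parsed = parse_devos_name(p.name)
        if parsed:
            entry["encrypted"].append(parsed[0])  # keep the pre-encryption name
        elif p.name.lower() in NOTE_NAMES:
            entry["notes"].add(p.name.lower())
        else:
            entry["intact"] += 1
    return dict(folders)


# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\kim\Documents\budget.xlsx.id[EXAMPLE-0001].[henderson@cock.li].Devos",
    r"C:\Users\kim\Documents\plan.docx.id[EXAMPLE-0001].[henderson@cock.li].Devos",
    r"C:\Users\kim\Documents\info.txt",
    r"C:\Users\kim\Documents\info.hta",
    r"C:\Users\kim\Pictures\cat.jpg",
    r"C:\Users\kim\Pictures\info.txt",  # a lone info.txt is weak evidence by itself
]

if __name__ == "__main__":
    for folder, s in triage(SAMPLE).items():
        hit = bool(s["encrypted"]) and bool(s["notes"])
        print(f"{folder}: encrypted={len(s['encrypted'])} notes={sorted(s['notes'])} "
              f"intact={s['intact']} affected={hit}")
```

Folders that contain both renamed files and an information file are the strongest match; the recovered original names give a list of what needs to be restored from backup.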

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files before they are encrypted.


[Figure 9 Block message]


[Figure 10 Block message]


Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.