Ransomware Report

You can check the latest ransomware information.

Title: LIZARD ransomware encrypts all folder data on your PC
Registration date: 2023-02-06
Views: 12869

[LIZARD ransomware]

[Virus/malware activity reported: LIZARD ransomware]

An incident believed to involve LIZARD ransomware has been reported, so we are confirming the details and issuing the following advisory.

LIZARD ransomware

The ransomware in question is called LIZARD. It renames every file it encrypts to the pattern filename.id[private key].[b1shops@tutanota.com].LIZARD and belongs to the Phobos family.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Windows error recovery notification window and recovery mode

    Because exceptions may occur while the ransomware is running in the background, it suppresses the Windows error recovery notification window and disables Windows recovery mode so that a crash neither alerts the user nor offers a recovery option.


    [Figure 3 Windows error recovery notification window and recovery mode]

  • Startup program

    It registers itself as a startup program so that it runs again automatically after a reboot, even if a previous encryption attempt failed.


    [Figure 4 Startup program]

  • Disable Windows Firewall

    It disables firewall-related settings, weakening the PC's security posture.


    [Figure 5 Disabling Windows Firewall]

  • Check and delete shadow copies

    To make it difficult for users to recover files after encryption, it enumerates shadow copies through WMI queries and deletes them through CMD commands.


    [Figure 6 Check shadow copy]


    [Figure 7 Deleting shadow copies]
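The four pre-encryption behaviours listed above (suppressing error recovery, registering a startup entry, disabling the firewall, and deleting shadow copies) all leave a process-creation trail that a defender can match on. The script below is an added detection example, not code from the report or from Everyzone; it runs a small set of command-line rules over constructed Windows process-creation events (in the shape of Sysmon Event ID 1 / Security 4688 fields) and then flags any parent process that triggers two or more distinct rules. The specific commands in the rules (vssadmin, wmic, bcdedit, netsh, reg, the Windows Error Reporting DontShowUI value) and all sample events are assumptions about how these behaviours are commonly implemented; the report itself only names the behaviours.

```python
import re
from typing import Dict, List, Set, Tuple

# One rule = (rule name, MITRE ATT&CK technique id, regex over the command line).
# Command patterns are assumed typical implementations of the behaviours in the
# report, not strings taken from the LIZARD sample.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("shadow_copy_tampering", "T1490", re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|select\s+\*\s+from\s+win32_shadowcopy)", re.I)),
    ("recovery_mode_disabled", "T1490", re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("error_recovery_dialog_suppressed", "T1562.001", re.compile(
        r"windows error reporting.*\bdontshowui\b", re.I)),
    ("firewall_disabled", "T1562.004", re.compile(
        r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("run_key_persistence", "T1547.001", re.compile(
        r"\breg(\.exe)?\s+add\s+\S*\\currentversion\\run\b", re.I)),
]

# Constructed sample events (pid, ppid, image, command line). Not real telemetry.
# Parent 4100 plays the ransomware process; parent 5000 plays an administrator.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"pid": 4124, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"pid": 4128, "ppid": 4100, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off"},
    {"pid": 4132, "ppid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
            r'/v sample /t REG_SZ /d "C:\Users\victim\AppData\Local\sample.exe" /f'},
    {"pid": 4136, "ppid": 4100, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" '
            r'/v DontShowUI /t REG_DWORD /d 1 /f'},
    # Benign look-alikes that must not fire: listing shadow copies, showing firewall state.
    {"pid": 5200, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c vssadmin list shadows"},
    {"pid": 5204, "ppid": 5000, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall show allprofiles"},
]


def match_rules(cmd: str) -> List[Tuple[str, str]]:
    """Return (rule name, technique id) for every rule whose regex hits the command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmd)]


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every rule over every event and return one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, tid in match_rules(str(ev["cmd"])):
            findings.append({"rule": name, "technique": tid,
                             "pid": ev["pid"], "ppid": ev["ppid"]})
    return findings


def suspicious_parents(findings: List[Dict[str, object]], min_rules: int = 2) -> Dict[int, List[str]]:
    """Group findings by parent process; a parent that spawns children matching
    at least `min_rules` distinct rules is reported as a likely pre-encryption stage."""
    by_parent: Dict[int, Set[str]] = {}
    for f in findings:
        by_parent.setdefault(int(f["ppid"]), set()).add(str(f["rule"]))
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid {h['pid']} (parent {h['ppid']}): {h['rule']} [{h['technique']}]")
    for ppid, rules in suspicious_parents(hits).items():
        print(f"parent {ppid} matched {len(rules)} behaviours: {', '.join(rules)}")
```

Requiring two distinct behaviours from the same parent is what keeps an administrator's `vssadmin list shadows` or `netsh advfirewall show` from paging anyone; a single rule hit is worth logging, the combination is worth an alert.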

Infection results

Ransom-note files named info.txt / info.hta are created in each folder, and every encrypted file is renamed to <file name>.id[private key].[b1shops@tutanota.com].LIZARD.


[Figure 8 Infection result 1]


[Figure 9 Infection result 2]


[Figure 10 Infection result 3]
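When triaging a share after the fact, the renaming pattern and the note file names described above are the fastest indicators of how far the encryption got. The script below is an added example, not code from the report or from Everyzone: it parses the <file name>.id[...].[b1shops@tutanota.com].LIZARD pattern into its parts, walks a directory tree counting encrypted files, ransom notes and untouched files per folder, and builds a constructed sample tree in a temporary directory so it can be run offline. The sample file names, the victim id value and the folder layout are all constructed test data.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Naming pattern stated in the report: <original name>.id[<id>].[<contact>].LIZARD
LIZARD_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<contact>[^\]]+)\]\.LIZARD$"
)
# Ransom-note file names stated in the report.
NOTE_NAMES = {"info.txt", "info.hta"}


def parse_lizard_name(name: str) -> Optional[Dict[str, str]]:
    """Split an encrypted file name into original name, victim id and contact address.
    Returns None for anything that does not follow the full pattern."""
    m = LIZARD_NAME.match(name)
    return m.groupdict() if m else None


def scan_tree(root: str) -> Dict[str, object]:
    """Walk `root` and summarise the infection footprint: counts of encrypted,
    note and untouched files, plus the distinct ids, contacts and folders seen."""
    summary: Dict[str, object] = {
        "encrypted": 0, "notes": 0, "clean": 0,
        "victim_ids": set(), "contacts": set(), "dirs_hit": set(),
    }
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            parts = parse_lizard_name(fname)
            if parts:
                summary["encrypted"] += 1
                summary["victim_ids"].add(parts["victim_id"])
                summary["contacts"].add(parts["contact"])
                summary["dirs_hit"].add(os.path.relpath(dirpath, root))
            elif fname.lower() in NOTE_NAMES:
                summary["notes"] += 1
            else:
                summary["clean"] += 1
    return summary


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics an infected folder (test data only)."""
    root = tempfile.mkdtemp(prefix="lizard_sample_")
    # Constructed names; the id value is a placeholder, not one observed in the wild.
    layout = {
        ".": ["report.docx.id[A1B2C3D4-3456].[b1shops@tutanota.com].LIZARD",
              "budget.xlsx.id[A1B2C3D4-3456].[b1shops@tutanota.com].LIZARD",
              "info.txt", "info.hta", "readme.md"],
        "archive": ["photo.jpg.id[A1B2C3D4-3456].[b1shops@tutanota.com].LIZARD",
                    "info.txt"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    s = scan_tree(build_sample_tree())
    print(f"encrypted={s['encrypted']} notes={s['notes']} clean={s['clean']}")
    print(f"victim ids={sorted(s['victim_ids'])} contacts={sorted(s['contacts'])}")
    print(f"folders hit={sorted(s['dirs_hit'])}")
```

The parser insists on the whole pattern (id block, contact block and the LIZARD suffix) rather than just the extension, so a stray file that merely ends in .LIZARD is not counted, and the original name recovered from each match is what you will need when matching restored files back to their backups.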

White Defender compatibility

White Defender blocks the LIZARD ransomware before its malicious actions take effect and automatically restores, in real time, any files that were about to be encrypted.


[Figure 11 Block message]


[Figure 12 Block message]


Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.