Ransomware Report

title
iq200 ransomware, which keeps the existing name and extension and appends .iq20
Registration date
2023-03-20

[ iq200 ransomware ]

[Virus/malware activity reported: iq200 ransomware]

A security breach believed to involve iq200 ransomware has occurred,
so we are confirming the situation and issuing the following warning.

iq200 ransomware

The ransomware is called iq200 and appears to rename every file to <existing name.existing extension.id-private key.[iq200@tutanota.com].iq20>.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Register startup program

    The ransomware executable file is registered in the startup registry and the startup folder so that it runs automatically when Windows starts.


    [Figure 3 Startup program registration]

  • After encryption, the ransomware uses a CMD command to delete the shadow copies, making the files difficult to recover.


    [Figure 4 Check and delete shadow copies]

Infection results

The information file is created as info.txt on the desktop and under the name mshta.exe in the system32 folder, and when encryption is performed, files are renamed to <existing name.existing extension.id-private key.[iq200@tutanota.com].iq20>.


[Figure 5 Infection result 1]


[Figure 6 Infection result 2]


[Figure 7 Infection result 3]
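
A triage sketch for the rename pattern described above, added here as an example and not part of the original report: it finds renamed files in a file listing, recovers each original name, and groups hits by folder and id value. The format of the `id-` value is not given in the report, so any dot-free string is accepted, and the sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rename pattern from the report:
#   <existing name>.<existing extension>.id-<value>.[iq200@tutanota.com].iq20
# Assumption: the id value contains no dot; its real format is not on the page.
IQ200_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[^.\\/]+)\.\[iq200@tutanota\.com\]\.iq20$",
    re.IGNORECASE,  # Windows file names are case-insensitive
)

def parse_iq200_name(path):
    """Return (original file name, id value) for a renamed file, else None."""
    m = IQ200_NAME.match(PureWindowsPath(path).name)
    return (m.group("original"), m.group("id")) if m else None

def triage(paths):
    """Summarise a file listing: renamed files, counts per folder and per id value."""
    hits, by_dir, ids = [], Counter(), Counter()
    for p in paths:
        parsed = parse_iq200_name(p)
        if parsed is None:
            continue
        original, file_id = parsed
        hits.append({"path": p, "original": original, "id": file_id})
        by_dir[str(PureWindowsPath(p).parent)] += 1
        ids[file_id] += 1
    return {"hits": hits, "by_dir": dict(by_dir), "ids": dict(ids)}

# Constructed sample listing (not taken from the report).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id-EXAMPLE01.[iq200@tutanota.com].iq20",
    r"C:\Users\alice\Documents\archive.tar.gz.id-EXAMPLE01.[iq200@tutanota.com].iq20",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\info.txt",
    r"D:\share\README.id-EXAMPLE02.[iq200@tutanota.com].IQ20",
    r"D:\share\report.id-draft.docx",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for h in result["hits"]:
        print(f'{h["path"]} -> original name {h["original"]} (id {h["id"]})')
    print(result["by_dir"], result["ids"])
```

The per-folder counts show which locations were reached and therefore which backups to prioritise; more than one id value in a listing is worth noting in the incident record.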

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.


[Figure 8 Block message]


[Figure 9 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.