Anti-Ransomware - WhiteDefender Report

처음으로security centerRansomware Report

Ransomware Report

You can check the latest ransomware information.

title: Eking ransomware (Phobos series), which encrypts all file data and renders it unusable.

Registration date: 2023-04-03

views: 24938

[Eking ransomware]

[Virus/Malware Activity Report: Eking Ransomware]

An infringement incident presumed to be in the form of Eking ransomware has occurred, and
we would like to confirm the situation and provide a warning as follows.

Eking ransomware

The ransomware is called Eking and appears to be changing all files with existing name.existing extension.id-[private key].[tolong80@protonmail.ch].eking.

How it works

file version

[Figure 1 File version]

[Figure 2 File properties]

behavioral process

Turn off network firewall

Disable your personal and public firewall settings to make yourself vulnerable to attackers.

[Figure 3 Disable network firewall]
Register startup program

Register the ransomware executable file in the startup registry and folder and set it to run automatically when Windows starts.

[Figure 4 Startup program registration]
Turn off error notification and recovery features

Disable error notifications that may be issued when ransomware is in progress and disable Windows' own error recovery function.

[Figure 5 Disabling error notification and recovery functions]
Check and delete shadow copies

After encryption, users delete files using the CMD command to make it difficult to recover them.

[Figure 6 Check and delete shadow copies]
Delete Backup Catalog (Windows Server)

Clears all Windows Server backup catalog functions.

[Figure 7 Deleting backup catalog (Windows Server)]

Infection results

The information file is created with the name info.txt on the desktop and info.hta in the desktop folder. When encryption is performed, <existing name.existing extension.id-[private key].[ tolong80@protonmail.ch].eking Files are changed to >.

[Figure 8 Infection result 1]