[ Cylance ransomware ]
[Virus/malware activity reported: Cylance ransomware]
A breach believed to involve Cylance ransomware has occurred,
so we describe the situation and issue the following warning.
Cylance ransomware
The ransomware is called Cylance and appears to rename every file it encrypts to <existing name.existing extension.Cylance>.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Ransomware execution using task schedule
The ransomware re-runs itself through Task Scheduler to obtain elevated privileges.
[Figure 3 Ransomware execution using task schedule]
Check and delete shadow copies
The ransomware uses a WMI command to check whether shadow copies exist, then deletes them with a CMD command to make it difficult for users to recover files after encryption.
[Figure 4 Check shadow copy]
[Figure 5 Shadow deletion]
Infection results
An information file named CYLANCE_README.txt is created in each path, and each encrypted file is renamed to <existing name.existing extension.Cylance>.
[Figure 6 Infection result 2]
[Figure 7 Infection result 3]
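A triage sketch for the infection results described above, added here as an example and not taken from the original advisory or from White Defender: it walks a directory tree, flags every CYLANCE_README.txt note and every file carrying the appended .Cylance suffix, and recovers each file's pre-encryption name. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

NOTE_NAME = "cylance_readme.txt"  # note name from the advisory, lowercased
ENC_SUFFIX = ".cylance"           # suffix appended to encrypted files, lowercased


def scan_tree(root):
    """Map each affected directory to its note flag and renamed files."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        note, renamed = False, []
        for name in filenames:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == NOTE_NAME:
                note = True
            elif lower.endswith(ENC_SUFFIX) and len(name) > len(ENC_SUFFIX):
                # Drop only the appended suffix to recover the original name.
                renamed.append((name, name[:-len(ENC_SUFFIX)]))
        if note or renamed:
            findings[dirpath] = {"note": note, "renamed": sorted(renamed)}
    return findings


def summarize(findings):
    """Return (directories with a note, total renamed files)."""
    notes = sum(1 for f in findings.values() if f["note"])
    files = sum(len(f["renamed"]) for f in findings.values())
    return notes, files


def build_sample_tree(root):
    """Create a constructed sample tree (not real data) for the demo."""
    layout = {
        "docs": ["CYLANCE_README.txt", "report.docx.Cylance", "budget.xlsx.cylance"],
        "photos": ["CYLANCE_README.txt", "trip.jpg.Cylance"],
        "clean": ["notes.txt", "Cylance-whitepaper.pdf"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_tree(tmp)
        for path, info in sorted(result.items()):
            print(path, "note" if info["note"] else "no note", info["renamed"])
        print("notes, renamed files:", summarize(result))
```

The scan only reads directory listings, so it can be pointed at a read-only mount or forensic copy of an affected volume to size the damage and build a restore list.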
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block.
[Figure 8 Block message]
[Figure 9 Block message]