[Java ransomware]
[Virus/Malware Activity Report: Java Ransomware]
Following a security incident believed to involve Java ransomware,
we summarize the situation and issue the following warning.
Java Ransomware
The ransomware is called Java and appears to rename every file it encrypts by appending .java to the existing name and extension.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Ransomware execution using task schedule
The ransomware re-runs itself through Task Scheduler to obtain elevated privileges.
[Figure 3 Ransomware execution using task schedule]
Check and delete shadow copies
After encryption, the ransomware checks the shadow copies with the vssadmin command and deletes them through CMD, making it difficult for the user to recover files.
[Figure 4 Check shadow copy]
Infection results
The ransom note is left as FILES ENCRYPTED.txt in each path or shown through mshta.exe in the system32 folder, and encrypted files are renamed to <old name.old extension.java>.
[Figure 5 Infection result 1]
[Figure 6 Infection result 2]
[Figure 7 Infection result 3]
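The two file indicators described under Infection results (the FILES ENCRYPTED.txt note and the <old name.old extension.java> rename) can be checked against a file listing. The following is an added example, not part of the original report or of White Defender; the function names, verdict labels and sample paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "files encrypted.txt"   # ransom note name given in the report
MARKER_EXT = ".java"                # extension appended to encrypted files

def is_renamed(path: PureWindowsPath) -> bool:
    """True for <old name>.<old extension>.java; a plain Main.java does not match."""
    suffixes = [s.lower() for s in path.suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == MARKER_EXT

def triage(paths):
    """Group a file listing by folder and grade each folder against both indicators."""
    stats = defaultdict(lambda: {"renamed": 0, "note": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        folder = str(p.parent).lower()
        if p.name.lower() == NOTE_NAME:
            stats[folder]["note"] = True
        elif is_renamed(p):
            stats[folder]["renamed"] += 1
    result = {}
    for folder, s in stats.items():
        if s["note"] and s["renamed"]:
            # Note plus renamed files in the same folder: both indicators agree.
            result[folder] = "likely-encrypted"
        elif s["note"] or s["renamed"]:
            # One indicator only, e.g. a legitimate Parser.test.java source file.
            result[folder] = "review"
    return result

# Constructed sample listing (such as the output of `dir /s /b`), not data from the report.
SAMPLE = [
    r"C:\Users\kim\Documents\budget.xlsx.java",
    r"C:\Users\kim\Documents\contract.docx.java",
    r"C:\Users\kim\Documents\FILES ENCRYPTED.txt",
    r"C:\dev\app\src\Main.java",
    r"C:\dev\app\src\Parser.test.java",
    r"C:\Temp\FILES ENCRYPTED.txt",
]

if __name__ == "__main__":
    for folder, verdict in sorted(triage(SAMPLE).items()):
        print(f"{verdict:17} {folder}")
```

Folders graded "review" match only one indicator and need a manual look, since ordinary Java source trees can contain double-suffixed .java files.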
White Defender compatible
White Defender supports blocking the ransomware's malicious actions and real-time automatic restoration of the files targeted for encryption.
[Figure 8 Block message]
[Figure 9 Block message]
[Figure 10 Block message]