[ WIN ransomware ]
[Virus/Malware Activity Report: WIN Ransomware]
A security incident believed to involve WIN ransomware has occurred,
so we are confirming the situation and issuing the following warning.
WIN ransomware
The ransomware is called WIN. It appears to rename every file to its existing name and existing extension followed by id[unique ID].[technobit@keemail.me].WIN.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioral process
Turn off network firewall
The ransomware disables the firewall settings, leaving the system vulnerable to external threats.
[Figure 3 Disable network firewall]
Register startup program
The ransomware registers its executable file in the startup registry and the startup folder so that it runs automatically when Windows starts.
[Figure 4 Startup program registration]
Check and delete shadow copies
After encryption, the ransomware checks for shadow copies and deletes them using CMD commands to make the files difficult to recover.
[Figure 5 Checking and deleting shadow copies]
Infection results
Information files named info.txt / info.hta are created in each path, and each encrypted file is renamed to <existing name.existing extension id[unique ID].[technobit@keemail.me].WIN>.
[Figure 6 Infection result 1]
[Figure 7 Infection result 2]
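The infection results above can be turned into a file-listing triage check. The following is an added example, not code from the report or from White Defender: it matches the rename pattern and the info.txt / info.hta files, recovers the original file names and groups findings by directory. The function names, the sample paths and the sample ID are constructed, and the separator before "id[" and the ID format are assumptions because the page does not specify them.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rename pattern from the report: <existing name.existing extension> followed by
# id[unique ID].[technobit@keemail.me].WIN. Assumption: the separator before
# "id[" and the ID's character set are not given on the page, so both are loose.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+?)[. ]?id\[(?P<victim_id>[^\]]+)\]"
    r"\.\[(?P<contact>[^\]]+@[^\]]+)\]\.WIN$",
    re.IGNORECASE,
)
NOTE_NAMES = {"info.txt", "info.hta"}  # information files named in the report

def triage(paths):
    """Group indicators by directory: renamed files, information files, IDs."""
    report = defaultdict(lambda: {"encrypted": [], "notes": [], "ids": set()})
    for raw in paths:
        p = PureWindowsPath(raw)
        entry = report[str(p.parent)]
        m = ENCRYPTED_RE.match(p.name)
        if m:
            entry["encrypted"].append((p.name, m["original"]))
            entry["ids"].add(m["victim_id"])
        elif p.name.lower() in NOTE_NAMES:
            entry["notes"].append(p.name)
    # Keep only directories that show at least one indicator.
    return {d: e for d, e in report.items() if e["encrypted"] or e["notes"]}

def confidence(entry):
    """High when renamed files and an information file coexist in a directory;
    info.txt on its own is a common benign file name, so it rates low."""
    if entry["encrypted"] and entry["notes"]:
        return "high"
    return "medium" if entry["encrypted"] else "low"

# Constructed sample listing (paths and the ID are made up for illustration).
SAMPLE = [
    r"C:\Users\kim\Documents\budget.xlsx.id[1A2B3C4D-0001].[technobit@keemail.me].WIN",
    r"C:\Users\kim\Documents\notes.docx id[1A2B3C4D-0001].[technobit@keemail.me].WIN",
    r"C:\Users\kim\Documents\info.hta",
    r"C:\Tools\info.txt",
    r"C:\Users\kim\Pictures\cat.jpg",
    r"C:\Windows\System32\WIN.COM",
]

if __name__ == "__main__":
    for directory, entry in triage(SAMPLE).items():
        print(confidence(entry), directory, sorted(entry["ids"]), len(entry["encrypted"]))
```

Feeding it a recursive file listing from a suspect host or file share shows which directories were reached and whether more than one unique ID is present.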
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 7 Block message]
[Figure 8 Block message]
[Figure 9 Block message]