[Virus/malware activity reported: Rec_rans ransomware]

In response to a security breach believed to be in the form of Rec_rans ransomware, we would like to
confirm the situation and provide a warning as follows.

Rec_rans ransomware

The ransomware is called Rec_rans and appears to be changing all files with the existing name and existing extension.rec_rans.

How it works

file version

[Figure 1 File version]

[Figure 2 File properties]

behavioral process

• Deleting shadow copies

  To make it difficult to recover encrypted data, delete shadow copies using vssadmin.

  
  [Figure 3 Deleting shadow copies]

• Select attack target

  Since ransomware attacks including DRIVE_REMOTE(4) [network drives], damage may spread to other PCs if write permission exists on folders and files shared on the network.

  
  [Figure 4 Selection of attack target]

Infection results

The guide file unlock_here.txt is created in each path, and when encryption is in progress, the files are changed to <existing name.existing extension.rec_rans> and the desktop is changed upon completion.

[Figure 5 Infection result 1]

[Figure 6 Infection result 2]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 7 Block message]

[Figure 8 Block message]

[Figure 9 Block message]

[Figure 10 Block message]

Watch Rec_rans blocking video