[Yashma ransomware]
[Virus/malware activity reported: Yashma ransomware]
Following a reported breach believed to involve Yashma ransomware, we have confirmed the situation and issue the following warning.
Yashma ransomware
The ransomware in question is called Yashma and appears to rename every encrypted file to <existing name>.<existing extension>.<individual random value>.
How it works
File version
[Figure 1 File version]
[Figure 2 File properties]
Behavioural process
Re-executes from a new location and registers itself as a startup program
The sample copies itself from its initial execution location to the Roaming folder under the name svchost.exe, runs the copy, and then creates a shortcut (link file) to that executable in the Startup folder.
[Figure 3 Executable file copied to Roaming folder and contents of svchost.exe stored in internal variables]
[Figure 4 Link and internal processing code created in the startup program folder location]
Disabling Windows recovery, backup and security features
To hinder data recovery once encryption is complete, it runs cmd commands that delete shadow copies and disable Windows recovery-related features. On the server edition it also deletes the security catalog. It additionally issues stop commands to backup-related services and disables Task Manager.
[Figure 5 cmd commands stored internally]
[Figure 6 List of targets to stop services]
[Figure 7 Task Manager deactivation value and error window that appears when running Task Manager]
Attack target selection and exception handling
All drives are targeted, but certain folders under the system directory (C: drive) are excluded.
[Figure 8 Exception handled objects]
[Figure 9 Targeted extensions]
Infection results
An information file, read_it.txt, is created in each affected path. As encryption proceeds, files are renamed to <existing name>.<existing extension>.<individual random value>, and once encryption completes the desktop is changed.
[Figure 10 Infection results]
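As an added defensive example (not code from the original advisory), the following Python script takes a Windows file listing and flags the artifacts described above: read_it.txt notes, files renamed to <name>.<ext>.<random>, an svchost.exe copy under the Roaming folder, and a shortcut in the Startup folder. The random-suffix pattern and the sample paths are constructed assumptions, not values taken from the page.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumptions: the random suffix is a run of letters/digits (the advisory does
# not state its length or alphabet), and the note is named exactly read_it.txt.
RANDOM_SUFFIX = re.compile(r"^[A-Za-z0-9]{4,}$")
NOTE_NAME = "read_it.txt"

# Constructed sample listing for demonstration; not from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\read_it.txt",
    r"C:\Users\alice\Documents\report.docx.k7q2zx",
    r"C:\Users\alice\Documents\budget.xlsx.p9m4aa",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\AppData\Roaming\svchost.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk",
    r"C:\Windows\System32\svchost.exe",
]


def scan_paths(paths):
    """Group paths by directory and collect Yashma-style indicators."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].append(wp)

    findings = {"ransom_note_dirs": [], "renamed_files": [],
                "roaming_svchost": [], "startup_links": []}
    for directory, files in by_dir.items():
        has_note = NOTE_NAME in {f.name.lower() for f in files}
        if has_note:
            findings["ransom_note_dirs"].append(directory)
        for f in files:
            low = str(f).lower()
            parts = f.name.split(".")
            # Heuristic: only treat name.ext.random as encrypted when a ransom
            # note sits in the same directory, to limit false positives.
            if (has_note and f.name.lower() != NOTE_NAME and len(parts) >= 3
                    and RANDOM_SUFFIX.match(parts[-1])):
                findings["renamed_files"].append(str(f))
            # Legitimate svchost.exe lives in System32, not under Roaming.
            if f.name.lower() == "svchost.exe" and "\\appdata\\roaming\\" in low:
                findings["roaming_svchost"].append(str(f))
            if f.suffix.lower() == ".lnk" and "\\start menu\\programs\\startup\\" in low:
                findings["startup_links"].append(str(f))
    return findings


if __name__ == "__main__":
    for key, hits in scan_paths(SAMPLE_PATHS).items():
        print(key, hits)
```

On a live host, feed the function a listing produced by walking user profiles and data drives; each non-empty list is a lead worth correlating with the service-stop and Task Manager changes described above.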
White Defender response
White Defender blocks Yashma ransomware and automatically restores, in real time, any files that were encrypted before the malicious activity was blocked.
[Figure 11 Block message]