Ransomware Report


Title: Nuke Ransomware
Registration date: 2023-06-19
Views: 8219


[Virus/Malware Activity Report: Nuke Ransomware]

A breach believed to involve Nuke ransomware has been observed; we describe the situation and issue the following warning.

Nuke Ransomware

The ransomware is called Nuke. It encrypts both the file name and the extension, and every file appears to be renamed to its own random value.

How it works

File version


[Figure 1 File version]

Behavioral process

  • Deleting shadow copies

    After encrypting user data, the ransomware deletes the shadow copies to make recovery difficult.


    [Figure 2 Command to delete shadow copy using cmd]

  • Register ransom note in startup program

    When encryption is complete, the ransom note is registered under the user's Run key (startup programs) in the registry, so that the user is shown the note immediately after every reboot.


    [Figure 3 Command to register nuke_html in user’s Run (startup program)]


    [Figure 4 Values ​​created in the actual registry]

  • Change wallpaper

    The image binary embedded in the ransomware is written to the Nuclear55 folder under Roaming, the desktop wallpaper is changed by modifying the registry, and the previous wallpaper is saved to the system folder and backed up in the registry.


    [Figure 5 Desktop image creation command]



    [Figure 6 Command to register nuke_html in user’s Run (startup program)]



    [Figure 7 Actual modified value of desktop image]

  • Additional information

    Nuke is built in .NET and is obfuscated with Crypto Obfuscator For .Net, a commercial product from LogicNP.


    [Figure 8 Desktop image creation command]

Infection results

The ransom note is created in each directory as !!_RECOVERY_instructions_!!.txt and !!_RECOVERY_instructions_!!.html. While encryption is in progress, files are renamed to <encrypted name and extension>.nuclear55, and when encryption completes the desktop wallpaper is changed.


[Figure 9 Infection results]
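The behaviors listed above (shadow-copy deletion, the ransom note in the user's Run key, the wallpaper change through the registry, and the .nuclear55 extension from the infection results) are the observable artifacts a defender can alert on. The following is an added detection example, not code from Everyzone or from the report; the event records are constructed, and the exact shadow-copy deletion command lines (vssadmin / wmic forms) are assumed, since the report only shows that cmd was used.

```python
import re

# Constructed sample events (not from the report): simplified Sysmon-style
# process, registry and file records used only to exercise the rules.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "nuke_html",
     "data": r"C:\Users\alice\AppData\Roaming\Nuclear55\!!_RECOVERY_instructions_!!.html"},
    {"type": "registry", "key": r"HKCU\Control Panel\Desktop", "value": "Wallpaper",
     "data": r"C:\Users\alice\AppData\Roaming\Nuclear55\background.jpg"},
    {"type": "file", "path": r"C:\Users\alice\Documents\q3.xlsx.nuclear55"},
    {"type": "process", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Assumed command forms for shadow-copy deletion (the report shows only cmd use).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.I)
# Artifacts named in the report: Roaming\Nuclear55, the note file name, the nuke_html value.
NUKE_ARTIFACTS = re.compile(
    r"(\\Roaming\\Nuclear55\\|!!_RECOVERY_instructions_!!|\bnuke_html\b)", re.I)
ENCRYPTED_EXT = re.compile(r"\.nuclear55$", re.I)


def classify_event(ev):
    """Return the list of Nuke-related behaviors a single event matches."""
    hits = []
    t = ev.get("type")
    if t == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    elif t == "registry":
        key, value, data = ev.get("key", ""), ev.get("value", ""), ev.get("data", "")
        if RUN_KEY.search(key) and NUKE_ARTIFACTS.search(f"{value} {data}"):
            hits.append("run_key_ransom_note")
        if (key.lower().endswith(r"control panel\desktop")
                and value.lower() == "wallpaper" and NUKE_ARTIFACTS.search(data)):
            hits.append("wallpaper_change")
    elif t == "file" and ENCRYPTED_EXT.search(ev.get("path", "")):
        hits.append("encrypted_extension")
    return hits


def scan(events):
    """Map each behavior to the indices of the events that showed it."""
    found = {}
    for i, ev in enumerate(events):
        for h in classify_event(ev):
            found.setdefault(h, []).append(i)
    return found


if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for behavior, idx in result.items():
        print(f"{behavior}: events {idx}")
    if len(result) >= 3:  # several distinct behaviors together is a strong signal
        print("ALERT: multiple Nuke ransomware behaviors observed")
```

Any one rule alone may fire on benign administration (a backup job can legitimately delete shadow copies), so the combined count is what should drive an alert.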

White Defender response

White Defender blocks the ransomware and, in real time, automatically restores the files that would otherwise have been encrypted before the malicious action takes effect.


[Figure 10 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.