[KiRa ransomware]
[Virus/Malware Activity Report: KiRa Ransomware]
A security incident believed to involve KiRa ransomware has occurred,
so we are confirming the situation and issuing the following warning.
KiRa ransomware
The ransomware in question is called KiRa. It appears to change all files, giving them unique file names, extensions, and 4-digit individual values.
How it works
File version
[Figure 1 Ransomware compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
Move ransomware executable file and register startup program
When run for the first time, the ransomware copies itself to the %AppData% (Roaming) folder, runs the copy, and creates a shortcut (link file) to it in the startup program folder.
[Figure 3 Executable file copied to Roaming folder]
[Figure 4 Static code content that creates a ransomware link in the startup program]
[Figure 5 Actual link file created in startup program folder]
Disabling backup and security-related functions
It deletes shadow copies and backup catalogs to make files difficult to recover after encryption, and it disables the Windows restore function and error message output.
[Figure 6 Static code for shadow copy deletion and backup catalog deletion commands]
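One way to hunt for the two behaviours described above together (a copy run from the Roaming folder with a Startup shortcut, followed by recovery tampering), added here as an example and not taken from the report or from White Defender. The event field names, the sample events, and the command-line patterns are assumptions: the report shows the actual commands only as a figure, so the patterns use the standard Windows tools for each action.

```python
import re

# Command-line patterns for the tampering the report describes. Assumed from the
# standard Windows utilities; the report itself shows the commands only as a figure.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin\b.*\bdelete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I)),
    ("error_output_suppressed", re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]
# Executable sitting directly in Roaming (installed apps normally use a subfolder).
ROAMING_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
PERSISTENCE = {"exe_run_from_roaming", "startup_shortcut_created"}
TAMPER = {name for name, _ in RULES}

def classify(event):
    """Return the set of behaviour tags matched by one event dict."""
    tags = set()
    if event["type"] == "process_create":
        tags.update(name for name, rx in RULES if rx.search(event["cmdline"]))
        if ROAMING_EXE.search(event["image"]):
            tags.add("exe_run_from_roaming")
    elif event["type"] == "file_create" and STARTUP_LNK.search(event["path"]):
        tags.add("startup_shortcut_created")
    return tags

def triage(events):
    """Flag hosts that show BOTH persistence and recovery tampering."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(classify(ev))
    return {h: sorted(t) for h, t in per_host.items() if t & PERSISTENCE and t & TAMPER}

# Constructed sample events (not from the report): WS01 shows the full chain,
# WS02 only a benign Startup shortcut, SRV03 only an admin catalog cleanup.
SAMPLE = [
    {"host": "WS01", "type": "process_create", "image": r"C:\Users\u1\AppData\Roaming\sample.exe", "cmdline": "sample.exe"},
    {"host": "WS01", "type": "file_create", "path": r"C:\Users\u1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.lnk"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet"},
    {"host": "WS01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"},
    {"host": "WS02", "type": "file_create", "path": r"C:\Users\u2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"host": "SRV03", "type": "process_create", "image": r"C:\Windows\System32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Requiring both categories on the same host keeps routine backup maintenance and ordinary Startup shortcuts from alerting on their own.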
Infection results
Guide (ransom note) files are created in each path.
[Figure 7 Infection results]
White Defender compatible
White Defender blocks the ransomware before its malicious actions take effect and supports real-time automatic restoration of the files targeted for encryption.
[Figure 8 Block message]