[ Encoded ransomware ]
[Virus/Malware Activity Report: Encoded Ransomware]
A security incident believed to involve Encoded ransomware has occurred,
so we describe the situation and issue the following warning.
Encoded ransomware
The ransomware is called Encoded. It appears to rename every file it encrypts to <file name.extension.ENCODED>.
How it works
File version
[Figure 1 Compiler information of the ransomware, which is compressed with UPX]
[Figure 2 File information in window properties]
Ransomware operation characteristics
Executable compression and duplicate-execution check
The executable file is compressed with UPX and uses a mutex internally to prevent duplicate execution. It has been modified and is still used in attacks, but because it was first confirmed in the early part of the decade, its internal implementation is simpler than that of ransomware created today.
[Figure 3 Compressed executable file and unpacked file]
[Figure 4 Internal decompiled static code]
Infection results
A HOW TO DECRYPT FILES.txt file is created on the desktop. When encryption runs, the desktop is changed first, and then the files are renamed to <file name.extension.ENCODED>.
[Figure 7 Infection results]
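The two infection results above can be checked on a host with a short sweep. This is an added example, not code from the report or from White Defender; the `sweep` and `original_name` helpers and the `min_renamed` threshold are assumptions made for illustration.

```python
import os
import re
import sys
from collections import Counter

# Indicators taken from the report: the ransom note name and the appended extension.
NOTE_NAME = "how to decrypt files.txt"
# <file name.extension.ENCODED>: an original extension must precede .ENCODED.
RENAMED = re.compile(r"^.+\.[^.]+\.ENCODED$", re.IGNORECASE)


def sweep(root, min_renamed=3):
    """Walk root and collect ransom notes and renamed files.

    min_renamed is an assumed triage threshold, not a value from the report.
    """
    notes, renamed, skipped = [], [], []
    per_dir = Counter()
    # Unreadable directories are recorded instead of aborting the sweep.
    walker = os.walk(root, onerror=lambda err: skipped.append(err.filename))
    for dirpath, _dirs, files in walker:
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:  # Windows names are case-insensitive
                notes.append(path)
            elif RENAMED.match(name):
                renamed.append(path)
                per_dir[dirpath] += 1
    return {
        "notes": sorted(notes),
        "renamed": sorted(renamed),
        "per_dir": dict(per_dir),
        "skipped": skipped,
        # A note together with several renamed files is the strong signal;
        # either indicator alone still deserves a manual look.
        "likely_infected": bool(notes) and len(renamed) >= min_renamed,
    }


def original_name(path):
    """Return the pre-infection file name implied by a renamed file, or None."""
    name = os.path.basename(path)
    return name[: -len(".ENCODED")] if RENAMED.match(name) else None


if __name__ == "__main__":
    result = sweep(sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~"))
    for directory, count in sorted(result["per_dir"].items()):
        print(f"{count:6d} renamed files in {directory}")
    for note in result["notes"]:
        print("ransom note:", note)
    print("likely infected:", result["likely_infected"])
```

The per-directory counts show where encryption reached, which helps scope restoration from backup.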
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of the files that were about to be encrypted.
[Figure 8 Block message]