[ Invader ransomware ]
[Virus/Malware Activity Report: Invader Ransomware]
A security breach believed to involve a form of Invader ransomware has occurred.
We confirm the situation and provide the following warning.
Invader ransomware
The ransomware is called Invader and appears to rename every affected file to <file name.extension.invader>.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
Obfuscated executable and fixed key values
It was written in VB on .NET, and a commercially available obfuscation function was applied to make it difficult for others to see the internals. It does not attack additional drives, and only targets user libraries and OneDrive storage locations. Unlike ransomware that generates a random value and then transmits the key value to the attacker's server, it only stores the file contents it reads as a reversed Base64 value. There is no ransom note, and because a public domain is specified on the desktop, it seems likely that the attack targets a specific company rather than being distributed indiscriminately to general users.
[Figure 3 Internal code obfuscated (left) and after decryption (right)]
[Figure 4 Internally obfuscated static code]
[Figure 5 Static code attacking user libraries and OneDrive]
[Figure 6 Exception-handled extension and encryption static code]
[Figure 7 Because the content is saved as Base64, the hex values do not match a normal file format]
Infection results
There is no separate ransom note; the related content is shown on the changed desktop. When files are encrypted, they are renamed to <file name.extension.invader>.
[Figure 8 Infection results]
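The following is an added triage example for the behaviour described above, not code from this report or from the malware. It finds `*.invader` files, derives the original name, and checks whether the content decodes under two assumed readings of "reversed Base64". It assumes no further transformation is applied; the two readings, the signature list and the sample files are constructed for illustration.

```python
import base64
import binascii
import tempfile
from pathlib import Path

# Leading bytes of a few common formats, used to confirm a decode is plausible.
MAGIC = (b"%PDF-", b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

def _b64(text):
    """Strict Base64 decode; None when text is not valid Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def recover(stored):
    """Return (layout, original bytes), or None if neither assumed layout fits."""
    text = stored.strip()
    flipped, plain = _b64(text[::-1]), _b64(text)
    candidates = [
        # Assumption A: the Base64 string itself is stored back to front.
        ("reversed-text", flipped),
        # Assumption B: the file bytes are reversed, then Base64-encoded.
        ("reversed-bytes", plain[::-1] if plain else None),
    ]
    for layout, data in candidates:
        # Both layouts can decode cleanly, so require a known file signature.
        if data and data.startswith(MAGIC):
            return layout, data
    return None

def triage(root):
    """Map each *.invader file under root to (original name, layout or None)."""
    report = {}
    for path in sorted(Path(root).rglob("*.invader")):
        hit = recover(path.read_bytes())
        report[path.name] = (path.stem, hit[0] if hit else None)
    return report

def demo():
    """Triage constructed samples (not real malware output) in a temp dir."""
    pdf = b"%PDF-1.7\n% constructed sample, not real malware output\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "report.pdf.invader").write_bytes(base64.b64encode(pdf)[::-1])
        Path(d, "notes.txt.invader").write_bytes(b"not base64 at all!")
        return triage(d)

if __name__ == "__main__":
    print(demo())
```

A result of `None` means neither assumed layout produced a recognised file signature, so the file needs manual review. Run it against copies of the affected files, never the originals.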
White Defender compatible
White Defender's ransomware blocking stops the malicious actions before they proceed, and it supports real-time automatic restoration of the files that would be encrypted.
[Figure 9 Block message]