Ransomware Report


Title: IHA ransomware
Registration date: 2023-09-13


[Virus/Malware Activity Report: IHA Ransomware]

Following a security incident believed to involve IHA ransomware,
we confirm the situation and issue the following warning.

IHA ransomware

The ransomware in question is called IHA and appears to rename all files to the form file name.extension.IHA.

How it works

file version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • It was created based on VB .NET (C#) and is a variant of NoCry that keeps the same internal project name. Once executed, the ransomware copies itself to the startup program folder. It also applies techniques to prevent dynamic debugging: it checks for a debugger by comparing the parent handle with its own handle, checks for a specific sandbox debugging program by testing whether the Sandboxie DLL is loaded, checks for ANY.RUN through ip-api, and so on.


    [Figure 3 Project of static code using NoCry name]


    [Figure 4 Copy ransomware to startup program folder]


    [Figure 5 Static code with several prevention techniques against dynamic debugging]

Infection results

The desktop background is replaced, and the ransomware itself displays a note when encryption is complete. During encryption, files are renamed to <file name.extension.IHA>.


[Figure 4 Infection results]
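The two host-side traces described above (files renamed to <file name.extension.IHA> and an executable copied into the startup program folder) can be checked with a short triage script. This is an added example, not code from the report or from White Defender; the function names, the list of executable extensions and the assumption that the startup folder is a directory ending in Start Menu\Programs\Startup are choices made for the illustration.

```python
import os
import sys
from collections import Counter
from pathlib import Path

MARKER = ".iha"                        # extension appended per the report (compared case-insensitively)
EXEC_EXT = {".exe", ".scr", ".com"}    # assumption: file types worth reviewing in a startup folder
STARTUP_TAIL = ("start menu", "programs", "startup")  # assumption: Windows startup folder layout


def original_name(name):
    """Return the pre-encryption name for <file name.extension.IHA>, else None."""
    stem, ext = os.path.splitext(name)
    if ext.lower() != MARKER or not stem:
        return None
    return stem


def in_startup(path):
    """True when the file sits directly inside a ...\\Start Menu\\Programs\\Startup folder."""
    parts = tuple(p.lower() for p in Path(path).parent.parts)
    return parts[-3:] == STARTUP_TAIL


def triage(root):
    """Walk root and collect renamed files, startup executables and per-directory counts."""
    renamed, startup, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            orig = original_name(name)
            if orig is not None:
                renamed.append((full, orig))   # (current path, name before the rename)
                per_dir[dirpath] += 1
            elif in_startup(full) and os.path.splitext(name)[1].lower() in EXEC_EXT:
                startup.append(full)           # candidate persistence copy, needs manual review
    return {"renamed": renamed, "startup": startup, "per_dir": dict(per_dir)}


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, count in sorted(result["per_dir"].items(), key=lambda kv: -kv[1]):
        print(f"{count:6d} renamed file(s) in {directory}")
    for path in result["startup"]:
        print(f"startup executable to review: {path}")
```

Legitimate software also places executables in the startup folder, so the startup list is a set of items to review rather than a verdict.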

White Defender compatible

White Defender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that are encrypted before the block takes effect.


[Figure 5 Block message]
