[ Garticphone ransomware ]
[Virus/malware activity reported: Garticphone ransomware]
A security incident believed to involve the Garticphone ransomware has occurred; we have analysed the situation and issue the following warning.
Garticphone ransomware
The ransomware in question is called Garticphone and appears to rename every file it encrypts to <file name.extension.4 random digits>.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
It is built on .NET (C#) and operates in the same way as the Chaos ransomware family. After its first run it copies itself to the Roaming folder as svchost.exe and re-executes from there, and a .url shortcut pointing to that location is created in the Startup folder. On the C drive it attacks the library folders by default; every additional drive is scanned in full. To make recovery of the original files difficult, it uses cmd commands to delete shadow copies, disable Windows recovery mode and the program error notification window, and delete the Windows Server backup catalog.
[Figure 3 Ransomware file svchost.exe copied to Roaming folder]
[Figure 4 Static code for creating a shortcut URL in the startup program folder]
[Figure 5 Shortcut URL file created in the startup program folder]
[Figure 6 Unused startup program registry registration function that exists inside static code]
[Figure 7 Multiple restore prevention commands using the cmd command]
Infection results
The desktop wallpaper is changed, and a read_it.txt file is created in each folder. Encrypted files are renamed to <file name.extension.4 random digits>.
[Figure 8 Infection results]
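As an added example that is not part of this advisory or of White Defender, the behaviours described above (svchost.exe run from Roaming, a .url in the Startup folder, recovery-inhibiting cmd commands, read_it.txt and the 4-digit rename) can be turned into host-telemetry detection logic. The simplified log format, the user path, and the concrete vssadmin/wmic/bcdedit/wbadmin commands standing in for the advisory's "shadow copy / recovery mode / backup catalog" descriptions are my assumptions:

```python
import re

# Indicators from the advisory above. The concrete vssadmin/wmic/bcdedit/wbadmin
# commands are my assumption of what the described actions look like; the page does not quote them.
RECOVERY_INHIBIT = {
    "vssadmin": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "wmic": r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "bcdedit": r"bcdedit(\.exe)?\s.*recoveryenabled\s+no",
    "wbadmin": r"wbadmin(\.exe)?\s+delete\s+catalog",
}
FILE_INDICATORS = {  # svchost.exe legitimately lives only under the system directory
    "svchost_copied_to_roaming": r"\\AppData\\Roaming\\svchost\.exe$",
    "startup_url_persistence": r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$",
    "read_it_txt_dropped": r"\\read_it\.txt$",
    "encrypted_rename_4digit": r"\.[A-Za-z0-9]+\.\d{4}$",  # <name.ext.4 random digits>
}
PROCESS_LINE = re.compile(r"Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)")

def classify_event(line):
    """Indicator names for one 'FileCreate=<path>' or 'Image=<path> CommandLine=<cmd>' line (assumed format)."""
    if line.startswith("FileCreate="):
        path = line[len("FileCreate="):]
        return [name for name, pat in FILE_INDICATORS.items() if re.search(pat, path, re.I)]
    m = PROCESS_LINE.match(line)
    if m is None:
        return []
    hits = ["recovery_inhibition:" + tool for tool, pat in RECOVERY_INHIBIT.items()
            if re.search(pat, m["cmd"], re.I)]
    if re.search(FILE_INDICATORS["svchost_copied_to_roaming"], m["image"], re.I):
        hits.insert(0, "svchost_running_from_roaming")
    return hits

def scan(events):
    """Map each suspicious event line to its indicators, dropping benign lines."""
    return {e: hits for e in events if (hits := classify_event(e))}

# Constructed sample telemetry, not captured from a real infection.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
    r"FileCreate=C:\Users\alice\AppData\Roaming\svchost.exe",
    r"Image=C:\Users\alice\AppData\Roaming\svchost.exe CommandLine=svchost.exe",
    r"FileCreate=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c bcdedit /set {default} recoveryenabled no",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c wbadmin delete catalog -quiet",
    r"FileCreate=C:\Users\alice\Documents\report.docx.4821",
    r"FileCreate=C:\Users\alice\Documents\read_it.txt",
]
```

Only the first, legitimate svchost.exe line is dropped by `scan`; every other sample line yields at least one indicator, and a chain of several in a short window is the combination worth alerting on.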
White Defender compatible
White Defender blocks the Garticphone ransomware and, before its malicious actions take effect, automatically restores in real time the files that would otherwise have been encrypted.
[Figure 9 Block message]