Ransomware Report


Title: Analysis of RCRU64, a ransomware whose ransom demand increases over time
Registration date: 2022-08-04
Views: 18003

[RCRU64 ransomware]

[Virus/malware activity reported: RCRU64 ransomware]

An incident presumed to involve the RCRU64 ransomware has been reported. We have confirmed the sample's behaviour and issue the following warning.

How it works

File version

The sample was first uploaded to VirusTotal on 2022-05-18 15:13:30 UTC. The compile timestamp in the file header is 2022-05-05 03:42:23 and the file version is v14.20, the most recent build observed. The binary runs on Windows XP and later.


[Figure 1] RCRU64 ransomware timestamp and file version

Execution location

When the ransomware is executed, script files are created under “%SystemDrive%\Users\%username%\AppData”.


[Figure 2] Location where the script was created

Behavioral process

  • Registering a scheduled task


    [Figure 3] Registered task scheduler


    [Figure 4] Confirming operation repetition

    The scheduled task runs t2_svc.bat every 6 minutes. t2_svc.bat launches v9_svc.vbs, which in turn launches h4_svc.bat, so the whole chain is re-executed on every trigger. The original executable is also copied to the Startup folder so that it is launched again at each logon and the periodic execution continues.


    [Figure 5] Copy placed in the Startup folder so that execution continues

  • Enabling network sharing and disabling the firewall

    Network sharing is enabled and the Windows Firewall is disabled so that the infection can spread to other hosts on the network.


    [Figure 6] Network sharing, disabling firewall

  • Deleting shadow copies

    Volume shadow copies are deleted so that user data cannot be recovered from them.


    [Figure 7] Command to delete shadow copies to make recovery difficult

  • Disabling UAC

    User Account Control is also disabled through the registry so that no UAC prompt appears while the scheduled scripts run repeatedly.


    [Figure 8] Registry modification that disables User Account Control
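The persistence and defence-evasion steps above map directly onto detection logic. The following Python block is an added example written for this page, not code from the report or from Everyzone: it runs one rule per described behaviour over a handful of constructed process-creation events (pid, parent image, image, command line) and flags the script relay as a script host spawning another script host on a file under AppData. The report shows RCRU64's actual commands only in its figures, so the command lines, file paths, PIDs and the 10-minute interval threshold are assumptions; the rules use the standard Windows tools for each action (schtasks, netsh, net share, vssadmin/wmic, reg).

```python
import re
from collections import defaultdict

# Constructed process-creation events, "pid|parent_image|image|command_line".
# The report shows RCRU64's actual commands only in its figures, so these
# command lines are ASSUMED forms of the described behaviours built from the
# standard Windows tools for each action; paths, names and PIDs are made up.
SAMPLE_EVENTS = [
    "4012|explorer.exe|rcru64_sample.exe|rcru64_sample.exe",
    "4020|rcru64_sample.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 6 "
    "/tn t2_svc /tr C:\\Users\\victim\\AppData\\t2_svc.bat /f",
    "4031|cmd.exe|wscript.exe|wscript.exe C:\\Users\\victim\\AppData\\v9_svc.vbs",
    "4032|wscript.exe|cmd.exe|cmd.exe /c C:\\Users\\victim\\AppData\\h4_svc.bat",
    "4040|cmd.exe|netsh.exe|netsh advfirewall set allprofiles state off",
    "4041|cmd.exe|net.exe|net share C$=C:\\ /grant:everyone,full",
    "4050|cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "4060|cmd.exe|reg.exe|reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    "\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    "4070|explorer.exe|notepad.exe|notepad.exe C:\\Users\\victim\\notes.txt",
]

# One command-line pattern per behaviour described in the report.
COMMAND_RULES = {
    "scheduled_task_short_interval":
        re.compile(r"schtasks(\.exe)?\b.*/create\b.*/sc\s+minute\b.*/mo\s+(\d+)", re.I),
    "firewall_disabled":
        re.compile(r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                   r"|firewall\s+set\s+opmode\b.*disable)", re.I),
    "network_share_created":
        re.compile(r"\bnet(\.exe)?\s+share\s+\S+?=", re.I),
    "shadow_copies_deleted":
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "uac_disabled":
        re.compile(r"reg(\.exe)?\s+add\b.*Policies\\System\b.*/v\s+EnableLUA\b.*/d\s+0\b", re.I),
}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
APPDATA_SCRIPT = re.compile(r"appdata\\.*\.(bat|cmd|vbs)\b", re.I)
SHORT_INTERVAL_MINUTES = 10  # assumed threshold; the report's task fires every 6 minutes


def parse_event(line):
    pid, parent, image, cmdline = line.split("|", 3)
    return {"pid": int(pid), "parent": parent.lower(),
            "image": image.lower(), "cmdline": cmdline}


def is_script_chain(ev):
    """The t2_svc.bat -> v9_svc.vbs -> h4_svc.bat relay shows up as one script
    host spawning another on a script under AppData, whatever the file names."""
    return (ev["parent"] in SCRIPT_HOSTS and ev["image"] in SCRIPT_HOSTS
            and APPDATA_SCRIPT.search(ev["cmdline"]) is not None)


def detect(lines):
    """Map pid -> list of behaviour names matched by that process."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, pattern in COMMAND_RULES.items():
            m = pattern.search(ev["cmdline"])
            if m is None:
                continue
            # A scheduled task is only suspicious here if it fires very often.
            if name == "scheduled_task_short_interval" and int(m.group(2)) > SHORT_INTERVAL_MINUTES:
                continue
            hits[ev["pid"]].append(name)
        if is_script_chain(ev):
            hits[ev["pid"]].append("appdata_script_chain")
    return dict(hits)


def triggered_behaviours(lines):
    """Distinct behaviours seen across all events, sorted for reporting."""
    return sorted({name for names in detect(lines).values() for name in names})


if __name__ == "__main__":
    for pid, names in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

In practice the input would be Sysmon Event ID 1 or Security 4688 records with command-line auditing enabled. Any single rule fires on legitimate administration now and then; several of them from one process tree within minutes, together with the AppData script relay, is what distinguishes this chain.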

Infection results

A ransom note named Read_Me!_.txt is created in every folder, and each encrypted file is renamed to <original file name>.<extension>[ID=<random value>-Mail=FreedomTeam@mail.ee].<random value>.


[Figure 9] Ransom note


[Figure 10] Files in My Documents with the changed extension
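The rename pattern and the note file name above are enough to write a triage parser for an affected file system. The following Python block is an added example, not code from the report: it splits an encrypted file name back into the original name, victim ID, contact address and appended suffix, recovers the pre-encryption name for an inventory, and summarises a constructed directory listing. The file names, ID and suffix values in the sample are made up, and the parser assumes the ID part never contains the literal string "-Mail=".

```python
import ntpath
import re
from collections import Counter

# Rename pattern stated in the report:
#   <original name>.<extension>[ID=<random>-Mail=FreedomTeam@mail.ee].<random>
# Assumes the ID part does not itself contain the literal "-Mail=".
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\[ID=(?P<victim_id>.+?)-Mail=(?P<mail>[^\]]+)\]\.(?P<suffix>[^.\\/]+)$")
RANSOM_NOTE = "Read_Me!_.txt"

# Constructed directory listing; file names, ID and suffix values are made up.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\Read_Me!_.txt",
    r"C:\Users\victim\Documents\budget.xlsx[ID=7F3A9C21-Mail=FreedomTeam@mail.ee].kq2x",
    r"C:\Users\victim\Documents\thesis.docx[ID=7F3A9C21-Mail=FreedomTeam@mail.ee].kq2x",
    r"C:\Users\victim\Documents\scan.pdf",
    r"C:\Users\victim\Pictures\Read_Me!_.txt",
    r"C:\Users\victim\Pictures\trip.jpg[ID=7F3A9C21-Mail=FreedomTeam@mail.ee].kq2x",
]


def parse_encrypted_name(name):
    """Split an RCRU64-style file name into its parts, or None if it is not one."""
    m = ENCRYPTED_NAME.match(ntpath.basename(name))
    return m.groupdict() if m else None


def original_name(name):
    """Recover the pre-encryption file name (used to rebuild an inventory)."""
    parts = parse_encrypted_name(name)
    return parts["original"] if parts else None


def triage(listing):
    """Summarise a listing: how many files were encrypted, how many notes were
    dropped, which victim IDs and contact addresses appear, and what was left alone."""
    summary = {"encrypted": 0, "ransom_notes": 0, "victim_ids": Counter(),
               "mails": set(), "untouched": []}
    for path in listing:
        base = ntpath.basename(path)
        if base == RANSOM_NOTE:
            summary["ransom_notes"] += 1
            continue
        parts = parse_encrypted_name(base)
        if parts is None:
            summary["untouched"].append(path)
            continue
        summary["encrypted"] += 1
        summary["victim_ids"][parts["victim_id"]] += 1
        summary["mails"].add(parts["mail"])
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LISTING)
    print(f"encrypted={s['encrypted']} notes={s['ransom_notes']} ids={dict(s['victim_ids'])}")
    for path in SAMPLE_LISTING:
        print(path, "->", original_name(path))
```

More than one victim ID in a single listing usually means the host was hit from several infected machines or in several runs, which matters when scoping the incident; the untouched list shows which file types or folders the sample skipped.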

White Defender response

White Defender detection: White Defender blocks the ransomware's access to shadow copy data and automatically restores, in real time, any files that were encrypted before the process was blocked.


[Figure 11] White Defender detection log

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.