Ransomware Report

Title: NewWave Ransomware
Registration date: 2024-02-13
Views: 4707


[Virus/Malware Activity Report: NewWave Ransomware]

An intrusion believed to involve the NewWave ransomware has occurred, so we have confirmed the situation and issue the following warning.

NewWave Ransomware

The ransomware in question is called NewWave. It appears to rename every file it encrypts from filename.extension to filename.extension.newwave.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • It is built on .NET (VB) and is a variant of the Thanos ransomware family. Because it is obfuscated with SmartAssembly, the static code is difficult to read; the behaviour below was identified dynamically.
  • It runs commands to terminate processes tied to specific data and to disable services.
  • Among security products, it deletes Raccine's registry entries and scheduled tasks, and it enables network-sharing settings so that the damage can spread further.
  • It searches for and deletes shadow copies using PowerShell, and it deletes drive- and backup-related objects located in the root of each drive.
  • It places a link to the ransom note (a .txt file) in the Startup program folder.


    [Figure 3 Obfuscated static code]


    [Figure 4 Dynamic code for disabling and other commands for specific services]


    [Figure 5 Dynamic code for forced termination of a specific process]


    [Figure 6 Dynamic code for registry and schedule deletion of Raccine products]


    [Figure 7 Dynamic code that activates network sharing-related functions]


    [Figure 8 Dynamic code for searching and deleting shadow copies using Powershell]


    [Figure 9 Dynamic code that deletes specific files in the root of each driver]


    [Figure 10 Ransom note link created in startup program folder]

Infection results

The ransom note is created as <RESTORE_FILES_INFO.txt> in each directory, and each encrypted file is renamed to <filename.extension.newwave>.


[Figure 11 Infection results]
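As an added example (not Everyzone's code and not taken from the report), the Python script below turns the behaviours listed under "Ransomware operation characteristics" and the infection artifacts named under "Infection results" into two defender-side checks: one that matches process-creation log lines against the described behaviours (service disabling, process termination, Raccine removal, network-share enabling, PowerShell shadow-copy deletion), and one that walks a directory tree for files renamed to .newwave and for RESTORE_FILES_INFO.txt notes. The log format, the exact command-line shapes, the Raccine key and task names, and every sample line are constructed assumptions; the report only describes the behaviours and names the extension and note file.

```python
"""Defender-side triage for the NewWave behaviours described in the report.

Added example, not Everyzone's code. Two checks:
  1. scan_log_lines(): match process-creation log lines against the behaviours
     the report lists (service disabling, process kills, Raccine removal,
     network-share enabling, PowerShell shadow-copy deletion).
  2. scan_tree(): find the infection artifacts the report names
     (files renamed to *.newwave and RESTORE_FILES_INFO.txt notes).
"""
import os
import re
import tempfile

# Indicators quoted from the report.
ENCRYPTED_EXT = ".newwave"
RANSOM_NOTE = "RESTORE_FILES_INFO.txt"

# Command-line shapes for each behaviour. The report describes the behaviours
# but not the exact commands; these regexes are assumptions based on the usual
# Windows tooling for each action and should be tuned to your own telemetry.
BEHAVIOUR_PATTERNS = {
    "service_disable": re.compile(
        r"\bsc(\.exe)?\s+config\s+\S+\s+start=\s*disabled"
        r"|\bnet(\.exe)?\s+stop\s+\S+"
        r"|set-service\b.*-startuptype\s+disabled",
        re.IGNORECASE),
    "process_kill": re.compile(r"\btaskkill(\.exe)?\s+.*(/f\b|/im\b)", re.IGNORECASE),
    "raccine_removal": re.compile(
        r"(\breg(\.exe)?\s+delete|\bschtasks(\.exe)?\s+/delete|unregister-scheduledtask)"
        r".*raccine",
        re.IGNORECASE),
    "network_share_enable": re.compile(
        r"\bnet(\.exe)?\s+share\s+\S+=|LocalAccountTokenFilterPolicy", re.IGNORECASE),
    "shadow_copy_deletion": re.compile(
        r"win32_shadowcopy.*\.delete\("
        r"|\bvssadmin(\.exe)?\s+delete\s+shadows"
        r"|\bwmic(\.exe)?\s+shadowcopy\s+delete",
        re.IGNORECASE),
}

# Constructed process-creation log: timestamp|pid|image|command line.
# Names, PIDs and paths are invented for the demo; the Raccine key and task
# names are assumptions, not values taken from the report.
SAMPLE_LOG = [
    r"2024-02-13T10:00:01|1204|C:\Windows\System32\cmd.exe|cmd.exe /c sc config MSSQLSERVER start= disabled",
    r"2024-02-13T10:00:02|1210|C:\Windows\System32\taskkill.exe|taskkill /F /IM sqlservr.exe",
    r"2024-02-13T10:00:03|1216|C:\Windows\System32\reg.exe|reg delete HKLM\SOFTWARE\Raccine /f",
    r'2024-02-13T10:00:03|1218|C:\Windows\System32\schtasks.exe|schtasks /Delete /TN "Raccine Rules Updater" /F',
    r"2024-02-13T10:00:04|1222|C:\Windows\System32\net.exe|net share Data=C:\Data /grant:everyone,FULL",
    r'2024-02-13T10:00:05|1230|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"',
    r"2024-02-13T10:00:06|1240|C:\Windows\explorer.exe|explorer.exe",
]


def scan_log_lines(lines):
    """Return {behaviour: [1-based line numbers]} for lines whose command line matches."""
    hits = {name: [] for name in BEHAVIOUR_PATTERNS}
    for line_no, line in enumerate(lines, start=1):
        fields = line.split("|", 3)  # maxsplit keeps pipes inside the command line
        if len(fields) < 4:
            continue  # malformed record; skip rather than crash mid-triage
        cmdline = fields[3]
        for name, pattern in BEHAVIOUR_PATTERNS.items():
            if pattern.search(cmdline):
                hits[name].append(line_no)
    return hits


def risk_score(hits):
    """Number of distinct behaviours observed; several together indicate a pre-encryption chain."""
    return sum(1 for lines in hits.values() if lines)


def scan_tree(root):
    """Walk root and collect the artifacts the report names (.newwave files, ransom notes)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == RANSOM_NOTE:
                notes.append(path)
    return {"encrypted_files": sorted(encrypted), "ransom_notes": sorted(notes)}


def build_sample_tree():
    """Create a constructed directory mimicking the post-infection layout in the report."""
    root = tempfile.mkdtemp(prefix="newwave_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/report.docx.newwave", "Documents/RESTORE_FILES_INFO.txt",
                "RESTORE_FILES_INFO.txt", "readme.md"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    hits = scan_log_lines(SAMPLE_LOG)
    for name, lines in hits.items():
        print(f"{name}: lines {lines}")
    print("distinct behaviours:", risk_score(hits))
    print(scan_tree(build_sample_tree()))
```

The log check is deliberately per-behaviour rather than one combined rule: a single `net stop` or `taskkill` is routine on a server, but four or five of these behaviours from one process tree within seconds is the pre-encryption pattern the report describes, so `risk_score` counts distinct behaviours instead of raw matches. The file walk is a post-incident scoping aid; pair it with the block message and restoration features described in the report rather than relying on it alone.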

White Defender response

White Defender blocks the NewWave ransomware and supports real-time automatic restoration of any files encrypted before the malicious action was blocked.


[Figure 12 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.