Ransomware Report


Title: Slime ransomware
Registration date: 2024-03-27


[Virus/Malware Activity Report: Slime Ransomware]

A security incident believed to involve Slime ransomware has occurred,
so we are confirming the situation and issuing the following warning.

Slime ransomware

The ransomware in question is called Slime and appears to rename all files to the form <file name.extension.slime>.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • It is written in C# on .NET. It is a Chaos-family ransomware that, when executed, copies its executable file to the AppData folder and re-executes it. It creates a link to the ransomware executable in the startup programs folder within AppData and then proceeds with encryption. Among the internal code functions of the Chaos family, the recovery prevention functions (shadow copy/Windows recovery/backup catalog, etc.) are disabled and the contents of all drives except the C drive and the library folder of the user account are encrypted.


    [Figure 3 Dynamic code that creates a ransomware execution link in the startup program folder]


    [Figure 4 Ransomware link file created in startup program folder]


    [Figure 5 Dynamic code that creates a ransomware execution link in the startup program folder]


    [Figure 6 Dynamic code that creates a ransomware execution link in the startup program folder]

Infection results

A ransom note named <read_it.txt> is created in each path, and encrypted files are renamed to <file name.extension.slime>.


[Figure 5 Infection results]
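The behaviours described above (copy into AppData, link in the per-user startup folder, read_it.txt notes, files renamed to name.extension.slime) can be correlated per process chain in file-write telemetry. The following is an added detection sketch, not code from Everyzone or from the sample. It assumes events arrive as (process image, written path) pairs and that the re-executed process runs from the AppData copy; the `min_files` threshold and all sample paths are constructed for illustration.

```python
import ntpath
from collections import defaultdict

STARTUP = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
NOTE, SUFFIX = "read_it.txt", ".slime"   # names taken from the report

def classify(path):
    """Map one written path to a behaviour the report describes, else None."""
    p = path.lower()
    name = ntpath.basename(p)
    if STARTUP in p and name.endswith(".lnk"):
        return "startup_link"
    if "\\appdata\\" in p and name.endswith(".exe"):
        return "appdata_copy"
    if name == NOTE:
        return "ransom_note"
    # <file name.extension.slime>: an original extension precedes .slime
    if name.endswith(SUFFIX) and "." in name[:-len(SUFFIX)]:
        return "slime_rename"
    return None

def detect(events, min_files=3):
    """events: (process_image, written_path) pairs in time order; returns flagged chains."""
    root_of, seen, renamed = {}, defaultdict(set), defaultdict(int)
    for image, target in events:
        root = root_of.get(image.lower(), image.lower())
        kind = classify(target)
        if kind is None:
            continue
        if kind == "appdata_copy":       # follow the copy that gets re-executed
            root_of[target.lower()] = root
        renamed[root] += kind == "slime_rename"
        seen[root].add(kind)
    # Alert only when persistence and impact are seen in the same chain.
    return {r: sorted(k) for r, k in seen.items()
            if k & {"appdata_copy", "startup_link"}
            and "ransom_note" in k and renamed[r] >= min_files}

U = "C:\\Users\\kim"   # constructed sample events; every name here is made up
SAMPLE_EVENTS = [
    (U + r"\Downloads\sample.exe", U + r"\AppData\Roaming\dropped.exe"),
    (U + r"\AppData\Roaming\dropped.exe",
     U + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped.lnk"),
    (U + r"\AppData\Roaming\dropped.exe", r"D:\work\plan.docx.slime"),
    (U + r"\AppData\Roaming\dropped.exe", r"D:\work\costs.xlsx.slime"),
    (U + r"\AppData\Roaming\dropped.exe", U + r"\Documents\cv.pdf.slime"),
    (U + r"\AppData\Roaming\dropped.exe", r"D:\work\read_it.txt"),
    (r"C:\Program Files\Editor\editor.exe", r"D:\notes\read_it.txt"),   # benign
    (r"C:\Tools\setup.exe", U + r"\AppData\Local\App\app.exe"),          # benign
]
```

Calling `detect(SAMPLE_EVENTS)` returns only the chain rooted at `sample.exe`; the editor that writes a file named read_it.txt and the installer that drops an executable into AppData are not flagged, because neither shows both persistence and impact.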

White Defender compatible

White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.


[Figure 6 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong|Business registration number: 220-81-67981
Copyright ⓒEveryzone , Inc. All Rights Reserved.|