Ransomware Report


Title: LostInfo ransomware
Registration date: 2024-07-29


[Virus/Malware Activity Report: LostInfo Ransomware]

Following a breach believed to involve LostInfo ransomware,
we confirm the situation and issue the following warning.

LostInfo ransomware

The ransomware is called LostInfo and appears to rename every file it encrypts to the form filename.extension.{personalUUID}.lostinfo.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • LostInfo is a C++-based ransomware that checks for shadow copies through the IWbem (WMI) service interface. It keeps running in the background even after encryption is complete and has a hidden GUI. The GUI offers no decryption function and shows only information about the encrypted files, so the purpose of the attack appears to be for the hacker to check the contents after attacking a specific target, not a random target.


    [Figure 3 Checking shadow copies during dynamic operation]


    [Figure 4 GUI window creation during dynamic execution]


    [Figure 5 Showing the hidden GUI]

Infection results

An information file named <Restore.txt> is created in each folder, and each encrypted file is renamed to <file name.extension.{personalUUID}.lostinfo>.


[Figure 6 Infection results]
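A triage sketch for the infection results described above, added here as an example and not taken from this report or from White Defender: it scans a file listing for `<name>.<ext>.{personalUUID}.lostinfo` renames and `Restore.txt` files and groups the findings by folder. It assumes the personal UUID is a standard 8-4-4-4-12 hex value, with or without literal braces; the function name `triage` and the paths in `SAMPLE` are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: {personalUUID} is a standard 8-4-4-4-12 hex UUID, with or
# without literal braces. The report does not show a concrete value.
UUID = r"\{?(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?"
ENCRYPTED = re.compile(rf"^(?P<original>.+)\.{UUID}\.lostinfo$", re.IGNORECASE)
NOTE_NAME = "restore.txt"  # information file named in the report

# Constructed sample listing (not real indicators).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.{3f2b8c1e-9a4d-4e6f-8b21-0c5d7e9a1f34}.lostinfo",
    r"C:\Users\alice\Documents\Restore.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\cat.jpg.3F2B8C1E-9A4D-4E6F-8B21-0C5D7E9A1F34.LOSTINFO",
    r"C:\Tools\Restore.txt",    # note name alone: weak evidence
    r"C:\Tools\report.lostinfo",  # extension without UUID: not the pattern
]


def triage(paths):
    """Group LostInfo-style renames and Restore.txt files by folder."""
    folders = defaultdict(lambda: {"encrypted": [], "note": False})
    victim_ids = set()
    for raw in paths:
        p = PureWindowsPath(raw)  # parses Windows paths on any OS
        m = ENCRYPTED.match(p.name)
        if m:
            folders[str(p.parent)]["encrypted"].append(m.group("original"))
            victim_ids.add(m.group("uuid").lower())
        elif p.name.lower() == NOTE_NAME:
            folders[str(p.parent)]["note"] = True
    hit = {f: i for f, i in folders.items() if i["encrypted"]}
    return {
        # More than one ID may mean several runs or several hosts.
        "victim_ids": sorted(victim_ids),
        # Original file names recovered per affected folder.
        "confirmed": {f: sorted(i["encrypted"]) for f, i in hit.items()},
        # Renamed files but no note: encryption may have been interrupted.
        "missing_note": sorted(f for f, i in hit.items() if not i["note"]),
        # A Restore.txt with no renamed files: review manually.
        "note_only": sorted(f for f, i in folders.items()
                            if i["note"] and not i["encrypted"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "->", value)
```

Feed it the output of a recursive directory listing from the affected host or a mounted image; it reads names only and never opens the files.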

White Defender compatible

White Defender blocks the ransomware's malicious actions beforehand and supports real-time automatic restoration of the files it attempts to encrypt.


[Figure 7 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.