You can check the latest ransomware information.
[ Maga Ransomware ]
[ Virus/malicious code activity reported: Maga ransomware ]
We are aware of a security breach that is believed to be in the form of Maga ransomware. We would like to provide the following information and warnings regarding the situation.
Maga ransomware
The ransomware in question is called Encp and appears to rename all files to < file name.extension.id-8-digit private key.[MAGA24@cyberfear.com].MAGA >.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
It is a C++-based ransomware that checks for and terminates specific data-related services and processes. It then copies itself and the ransom note to specific locations (AppData folder / system folder / startup folder), registers itself in the startup-program registry so that it runs automatically when Windows starts, and deletes shadow copies so that the user cannot easily recover data once encryption is carried out.
[Figure 3 Dynamic code 1 to check specific services and processes]
[Figure 4 Dynamic code 2 to check specific services and processes]
[Figure 5 Contents registered in the startup program registry]
Infection results
A guide file is created in each folder under the name < mshta.exe / MAGA_info.txt >, and each encrypted file is renamed to < file name.extension.id-8-digit private key.[MAGA24@cyberfear.com].MAGA >. After encryption is complete, the txt note is run.
[Figure 6 Infection results]
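For triage, the naming pattern and note name described above can be matched against a file listing to find affected folders and recover original file names. The following is an added example, not code from White Defender or from the ransomware analysis; it assumes the 8-digit ID is alphanumeric, and the sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

NOTE_NAME = "maga_info.txt"  # ransom note name from the page, lower-cased
# <file name>.<extension>.id-<8-char ID>.[MAGA24@cyberfear.com].MAGA
# Assumption: the 8-digit ID consists of letters and digits only.
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]{8})"
    r"\.\[MAGA24@cyberfear\.com\]\.MAGA$",
    re.IGNORECASE,
)

def classify(path):
    """Return (kind, original_name, victim_id) for one file path."""
    name = PureWindowsPath(path).name
    if name.lower() == NOTE_NAME:
        return ("note", None, None)
    m = ENCRYPTED_RE.match(name)
    if m:
        return ("encrypted", m.group("original"), m.group("victim_id"))
    return ("other", None, None)

def triage(paths):
    """Summarise a listing: affected folders, IDs seen, names to restore."""
    folders, ids, restore, notes = Counter(), set(), [], []
    for p in paths:
        kind, original, victim_id = classify(p)
        if kind == "encrypted":
            folders[str(PureWindowsPath(p).parent)] += 1
            ids.add(victim_id)
            restore.append((p, original))
        elif kind == "note":
            notes.append(p)
    return {"folders": dict(folders), "ids": sorted(ids),
            "restore": restore, "notes": notes}

# Constructed sample listing (not taken from a real incident).
SAMPLE = [
    r"C:\Users\kim\Documents\report.docx.id-1A2B3C4D.[MAGA24@cyberfear.com].MAGA",
    r"C:\Users\kim\Documents\MAGA_info.txt",
    r"C:\Users\kim\Documents\budget.v2.xlsx.id-1A2B3C4D.[MAGA24@cyberfear.com].MAGA",
    r"C:\Users\kim\Pictures\photo.jpg",
    r"C:\Users\kim\Pictures\notes.id-12345.[MAGA24@cyberfear.com].MAGA",  # ID too short
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The input to triage() can be any list of paths, for example the output of `dir /s /b` saved from the affected host or a listing taken from a mounted disk image.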
White Defender Response
WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block took effect.
[Figure 7 Blocking Message]