Ransomware Report


Title: AESRT Ransomware
Registration date: 2025-11-18

[Virus/Malware Activity Reported: AESRT Ransomware]

We are aware of a security incident suspected to involve AESRT ransomware and are providing the following information and warning about it.

AESRT ransomware

The ransomware is called AESRT, and it appears to rename every file it encrypts to filename.extension.AESRT.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in Windows properties]

Ransomware behavior characteristics

  • The AESRT ransomware is written in C# (.NET). On initial execution it creates the C:\Program Files\Temp\AESRT folder and extracts a wallpaper image and a script. After execution, it hides its console window and scans removable USB drives, replacing any .exe files it finds with copies of itself so that it spreads like a worm. Upon infection, it deletes shadow copies using vssadmin and wmic, uses bcdedit to make the boot policy ignore failures, and removes the backup catalog using wbadmin to prevent system recovery.


    [Figure 3: Static code for deleting shadow copies and disabling Windows recovery features and error notifications]

    It disables Task Manager and UAC to prevent user intervention, and adds its own path to the "Winlogon\Userinit" registry value for persistence, so that it runs automatically at boot time.


    [Figure 4: Ransomware executable file registered in Winlogon registry]


    [Figure 5: Disabled Task Manager (Registry Edit)]
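
Detection logic for the behaviours listed above, added here as an example and not taken from the report or from the White Defender product: it matches process command lines and registry writes against the recovery-inhibition, persistence and lockout steps described. The command arguments, the `DisableTaskMgr` and `EnableLUA` value names, the event dictionary layout, the three-behaviour alert threshold and the placeholder path are assumptions, and the sample events are constructed.

```python
import re

CMD_RULES = {  # typical command forms (assumed, not read from the AESRT sample)
    "vss_delete_vssadmin": r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    "vss_delete_wmic": r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b",
    "bcdedit_ignore_failures": r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "backup_catalog_delete": r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b",
}
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"\microsoft\windows\currentversion\policies\system"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

def userinit_tampered(data):
    # Windows ships "C:\Windows\system32\userinit.exe,"; any other entry also runs at logon.
    entries = [e.strip().lower() for e in data.split(",") if e.strip()]
    return any(e != DEFAULT_USERINIT for e in entries)

REG_RULES = [  # (rule name, key suffix, value name, predicate on the written data)
    ("winlogon_userinit_persistence", WINLOGON, "userinit", userinit_tampered),
    ("task_manager_disabled", POLICIES, "disabletaskmgr", lambda d: d.strip() == "1"),
    ("uac_disabled", POLICIES, "enablelua", lambda d: d.strip() == "0"),
]

def classify(event):
    """Return the names of the rules that one event matches."""
    if event["type"] == "process":
        return [n for n, rx in CMD_RULES.items() if re.search(rx, event["cmdline"], re.I)]
    key, value = event["key"].lower(), event["value"].lower()
    return [n for n, suffix, v, bad in REG_RULES
            if key.endswith(suffix) and value == v and bad(event["data"])]

def host_verdict(events, threshold=3):
    """Alert when one host shows at least `threshold` distinct behaviours."""
    seen = sorted({name for ev in events for name in classify(ev)})
    return seen, len(seen) >= threshold

# Constructed sample events (not captured from an infected host).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"type": "process", "cmdline": r"wmic shadowcopy delete"},
    {"type": "process", "cmdline": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "process", "cmdline": r"wbadmin delete catalog -quiet"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,C:\Example\placeholder.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "DisableTaskMgr", "data": "1"},
]
if __name__ == "__main__":
    print(host_verdict(SAMPLE_EVENTS))
```

Counting distinct behaviours per host keeps a single administrative use of one of these tools from raising an alert on its own.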

Infection results

After encryption is complete, the ransomware displays its ransom note (guide file), and each encrypted file is renamed to <filename.extension.AESRT>.


[Figure 6 Infection Results]

White Defender response

White Defender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block.


[Figure 7 White Defender Response]
