VND Techs are now offering Crypto Locker Virus Decrypt

For this reason, we recommend that you use the No More Ransom Project; this is where identifying the ransomware infection is useful.

Bitdefender has a free cryptolocker tool to defend against these ransomware attacks.

IMPORTANT Make sure you remove the malware from.

Modus Operandi of the TargetCompany Ransomware

When executed, the ransomware does some actions to ease its own malicious work:

- Assigns the SeTakeOwnershipPrivilege and SeDebugPrivilege for its process.
- Deletes special file execution options for tools like vssadmin.exe, wmic.exe, wbadmin.exe, bcdedit.exe, powershell.exe, diskshadow.exe, net.exe and taskkil.exe.
- Removes shadow copies on all drives using this command:
  %windir%\sysnative\vssadmin.exe delete shadows /all /quiet
  bcdedit /set recoveryenabled no
- Kills some processes that may hold open valuable files, such as databases:

[Figure: List of processes killed by the TargetCompany ransomware]

After these preparations, the ransomware gets the mask of all logical drives in the system using the GetLogicalDrives() Win32 API. Each drive is checked for the drive type by GetDriveType(). If that drive is valid (fixed, removable or network), the encryption of the drive proceeds.

First, every drive is populated with the ransom note file (named RECOVERY INFORMATION.txt). When this task is complete, the actual encryption begins.

To keep the infected PC working, TargetCompany avoids encrypting certain folders and file types:

[Figure: List of folders avoided by the TargetCompany ransomware]

[Figure: List of file types avoided by the TargetCompany ransomware]

The ransomware generates an encryption key for each file (0x28 bytes). This key splits into a ChaCha20 encryption key (0x20 bytes) and a nonce (0x08 bytes). After the file is encrypted, the key is protected by a combination of Curve25519 elliptic curve and AES-128 and appended to the end of the file. The scheme below illustrates the file encryption.

[Figure: file encryption scheme]
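The two recovery-inhibiting command lines quoted on this page (vssadmin delete shadows and bcdedit recoveryenabled no) are a practical detection point in process-creation logs. The following is an added example, not code from the original page or from any vendor tool; the event fields (host, pid, cmdline) and the sample events are constructed for illustration.

```python
import re

# (image name, adjacent argument pair that must appear, label).
# Covers only the command forms quoted on this page.
RULES = [
    ("vssadmin", ("delete", "shadows"), "shadow-copy deletion"),
    ("bcdedit", ("recoveryenabled", "no"), "boot recovery disabled"),
]

def _tokens(cmdline):
    # Drop quotes, lowercase, collapse whitespace so wrappers such as
    # cmd.exe /c "..." and mixed-case variants tokenise the same way.
    return cmdline.replace('"', " ").lower().split()

def _image(token):
    # Strip any directory (%windir%\sysnative\, C:\Windows\System32\) and ".exe".
    name = re.split(r"[\\/]", token)[-1]
    return name[:-4] if name.endswith(".exe") else name

def classify(cmdline):
    """Return the rule label if the command line matches a rule, else None."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        for image, pair, label in RULES:
            if _image(tok) != image:
                continue
            args = toks[i + 1:]
            if pair in zip(args, args[1:]):  # the pair must be adjacent
                return label
    return None

def scan(events):
    """Return (host, pid, label) for each matching process-creation event."""
    return [(e["host"], e["pid"], lbl) for e in events
            if (lbl := classify(e["cmdline"]))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "pid": 4120,
     "cmdline": r"%windir%\sysnative\vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "pid": 4188, "cmdline": "bcdedit /set recoveryenabled no"},
    {"host": "ws-02", "pid": 911,
     "cmdline": r'cmd.exe /c "C:\Windows\System32\VSSADMIN.EXE  Delete Shadows /All"'},
    {"host": "ws-03", "pid": 77, "cmdline": "vssadmin list shadows"},
    {"host": "ws-03", "pid": 79, "cmdline": "bcdedit /set recoveryenabled yes"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Benign look-alikes such as vssadmin list shadows or recoveryenabled yes are not flagged, because the rule requires the exact adjacent argument pair.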