Once a PC is infected, recovery is troublesome and takes considerable effort to restore the system to its original state, so general users need to be careful when browsing the internet.
Financially motivated malware that uses a variety of techniques is prevalent these days, and it can cause many kinds of damage.
2. Distribution path and symptoms of infection
This malicious file has been spread all over the world. Although no visible damage has been reported in South Korea so far, the file can infect PCs anywhere and shows the same screen wherever it runs.
Ransomware can be spread through downloads from relatively vulnerable web sites that have been tampered with. Besides e-mail attachments, instant messengers and links posted on SNS can also serve as distribution routes.
The downloaded file is disguised as a video file.
General users can easily be deceived by this social engineering technique.
* Comparison of the MBR before and after infection
Earlier ransomware of this kind overwrote the original MBR with a modified one once it infected the system. The recently found ransomware, however, does not modify the MBR, unlike the previous versions.
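Whether the MBR was actually modified is something a responder can check rather than take on trust. The script below is an added example, not code from the original post or from INCA Internet: it parses a 512-byte MBR image (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature) and reports which regions differ between a known-good copy and the current one. The two MBR images and the boot-code bytes are constructed for illustration; the `\\.\PhysicalDrive0` path in `read_physical_mbr` is an assumption for the first disk on a Windows system and needs Administrator rights.

```python
"""Added example (not from the original post): parse a 512-byte MBR and
compare the current copy against a known-good baseline, so that a claim
such as "the MBR area was destroyed" can be verified instead of believed.
All sample data below is constructed for illustration."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511


def parse_mbr(data: bytes) -> dict:
    """Split an MBR image into bootstrap-code hash, partition table and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": data[510:512] == SIGNATURE,
    }


def compare_mbr(before: bytes, after: bytes) -> list:
    """Return the names of the MBR regions that differ between two images."""
    old, new = parse_mbr(before), parse_mbr(after)
    changes = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        changes.append("boot_code")
    for o, n in zip(old["partitions"], new["partitions"]):
        if o != n:
            changes.append(f"partition_{o['index']}")
    if old["signature_ok"] != new["signature_ok"]:
        changes.append("signature")
    return changes


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal MBR image (illustrative data, not read from a real disk)."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # one bootable partition of type 0x07 starting at LBA 2048 with 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot + table + SIGNATURE


# Constructed baseline: a few bytes resembling a normal boot-code prologue.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Constructed "infected" copy: boot code replaced, partition table left intact.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"PAY_TO_UNLOCK")


def read_physical_mbr(path=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (Administrator required); path is an assumed default."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print("clean vs clean   :", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

In practice the baseline is a copy of the MBR saved while the machine was known to be clean (for example from a backup image); if `compare_mbr` reports no changes, the lock screen's claim about the MBR is false and the partition table can still be booted once the malicious file itself is removed.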
A "System exit" window can appear when the downloaded malicious file is executed.
* System Exit status
This system exit is caused by a certain function that accesses kernel mode.
The following figure shows the structure.
The PC is rebooted 3 seconds after the system exit window is shown. All the user can do is watch.
Then a window asking for a certain code is opened.
The user can only type into the text field and cannot use the rest of the window. To use the PC normally, a valid code is required, which is promised only after sending a certain amount of money to this Russian cellphone number (9872701688).
3. How to prevent
The ransomware tells the user false information such as "All data is encrypted" or "The MBR area has been destroyed."
Users in a company, or those who urgently need their PC, may simply follow the instructions and send the money.
Given its malicious features, various variants may emerge. To keep a PC safe from security threats such as these malicious attachments, we recommend the following "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and removal of malicious files such as the one described above with nProtect Anti-Virus/Spyware, and operates a response system against various security threats.