This Trojan.Ransomcrypt.D (http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2) is the variant.
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516
It uses the Microsoft Encrypting File System (EFS) against you.
The Encrypting File System: http://technet.microsoft.com/en-us/library/cc700811.aspx
CIPHER commands. http://ss64.com/nt/cipher.html
Encrypting and decrypting from the command line. You can use the cipher command to encrypt and decrypt data at the command line, in individual directories or in batches.
http://www.techrepublic.com/article/use-cipherexe-for-command-line-encryption/
Cipher.exe Security Tool for the Encrypting File System. http://support.microsoft.com/kb/298009
Allows a user or administrator to display or alter the encryption of files. In addition to encrypting or decrypting a file or folder, Cipher can be used to update the file encryption keys or the keys of the data recovery agent (DRA) should there be a change in the data recovery policy. http://technet.microsoft.com/en-us/library/cc736602(v=ws.10).aspx
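A read-only way to see what EFS has touched in a profile, as an added example that is not part of the original post or of any of the linked articles. The $ProfileRoot parameter, the top-20 cut-off and the five-file sample are assumptions of this sketch; it needs PowerShell 3.0 or later.

```powershell
# Added example: inventory EFS state for one user profile. Nothing is modified.
param(
    # Assumption: scan the profile of the user running the script.
    [string]$ProfileRoot = $env:USERPROFILE
)

# 1. Files carrying the NTFS "Encrypted" attribute, which EFS sets.
#    -Force includes hidden and system files.
$encrypted = Get-ChildItem -LiteralPath $ProfileRoot -Recurse -File -Force `
                 -Attributes Encrypted -ErrorAction SilentlyContinue

"EFS-encrypted files under ${ProfileRoot}: $(@($encrypted).Count)"

# Directories with the most encrypted files first; a sudden cluster in
# document folders is what an unwanted bulk encryption looks like.
$encrypted |
    Group-Object DirectoryName |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# 2. RSA key container files, the location the paths listed above point to.
#    %APPDATA% is "%UserProfile%\Application Data" on XP/2003 and
#    "%UserProfile%\AppData\Roaming" on Vista and later.
$rsaDir = Join-Path $env:APPDATA 'Microsoft\Crypto\RSA'
if (Test-Path -LiteralPath $rsaDir) {
    # Creation times let you line key files up against the time the
    # encrypted files first appeared.
    Get-ChildItem -LiteralPath $rsaDir -Recurse -File -Force -ErrorAction SilentlyContinue |
        Sort-Object CreationTimeUtc |
        Select-Object CreationTimeUtc, Length, FullName |
        Format-Table -AutoSize
}

# 3. For a small sample, ask cipher.exe which users and recovery agents can
#    decrypt each file (/c is available on Vista and later).
$encrypted | Select-Object -First 5 | ForEach-Object {
    & cipher.exe /c $_.FullName
}

# To list encrypted files on all local drives without updating any keys:
#   cipher /u /n
```

Copy the key container files and any exported certificates somewhere safe before cleaning the machine: EFS-encrypted files can only be opened with the private key of the user (or recovery agent) they were encrypted for.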
via Bleeping Computer Last 20 Posts http://www.bleepingcomputer.com/forums/t/501540/ransomcrypt-dirtydecryptexe-uses-efs/