Analysis by: Cris Nowell Pantanilla

 PLATFORM:

Windows

 OVERALL RISK RATING:
 REPORTED INFECTION:

  • Threat Type: Ransomware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

This Ransomware arrives as a component bundled with malware/grayware packages. It may be manually installed by a user.

  TECHNICAL DETAILS

File Size: 34,950 bytes
File Type: Script
Memory Resident: No
Initial Samples Received Date: 13 Apr 2017
Payload: Modifies files

Arrival Details

This Ransomware arrives as a component bundled with malware/grayware packages.

It may be manually installed by a user.

NOTES:

This ransomware comes bundled with a compromised PL/SQL Developer installer. Once the user connects to a database, the code in the login script "AfterConnect.sql" is executed.

It checks whether the database creation date is more than 1200 days in the past. If so, it creates a backup of the data and then deletes the data.

It displays the following message when an affected database is accessed:

Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address {BLOCKED}1FXMB2g8JxBVF5T4Aw1Z5JaZ6vrSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
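As an added defensive check that is not part of this Trend Micro entry, the following Python audits a PL/SQL Developer login script (such as the AfterConnect.sql named above) for the three behaviours described: the ransom note text, the 1200-day creation-date check, and a backup followed by a destructive statement. The regular expressions and both sample scripts are constructed assumptions, not the malware's own code.

```python
import re

# Indicators taken from the description above. The pattern wording and the
# sample scripts below are constructed for this check, not the malware's code.
RANSOM_NOTE_MARKERS = ("sql rush team", "sqlrush@mail.com")
AGE_CHECK_RE = re.compile(r"\b(sysdate|created)\b.*?\b1200\b", re.IGNORECASE | re.DOTALL)
BACKUP_RE = re.compile(r"\bcreate\s+table\b.*?\bas\s+select\b", re.IGNORECASE | re.DOTALL)
DESTROY_RE = re.compile(r"\b(truncate\s+table|drop\s+table|delete\s+from)\b", re.IGNORECASE)


def audit_login_script(script_text: str) -> dict:
    """Flag a PL/SQL Developer login script that shows the behaviour
    described for Ransom_RUSHQL.A. Returns one boolean per indicator."""
    lowered = script_text.lower()
    backup = BACKUP_RE.search(script_text)
    findings = {
        "ransom_note": any(marker in lowered for marker in RANSOM_NOTE_MARKERS),
        "creation_age_check": AGE_CHECK_RE.search(script_text) is not None,
        # A backup followed, later in the script, by a destructive statement.
        "backup_then_delete": backup is not None
        and DESTROY_RE.search(script_text, backup.end()) is not None,
    }
    findings["suspicious"] = findings["ransom_note"] or (
        findings["creation_age_check"] and findings["backup_then_delete"]
    )
    return findings


# Constructed sample: a harmless login script that only sets a session default.
BENIGN_SCRIPT = """ALTER SESSION SET NLS_DATE_FORMAT = 'YYYY-MM-DD';"""

# Constructed sample modelled on the behaviour described above (toy, not the real script).
SUSPECT_SCRIPT = """DECLARE age NUMBER;
BEGIN
  SELECT SYSDATE - created INTO age FROM v$database;
  IF age > 1200 THEN
    EXECUTE IMMEDIATE 'CREATE TABLE bak_orders AS SELECT * FROM orders';
    EXECUTE IMMEDIATE 'TRUNCATE TABLE orders';
    RAISE_APPLICATION_ERROR(-20000, 'Hi buddy, your database was hacked by SQL RUSH Team');
  END IF;
END;
/"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_SCRIPT), ("suspect", SUSPECT_SCRIPT)):
        print(name, audit_login_script(text))
```

Run it against the login-script files of each PL/SQL Developer installation; a hit on any indicator warrants comparing the installer against a vendor-supplied copy.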

  SOLUTION

Minimum Scan Engine: 9.850

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product to delete files detected as Ransom_RUSHQL.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 3

Restore encrypted files from backup.
