Ransom.Win32.SODINOKIBI.THGAOAIA

2019年8月16日

解析者: Warren Adam Sto. Tomas

別名:

Trojan-Ransom.Sodinokibi (Ikarus)

プラットフォーム:

Windows

危険度:

ダメージ度:

感染力:

感染確認数:

情報漏えい:

マルウェアタイプ:
身代金要求型不正プログラム（ランサムウェア）
破壊活動の有無:
なし
暗号化:
はい
感染報告の有無 :
はい

概要

感染経路インターネットからのダウンロード, 他のマルウェアからの作成

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

詳細

ファイルサイズ 163,840 bytes

タイプ EXE

メモリ常駐なし

発見日 2019年5月30日

ペイロード画像の表示, プロセスの強制終了, 情報収集, URLまたはIPアドレスに接続, メッセージボックスの表示, ファイルの暗号化

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のファイルを作成します。

{encrypted folder}\{random characters}.lock -> marker for encrypted folders
%User Temp%\{random characters}.bmp -> ransom wallpaper
{encrypted folder}\{appended ransom extension}-readme.txt -> ransom note

(註：%User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。)

マルウェアは、以下のプロセスを追加します。

vssadmin.exe Delete Shadows /All /Quiet -> deletes shadow copies
bcdedit /set {default} recoveryenabled No -> disables startup repair
bcdedit /set {default} bootstatuspolicy ignoreallfailures -> disables windows error recovery

マルウェアは、以下の Mutex を作成し、メモリ上で自身の重複実行を避けます。

Global\D382D713-AA87-457D-DDD3-C3DDD8DFBC96

他のシステム変更

マルウェアは、以下のレジストリキーを追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\recfg

マルウェアは、インストールの過程で、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
pk_key = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
sk_key = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
0_key = {hex values}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
rnd_ext = {appended ransom extension}

HKEY_LOCAL_MACHINE\SOFTWARE\recfg
stat = {hex values}

マルウェアは、コンピュータのデスクトップの壁紙に以下の画像を設定します。

プロセスの終了

マルウェアは、感染コンピュータ上で以下のプロセスが常駐されていることを確認した場合、そのプロセスを終了します。

mysql.exe

情報漏えい

マルウェアは、以下の情報を収集します。

Computer name
User name
Workgroup
Processor
Operating System
System Architecture

情報収集

マルウェアは、HTTPポスト

{BLOCKED}stdelray.com

{BLOCKED}s.com

{BLOCKED}ndsight.info

{BLOCKED}bs.com

{BLOCKED}pt.com

{BLOCKED}ors.com

{BLOCKED}entuan.com

{BLOCKED}r.com

{BLOCKED}enartwalk.org

{BLOCKED}ov.com

{BLOCKED}uppe.ch

{BLOCKED}rime.com

{BLOCKED}abalhos.com

{BLOCKED}emmobil.com.tr

{BLOCKED}mputers.com

{BLOCKED}shstudio.co.uk

{BLOCKED}terroristw

{BLOCKED}consultingcompany.com

{BLOCKED}le.org

{BLOCKED}a.info

{BLOCKED}ign.com

{BLOCKED}um.com

{BLOCKED}edeyecare.com

{BLOCKED}ed-removals.co.uk

{BLOCKED}e-refle.com

{BLOCKED}a.com

{BLOCKED}rejserallinclusive.dk

{BLOCKED}emsehondenschool.be

{BLOCKED}assemble.fr

{BLOCKED}who-aixenprovence.fr

{BLOCKED}twentytwenty.com

{BLOCKED}collectivites.com

{BLOCKED}rm.dk

{BLOCKED}rismocastagneto.it

{BLOCKED}oftladders.co.uk

{BLOCKED}ge.com

{BLOCKED}ublishing.co.uk

{BLOCKED}viceunlimited.com

{BLOCKED}ourbarrier.com

{BLOCKED}gofis.com

{BLOCKED}riskcenter.se

{BLOCKED}-safaris.com

{BLOCKED}aroofingllc.com

{BLOCKED}remote.com

{BLOCKED}kniksipil.com

{BLOCKED}aner.fr

{BLOCKED}e.com

{BLOCKED}e.co

{BLOCKED}nzel.de

{BLOCKED}unindo.com

{BLOCKED}entalcare.com

{BLOCKED}necampaign.com

{BLOCKED}srassismus-entknoten.de

{BLOCKED}dwifery.com

{BLOCKED}us.com

{BLOCKED}berie.com

{BLOCKED}deboise.com

{BLOCKED}ntatto.net

{BLOCKED}dc.com

{BLOCKED}o.net.au

{BLOCKED}lecompte.wordpress.com

{BLOCKED}llezaysalud.com

{BLOCKED}zac.com

{BLOCKED}or.com

{BLOCKED}attswisswatches.ch

{BLOCKED}luchesi.it

{BLOCKED}skildegaard.dk

{BLOCKED}yezstripclub.com

{BLOCKED}ka-schwarz.com

{BLOCKED}mirrorus.com

{BLOCKED}food-online.de

{BLOCKED}ion-pro.co.uk

{BLOCKED}sregisteret.no

{BLOCKED}mus.com

{BLOCKED}a.it

{BLOCKED}cademy.it

{BLOCKED}a.ac

{BLOCKED}sta.de

{BLOCKED}erpension.com

{BLOCKED}conseils.fr

{BLOCKED}eck.co.za

{BLOCKED}nmice.com

{BLOCKED}i.eus

{BLOCKED}gcleaningnyc.com

{BLOCKED}e.pl

{BLOCKED}apitalforvaltning.dk

{BLOCKED}k.nl

{BLOCKED}tgallery.jp

{BLOCKED}ffing.com

{BLOCKED}g.fr

{BLOCKED}raphic.com

{BLOCKED}rkomon.com

{BLOCKED}a.nl

{BLOCKED}up.it

{BLOCKED}ves-sur-vareze.fr

{BLOCKED}praxisklinik-rostock.de

{BLOCKED}pel.ro

{BLOCKED}amlast.de

avis.{BLOCKED}a.it

{BLOCKED}ninthedesert.com

{BLOCKED}ss163.ru:443

{BLOCKED}log.de

{BLOCKED}hauri.com

{BLOCKED}pain.com

{BLOCKED}love.org:443

{BLOCKED}spiritualtamara.com

{BLOCKED}ycanas.com

{BLOCKED}s.com

{BLOCKED}erwork.eu

{BLOCKED}b.ch

{BLOCKED}tting-hk.helpergo.co

{BLOCKED}lics.in

{BLOCKED}flot.ru

{BLOCKED}a.ac

{BLOCKED}a.sk

{BLOCKED}ismyyoga.com

{BLOCKED}rl.co.za

{BLOCKED}mbak.com

{BLOCKED}tdistinctives.org

{BLOCKED}amcfadyenjewelry.com

{BLOCKED}entistry.com

{BLOCKED}nancialservices.com

{BLOCKED}ienden.nl

{BLOCKED}reelite.com

{BLOCKED}toirs.org

{BLOCKED}s.info

{BLOCKED}y.com

{BLOCKED}ivingschool.com.au

{BLOCKED}-traveller.com

{BLOCKED}a.af

{BLOCKED}iniacademy.org

{BLOCKED}oripa.be

{BLOCKED}iz.com

{BLOCKED}-partner.de

{BLOCKED}llp.com

{BLOCKED}tter.nl

{BLOCKED}edical.de

{BLOCKED}ce.com

bg.{BLOCKED}in.pl

{BLOCKED}a.com

{BLOCKED}uck.de

{BLOCKED}s.dk

{BLOCKED}eflybilletter.dk

{BLOCKED}ars.net

{BLOCKED}art.com

{BLOCKED}tify.ai

{BLOCKED}lacemag.com

{BLOCKED}anvulpen.nl

{BLOCKED}t.fr

{BLOCKED}optic.com

{BLOCKED}p.com

{BLOCKED}kevision.com

{BLOCKED}rinefoundation.com

{BLOCKED}dgeheritage.com

{BLOCKED}nreich-brilon.de

{BLOCKED}pure-impulse.com

{BLOCKED}50ans.com

{BLOCKED}ndchallenger.com

{BLOCKED}chversicherung.info

{BLOCKED}a.de

{BLOCKED}beachassociation.com

{BLOCKED}gwheel.com

{BLOCKED}slivinglively.com

{BLOCKED}ier.org

{BLOCKED}endsgoal.site

{BLOCKED}ornfastigheter.se

{BLOCKED}-immobilien.de

{BLOCKED}uckrecords.com

{BLOCKED}ebettertolivebetter.com

{BLOCKED}cave.com

{BLOCKED}hillgroup.com

{BLOCKED}ehope.org

{BLOCKED}oepke.eu

{BLOCKED}neosteopathic.com.au

{BLOCKED}lisoep.nl

{BLOCKED}woodblog.com

{BLOCKED}mmobilier.com

{BLOCKED}t.online

{BLOCKED}ucious.com

{BLOCKED}enter-butz

{BLOCKED}ddyblog.com

{BLOCKED}nnikitav.0

{BLOCKED}deco.site

{BLOCKED}n.com

{BLOCKED}itare.com

{BLOCKED}elem.de

{BLOCKED}ss-basic.de

{BLOCKED}akers.com

{BLOCKED}o.pl

{BLOCKED}0.com

{BLOCKED}w-okc.com

{BLOCKED}glaforetdetesse.com

{BLOCKED}ce.com

{BLOCKED}escalade.com

{BLOCKED}10.it

{BLOCKED}ndloyalty.com

{BLOCKED}-york.com

{BLOCKED}nfriedlander.com

{BLOCKED}n.sparen-it.de

{BLOCKED}arosa33.it

{BLOCKED}depositors.com

{BLOCKED}seurdetran

{BLOCKED}p-mag.com

{BLOCKED}ng.com

{BLOCKED}erts.de

{BLOCKED}ec.com

{BLOCKED}yvisionglobal.com

{BLOCKED}ters.com

{BLOCKED}019.com

{BLOCKED}fhopeeurope.eu

{BLOCKED}sfrancis.photos

{BLOCKED}ttelhanna.com

{BLOCKED}rlin.de

{BLOCKED}rchatterchatter.com

{BLOCKED}arehousespace.com

{BLOCKED}sy.net

{BLOCKED}consulting.net

{BLOCKED}anne.com

{BLOCKED}ianscholz.de

{BLOCKED}opherhannan.com

{BLOCKED}rance.fr

{BLOCKED}natiphotocompany.org

{BLOCKED}citydj.com

{BLOCKED}t-diagramz.com

{BLOCKED}apes-art.com

{BLOCKED}gslife.com

{BLOCKED}epamblog.com

{BLOCKED}akilian.de

{BLOCKED}oomequipment.ie

{BLOCKED}foto.dk

{BLOCKED}-beethovenstrasse-ag.ch

{BLOCKED}d.com

{BLOCKED}w.com

{BLOCKED}reneuracademy.com

{BLOCKED}etennis.info

{BLOCKED}d-shelves.com

{BLOCKED}rescritor.com

{BLOCKED}er-place.de

{BLOCKED}tactodirecto.com

{BLOCKED}mobile.fr

{BLOCKED}n.nl

{BLOCKED}auses.org

{BLOCKED}marketing.com

{BLOCKED}acionrr.com

{BLOCKED}-avenue.co.il

{BLOCKED}p.de

{BLOCKED}ngalegacy.com

{BLOCKED}on.com

{BLOCKED}tone.co.nz

{BLOCKED}n.de

{BLOCKED}ood.com

{BLOCKED}loons.com

{BLOCKED}p.com

{BLOCKED}ediation.org

{BLOCKED}c.org

{BLOCKED}iscountguns.com

{BLOCKED}roasts.com

{BLOCKED}any.com

{BLOCKED}romote.de

{BLOCKED}u.futbol

{BLOCKED}ranch.com

{BLOCKED}i.be

{BLOCKED}visphotos.com

{BLOCKED}townhouse.com

{BLOCKED}e-styling.nl

{BLOCKED}u.com

{BLOCKED}n.com

{BLOCKED}ia.fi

{BLOCKED}tionhub.com

{BLOCKED}gfoodie.nl

{BLOCKED}verschuur.com

{BLOCKED}circle.com

{BLOCKED}labor-luenen.de

{BLOCKED}rage.com

{BLOCKED}wynkoopdentist.com

{BLOCKED}empelking.de

{BLOCKED}gandoprogramas.com

{BLOCKED}image.ae

{BLOCKED}s.be

{BLOCKED}s.de

{BLOCKED}an.ru

{BLOCKED}ie-weitram

{BLOCKED}i.store

{BLOCKED}niversiteit.nl

{BLOCKED}mo-agentur.de

{BLOCKED}ambulancealkmaar.nl

{BLOCKED}le-elite.de

{BLOCKED}rp.com

{BLOCKED}inkdetroit.com

{BLOCKED}ique.com

{BLOCKED}apernambuco.com

{BLOCKED}fresh.com

{BLOCKED}iestas.com.es

{BLOCKED}a.com

{BLOCKED}a.co.uk

{BLOCKED}foundation.org

{BLOCKED}limitedguide.com

{BLOCKED}e-des-pothiers.com

{BLOCKED}vefurniture.com

{BLOCKED}guides.eu

{BLOCKED}eniste.com

{BLOCKED}nhweeks.com

{BLOCKED}oiceclub.org

{BLOCKED}onpediatrics.com

{BLOCKED}makersheerenveen.nl

{BLOCKED}a.de

{BLOCKED}p.com

{BLOCKED}er.nl

{BLOCKED}x.pro

{BLOCKED}insteadwingchun.com

{BLOCKED}ntal.ae

{BLOCKED}eges.com

{BLOCKED}e.co

{BLOCKED}ennedymacfoy.com

{BLOCKED}ors.org

{BLOCKED}encyconsulting.es

{BLOCKED}u.fr

{BLOCKED}danismanlik.com

{BLOCKED}icianul.com

{BLOCKED}x.is

{BLOCKED}ramika-shop.com.ua

{BLOCKED}accreative

{BLOCKED}snhlstenden.com

{BLOCKED}ter-p.net

{BLOCKED}srealms.net

{BLOCKED}rvation.com

{BLOCKED}sbit-rp.ru

{BLOCKED}qca.com

{BLOCKED}tor-durban.com

{BLOCKED}sk.com

{BLOCKED}rlogerie.com

{BLOCKED}panart.com

{BLOCKED}riversforwindows.com

{BLOCKED}p.design

{BLOCKED}opolitica.com

{BLOCKED}z.de

{BLOCKED}icsport.eu

{BLOCKED}svirtualesexitosos.com

{BLOCKED}hacademy.org

{BLOCKED}a.nl

{BLOCKED}mes.com

{BLOCKED}tordallas.com

{BLOCKED}iareloj.com

{BLOCKED}ywizuk.com

{BLOCKED}n.ru

{BLOCKED}i.com.au

{BLOCKED}nline.com

{BLOCKED}star.co

{BLOCKED}zine.ru

{BLOCKED}tytitleoregon.com

{BLOCKED}titutionalfunds.com

{BLOCKED}go.eu

{BLOCKED}ome.co.uk

{BLOCKED}pace.com

{BLOCKED}sblenderstory.com

{BLOCKED}epair.com

{BLOCKED}a.se

{BLOCKED}oordental.com

{BLOCKED}ingsun.org

{BLOCKED}uzrewards.com

{BLOCKED}ontur.com

{BLOCKED}rverein-vatterschule.de

{BLOCKED}imes.ru

{BLOCKED}linslimeffect.net

{BLOCKED}ittard.nl

{BLOCKED}itores.com

{BLOCKED}ubna.com

{BLOCKED}ays.com

{BLOCKED}yballs.com

{BLOCKED}hift.it

{BLOCKED}oll.com

{BLOCKED}ids.com

{BLOCKED}-international.es

{BLOCKED}pro.com

{BLOCKED}sale.com

{BLOCKED}lmar.se

{BLOCKED}dia.com

{BLOCKED}x.de

{BLOCKED}d.ru

{BLOCKED}networking.com

{BLOCKED}herapierijnmond.nl

{BLOCKED}ainc.com

{BLOCKED}yals.com

{BLOCKED}uklaw.com

{BLOCKED}e-couture.com

{BLOCKED}partner.pl

{BLOCKED}burgcottage.com

{BLOCKED}asters.com

{BLOCKED}e-du-web.com

{BLOCKED}1.de

{BLOCKED}iatonaggelon.gr

{BLOCKED}muncey.com

{BLOCKED}b.software

{BLOCKED}h.ae

{BLOCKED}uck.de

{BLOCKED}-pflanzenparadies.de

{BLOCKED}erschueren.be

{BLOCKED}compliancenews.com

{BLOCKED}-migrate.com

{BLOCKED}skills.pt

go.{BLOCKED}ni.ch

{BLOCKED}dleadership.org

{BLOCKED}nger-teppi

{BLOCKED}ublandgoednieuwkerk.nl

{BLOCKED}yscustom.com

{BLOCKED}rbalhealth.com

{BLOCKED}deep.com

{BLOCKED}studio-visuell.de

{BLOCKED}nariaregional.com

{BLOCKED}cafeblog.wordpress.com

{BLOCKED}eenbiomedservices.com

{BLOCKED}fficespaces.net

{BLOCKED}yetattoo.com

{BLOCKED}ider.nl

{BLOCKED}dealers.ru

{BLOCKED}xin10.com

{BLOCKED}retecoatings.com

{BLOCKED}b.fr

{BLOCKED}d.com

{BLOCKED}chnologies.net

{BLOCKED}totaal.nl

{BLOCKED}lim.com

{BLOCKED}an-silkeborg.dk

{BLOCKED}atering.de

{BLOCKED}ublog.wordpress.com

{BLOCKED}streetspineclinic.com

{BLOCKED}urniture.com

{BLOCKED}andliebe.de

{BLOCKED}steelbuilding.com

{BLOCKED}rnsretirement.co.uk

{BLOCKED}lbygg.no

{BLOCKED}m.com

{BLOCKED}ymarketing.com

{BLOCKED}opping.com

{BLOCKED}land-oaze.nl

{BLOCKED}see-buhne11.de

{BLOCKED}uckwreckers.com.au

{BLOCKED}m.com

{BLOCKED}s.com

{BLOCKED}ne.de

{BLOCKED}isor.dk

{BLOCKED}alitytrain

{BLOCKED}etdelsindians.es

{BLOCKED}tay.com

{BLOCKED}gbangladesh.net

{BLOCKED}antra.com

{BLOCKED}urbo.de

{BLOCKED}aneselesbian.com

{BLOCKED}ofwa.com

{BLOCKED}iruses.org

{BLOCKED}anitas.dk

{BLOCKED}tyle.co.uk

{BLOCKED}ldt.dk

{BLOCKED}nforensic.com

{BLOCKED}hnologies.net

{BLOCKED}de.com

{BLOCKED}t99.com

{BLOCKED}beton.nl

{BLOCKED}us.com

{BLOCKED}god.be

{BLOCKED}ullcircle.com

{BLOCKED}istoria.com

{BLOCKED}e-entertainment.com

{BLOCKED}ekithomes.co.nz

{BLOCKED}ku-sozoku.com

{BLOCKED}izadvocates.org

{BLOCKED}tar.com

{BLOCKED}osextras.online

{BLOCKED}nf.com

{BLOCKED}urrection.com

{BLOCKED}isions-id.com

{BLOCKED}tiongames-brabant.nl

{BLOCKED}e.agency

{BLOCKED}inkone.com

{BLOCKED}alresults.com

{BLOCKED}estdigital.com

{BLOCKED}a.dk

{BLOCKED}r.com

{BLOCKED}ine.ru

{BLOCKED}idigitali.com

{BLOCKED}es.dk

{BLOCKED}cu.com

{BLOCKED}ekzema.nl

{BLOCKED}sgarcianoto.com

{BLOCKED}g.me

{BLOCKED}ybak.com

{BLOCKED}uu.net

{BLOCKED}illiamspainting.com

{BLOCKED}okus.com

{BLOCKED}est.com

{BLOCKED}rardon.com

{BLOCKED}genstern.com

{BLOCKED}terim-and-

{BLOCKED}nitureco.com

{BLOCKED}ter.com

{BLOCKED}nti.com

{BLOCKED}onalessandro.com

{BLOCKED}sultancy.com

{BLOCKED}ttmediations.com

{BLOCKED}hisme.fr

{BLOCKED}onbooks.com

{BLOCKED}inezilustrador.com

{BLOCKED}i.com.ng

{BLOCKED}re.com

{BLOCKED}moveamerica.org

{BLOCKED}en.com

{BLOCKED}nweekly.com

{BLOCKED}onmingmanning.com

{BLOCKED}y.hu

{BLOCKED}ooley.com

{BLOCKED}nblaetz.de

{BLOCKED}usktherapy.com

{BLOCKED}oundthecornerpetsit.com

{BLOCKED}are.com

{BLOCKED}somnium.de

{BLOCKED}njames.com

{BLOCKED}iterviertel.com

{BLOCKED}ndonesia.com

{BLOCKED}inealy.com

{BLOCKED}te.com

{BLOCKED}h.com

{BLOCKED}gatton.com

{BLOCKED}ordon.com

{BLOCKED}n.fr

{BLOCKED}allum.com

{BLOCKED}iedjeszingen.nl

{BLOCKED}alprep.academy

{BLOCKED}-prijs.nl

{BLOCKED}rdjournal.com

{BLOCKED}x.com

{BLOCKED}tickets.com

{BLOCKED}beaute-nani.com

{BLOCKED}vent.ru

{BLOCKED}dress.com

{BLOCKED}sory-opravy.com

{BLOCKED}t-m.ru

{BLOCKED}o.com

{BLOCKED}-vochtbestrijding.be

{BLOCKED}abrawijaya.com

{BLOCKED}anboennelykke.dk

{BLOCKED}old-sjaelland.dk

{BLOCKED}rsnapsen.dk

{BLOCKED}s72.com

{BLOCKED}o.pro

{BLOCKED}ichalovce.sk

{BLOCKED}f.de

{BLOCKED}i.ru

{BLOCKED}erplakky.nl

{BLOCKED}ools.ng

{BLOCKED}edspica.nl

{BLOCKED}iasafaris.com

{BLOCKED}oodmarketing.com

{BLOCKED}dbrowenvy.com

{BLOCKED}rm.com

{BLOCKED}eacrepes-meaux.fr

{BLOCKED}vor.com

{BLOCKED}withleslie.com

{BLOCKED}alentine.com

{BLOCKED}rensics.com

{BLOCKED}premegarcinia.net

{BLOCKED}rjees.com

{BLOCKED}can.com

{BLOCKED}schiess.de

{BLOCKED}rom.com

{BLOCKED}blanc.gr

{BLOCKED}dineroux.com

{BLOCKED}xbleus.net

{BLOCKED}opsmoking.co.uk

{BLOCKED}scan.de

{BLOCKED}even.be

{BLOCKED}ovka.ru

{BLOCKED}d.com

{BLOCKED}es.com

{BLOCKED}ed-public-adjuster.com

{BLOCKED}ingsnytt.nu

{BLOCKED}tgrafikweb.at

{BLOCKED}breaths.com

{BLOCKED}telyouth.com

{BLOCKED}ie.com

{BLOCKED}ete.com

{BLOCKED}x.co.uk

{BLOCKED}ilding.life

{BLOCKED}oncon.fr

{BLOCKED}saints.academy

{BLOCKED}veloper.com

{BLOCKED}i.com

{BLOCKED}oolabudhabi.ae

{BLOCKED}urheartout.co

{BLOCKED}t.sk

{BLOCKED}rn.co.uk

{BLOCKED}ndustries.com

{BLOCKED}hiro.com

{BLOCKED}k.academy

{BLOCKED}dseen.com

{BLOCKED}ille.se

{BLOCKED}ager.com

{BLOCKED}e.com

{BLOCKED}uchia.com

{BLOCKED}bryan.com

{BLOCKED}upe.com

{BLOCKED}l.it

{BLOCKED}o.academy

{BLOCKED}no.com

{BLOCKED}c.com

{BLOCKED}burger.fr

{BLOCKED}lduniya.com

{BLOCKED}h.fr

{BLOCKED}mputer-sup

{BLOCKED}visual.com

{BLOCKED}ya.net

{BLOCKED}chen.com

{BLOCKED}millionaires.net

{BLOCKED}nnye.ru

{BLOCKED}attalar.com

{BLOCKED}nedesigns.com

{BLOCKED}irossana.it

{BLOCKED}l.tn

{BLOCKED}dy.com

{BLOCKED}etmcshane.com

{BLOCKED}osediazdemera.com

{BLOCKED}almahdi.com

{BLOCKED}nelemenestrel.com

{BLOCKED}ymourphotography.co.uk

{BLOCKED}abasin.com

{BLOCKED}-frets-ceramics.nl

{BLOCKED}ipstudios.com

{BLOCKED}rbnb.wordpress.com

{BLOCKED}logicos.com

{BLOCKED}ruzzaofficial.com

{BLOCKED}eupetel.fr

{BLOCKED}e24.com.ua

{BLOCKED}gulka.ru

{BLOCKED}t.dk

{BLOCKED}opi.com.br

{BLOCKED}inghomes.com

{BLOCKED}olmong.com

{BLOCKED}ub.co.nz

{BLOCKED}lsupportco.com

{BLOCKED}iro.com.ar

{BLOCKED}shealthandwellness.com

{BLOCKED}etgesigte.co.za

{BLOCKED}odelrio.com

{BLOCKED}ongeren.nl

{BLOCKED}bau-hartmann.eu

{BLOCKED}fe.ca

{BLOCKED}lica.academy

{BLOCKED}on.ru

{BLOCKED}ta.com

{BLOCKED}lfiegel.com

{BLOCKED}-s.co.il

{BLOCKED}tschool.org

{BLOCKED}hopping.it

mike.{BLOCKED}es.de

{BLOCKED}odfellow.co.uk

{BLOCKED}uscle.nl

{BLOCKED}elers.com

{BLOCKED}arkescape.com

{BLOCKED}rksomhed.dk

{BLOCKED}o.it

{BLOCKED}k.digital

{BLOCKED}i.ru

{BLOCKED}fil.com

{BLOCKED}ristescu.com

{BLOCKED}e.nl

{BLOCKED}m.pt

{BLOCKED}ccarthydesign.com

{BLOCKED}andscapes.com

{BLOCKED}rrsoccer.com

{BLOCKED}sconsult.com

{BLOCKED}osshideout.com

{BLOCKED}ossplace.co.uk

{BLOCKED}r.nl

{BLOCKED}tz.com

{BLOCKED}c.com

{BLOCKED}p.org

{BLOCKED}r.nl

{BLOCKED}pieces-auto.fr

{BLOCKED}i.pe

{BLOCKED}l.de

{BLOCKED}gmarketinggroup.com

{BLOCKED}eam.com

{BLOCKED}win3.com

{BLOCKED}smali.net

{BLOCKED}t-pismo-gu

{BLOCKED}a.net

{BLOCKED}newsroom.com

{BLOCKED}estaurante.com.br

{BLOCKED}p.ru

{BLOCKED}marine.dk

{BLOCKED}a.co.uk

{BLOCKED}c.ca

{BLOCKED}n.nl

{BLOCKED}amedispa.com

{BLOCKED}i.be

{BLOCKED}pictures.com

{BLOCKED}surecleaning.com

{BLOCKED}ltere.fr

{BLOCKED}ruralhousingstudies.org

{BLOCKED}stop.com

{BLOCKED}gefinancial.com

{BLOCKED}x.com

{BLOCKED}ock.com

{BLOCKED}indeklas.be

{BLOCKED}i.com

{BLOCKED}edia.de

{BLOCKED}a.com.ua

{BLOCKED}la.com

{BLOCKED}ue.com

{BLOCKED}filoxenia.gr

{BLOCKED}s.com

{BLOCKED}ell.com.sg

{BLOCKED}nsigns.com

{BLOCKED}g.org

{BLOCKED}rehospital.dk

{BLOCKED}ademy.com

{BLOCKED}0.dk

{BLOCKED}log.com

{BLOCKED}siness.com

{BLOCKED}loisons.fr

{BLOCKED}arbella.com

{BLOCKED}demy.com

{BLOCKED}ot.com

{BLOCKED}ergyinternational.com

{BLOCKED}marketingsurgery.co.uk

{BLOCKED}tvgroup.com

{BLOCKED}ivadigital.com

{BLOCKED}webdesign.com

{BLOCKED}i.com

{BLOCKED}hubertruiz.com

{BLOCKED}s.com

{BLOCKED}b.net

{BLOCKED}dbrickwork.com

{BLOCKED}o.ae

{BLOCKED}unity.de

{BLOCKED}n.ro

{BLOCKED}karuva.com

{BLOCKED}k.zp.ua

{BLOCKED}ndingminialbums.com

{BLOCKED}ntity.com

{BLOCKED}e.com

{BLOCKED}entraal.nl

{BLOCKED}s.fr

{BLOCKED}a.gr

{BLOCKED}ophilippines.com

{BLOCKED}haus-erfurt.de

{BLOCKED}s.ru

{BLOCKED}natblago.ru

{BLOCKED}apod.com

{BLOCKED}gmlandscape.com

{BLOCKED}sandkids.com

{BLOCKED}chool.ru

{BLOCKED}deseniorliving.net

{BLOCKED}ort.com

{BLOCKED}ociation.com

{BLOCKED}tcleaning.net

{BLOCKED}aint-flour.fr

{BLOCKED}por.org.tr

{BLOCKED}son.com

{BLOCKED}gibadan.co.id

{BLOCKED}uhrambutkeiskei.com

{BLOCKED}greenfarmc

{BLOCKED}tdecor.com

{BLOCKED}tgrin.com

{BLOCKED}ko-group.com

{BLOCKED}xcrane.com

{BLOCKED}raphycreativity.co.uk

{BLOCKED}ag.com

{BLOCKED}nbepthanhdat.com

{BLOCKED}-lang.de

{BLOCKED}r.com

{BLOCKED}reen.com

{BLOCKED}ayvideoawards.com

{BLOCKED}look.com

{BLOCKED}re.co

{BLOCKED}ealth.net

{BLOCKED}monticello.com

{BLOCKED}urance.com

{BLOCKED}for-the-soul.ch

{BLOCKED}nturkiye.com

{BLOCKED}ne.com

{BLOCKED}bretagne.bzh

{BLOCKED}hell.su

{BLOCKED}etemp.com

{BLOCKED}r-iowa.com

{BLOCKED}mweb.com.ua:443

{BLOCKED}e.live

{BLOCKED}arineengineering.com

{BLOCKED}talblue.com

{BLOCKED}tion-stills.co.uk

{BLOCKED}sionetata.com

{BLOCKED}eplo.com

{BLOCKED}ersan.com

{BLOCKED}z.com

{BLOCKED}mer.pl

{BLOCKED}tparkiet.pl

{BLOCKED}eyagro.com.ua

{BLOCKED}s.ca

{BLOCKED}lay.ca

{BLOCKED}n.com

{BLOCKED}ompserver.de

{BLOCKED}ements.nl

{BLOCKED}eprod4.com

{BLOCKED}-reinigen.com

{BLOCKED}mbv.nl

{BLOCKED}l.it

{BLOCKED}usiccenter.com

{BLOCKED}ternational.com

{BLOCKED}ube.net

{BLOCKED}corting.com

{BLOCKED}ach.com

{BLOCKED}etsenblog.nl

{BLOCKED}allgood.com

{BLOCKED}ightmusic.com

{BLOCKED}zprono.com

{BLOCKED}brown.com

{BLOCKED}kloan.org

{BLOCKED}ods.ro

{BLOCKED}warehouse.co.uk

{BLOCKED}-webzine.nl

{BLOCKED}nplicht.be

{BLOCKED}i.co

{BLOCKED}blephotography.com

{BLOCKED}metkinderen.be

{BLOCKED}ntonline.eu

{BLOCKED}e.kz

{BLOCKED}box.ch

{BLOCKED}rtman.nl

{BLOCKED}gwell.com

{BLOCKED}ortsequip.com

{BLOCKED}tion-medical.online

{BLOCKED}up.pt

{BLOCKED}storage.co.uk

{BLOCKED}turf.com

{BLOCKED}div.com

{BLOCKED}dkershawwines.co.za

{BLOCKED}dmaybury.co.uk

{BLOCKED}mattgarage.ch

{BLOCKED}mbh.com

{BLOCKED}angoly.com

{BLOCKED}usic.nl

{BLOCKED}katjaya.com

{BLOCKED}talk.com

{BLOCKED}pollee.com

{BLOCKED}hendriks.nl

{BLOCKED}yn.com

{BLOCKED}attonecase.it

{BLOCKED}a.com

{BLOCKED}mark.dk

{BLOCKED}igns.com

{BLOCKED}4.com

{BLOCKED}diology.com

{BLOCKED}tar.ch

{BLOCKED}e.com

{BLOCKED}oncrete.com

{BLOCKED}xtel.uk

{BLOCKED}nchiuk.com

{BLOCKED}malo-developpement.fr

{BLOCKED}amar.nl

{BLOCKED}low.com

{BLOCKED}toy.store

{BLOCKED}pics.co.uk

{BLOCKED}og.org

{BLOCKED}iznes.com

{BLOCKED}t.ag

{BLOCKED}dlair.com

{BLOCKED}bohrmaschinetests.com

{BLOCKED}sseldienste-hannover.de

{BLOCKED}rquotes.com

{BLOCKED}derschoembs.com

{BLOCKED}-moelln.de

{BLOCKED}ch.academy

{BLOCKED}ndsroute66.co.uk

{BLOCKED}inderpt.com

{BLOCKED}s-clubs.co.uk

{BLOCKED}ed-minds.de

{BLOCKED}ewrightway.com

{BLOCKED}albrightdds.com

{BLOCKED}alemap.com

{BLOCKED}sspices.com

{BLOCKED}ingplanet.com

{BLOCKED}edia.de

{BLOCKED}edenroth.dk

{BLOCKED}ght.com

{BLOCKED}bird.dk

{BLOCKED}itsolutions.ch

{BLOCKED}tonfinancial.com

site.{BLOCKED}t.com.br

{BLOCKED}o.org

{BLOCKED}ping.de

{BLOCKED}eper.li

{BLOCKED}nski.eu

{BLOCKED}rome.eu

{BLOCKED}i.fi

{BLOCKED}ndnutrition.co.uk

{BLOCKED}nner.ro

{BLOCKED}vents.be

{BLOCKED}makerszwijndrecht.nl

{BLOCKED}inner.com

{BLOCKED}rcashsystem.com

{BLOCKED}ind.net

{BLOCKED}peak.com

{BLOCKED}ourism.academy

{BLOCKED}orkplaza.com

{BLOCKED}okna23.ru

{BLOCKED}osting.nl

{BLOCKED}brerie.it

{BLOCKED}onshosting.co.uk

{BLOCKED}i.ch

{BLOCKED}e.fr

{BLOCKED}eeing.net

{BLOCKED}el.be

{BLOCKED}movers.com

{BLOCKED}udible.com

{BLOCKED}ltyhomeservicesllc.com

{BLOCKED}marketingdigital.com.br

{BLOCKED}rei-hannover.de

{BLOCKED}lo.nl

{BLOCKED}ats.com

{BLOCKED}fieldplumbermo.com

{BLOCKED}coach.com

{BLOCKED}e.com

{BLOCKED}isateur.fr

{BLOCKED}xinc.com

{BLOCKED}infirmier.fr

{BLOCKED}yqualitysystems.com

{BLOCKED}plive.org

{BLOCKED}oulis.gr

{BLOCKED}-n-bitch.com

{BLOCKED}idgemontessori.com

{BLOCKED}und-ansichten.de

{BLOCKED}hs-wanderlust.info

{BLOCKED}reliefadvice.com

{BLOCKED}nosis.academy

{BLOCKED}numerik.fr

{BLOCKED}rcy.fr

{BLOCKED}d.com

{BLOCKED}scolony.com.ng

{BLOCKED}artemis.gr

{BLOCKED}utions.es

{BLOCKED}joen.fi

{BLOCKED}arhire.co.uk

{BLOCKED}lberg.de

{BLOCKED}z.fr

{BLOCKED}-made.com

{BLOCKED}regreenapts.com

{BLOCKED}evries.com

{BLOCKED}hers.com

{BLOCKED}geldvergleich.de

{BLOCKED}k.com

{BLOCKED}irginia.com

{BLOCKED}akopieva.ru

{BLOCKED}kartano.fi

{BLOCKED}p.co.uk

{BLOCKED}ia-conseil.fr

{BLOCKED}geln.ch

{BLOCKED}ash.com

{BLOCKED}dos.com

{BLOCKED}nadaydentalimplants.com

{BLOCKED}ebell.website

{BLOCKED}lair.de

{BLOCKED}tonarim.com

{BLOCKED}javertailut.net

{BLOCKED}eleachat.fr

{BLOCKED}ble.pl

{BLOCKED}adio.de

{BLOCKED}can.org

{BLOCKED}eek-diet.net

{BLOCKED}question.com

{BLOCKED}r-lueneburg.de

{BLOCKED}e-embellie.fr

{BLOCKED}auty-guides.com

{BLOCKED}rdroomafrica.com

{BLOCKED}pboard.co.uk

{BLOCKED}awaycollective.com

{BLOCKED}nningmanmusical.com

{BLOCKED}ecounselli

{BLOCKED}ellect.edu.pk

{BLOCKED}pa.com

{BLOCKED}elfairy.com

{BLOCKED}ybusinessacademy.com

{BLOCKED}kroadny.com

{BLOCKED}dio.academy

{BLOCKED}perez.com

{BLOCKED}ettyhair.com

{BLOCKED}echic.com

{BLOCKED}eke.de

{BLOCKED}oinsurers.net

{BLOCKED}esti.net

{BLOCKED}tuition.org

{BLOCKED}ackofthemoon.com

{BLOCKED}oot.co

{BLOCKED}avigator.ch

{BLOCKED}umacademy.com

{BLOCKED}are.com

{BLOCKED}olhealth.com

{BLOCKED}fer.fr

{BLOCKED}vl.ru

{BLOCKED}ete.com

{BLOCKED}ttabordeaux.fr

{BLOCKED}ttagaite.fr

{BLOCKED}lsguide.dk

{BLOCKED}g.academy

{BLOCKED}cks.com

{BLOCKED}kansenloket.nl

{BLOCKED}n.nu

{BLOCKED}ance.fr

{BLOCKED}mag.com

{BLOCKED}telifesource.com

{BLOCKED}herapy.site

{BLOCKED}oredhentaigif.com

{BLOCKED}ored.gr

{BLOCKED}w-narty.pl

{BLOCKED}selle.fr

{BLOCKED}acteur.fr

{BLOCKED}t-voice.com

{BLOCKED}o.fr

{BLOCKED}4.online

{BLOCKED}aard.dk

{BLOCKED}nessa.com

{BLOCKED}wingsdouche.nl

{BLOCKED}victoria.com

{BLOCKED}rental.ae

{BLOCKED}aecoturismo.com.br

{BLOCKED}mcosta.com

{BLOCKED}lhoogeveen.nl

{BLOCKED}biz.com

{BLOCKED}a.plus

{BLOCKED}o.com

{BLOCKED}rray.com

{BLOCKED}owersandrakes.com

{BLOCKED}man.es

{BLOCKED}erland.nl

{BLOCKED}ale.biz

{BLOCKED}5.com

{BLOCKED}sites.com

{BLOCKED}gceremonieswithtim.com

{BLOCKED}customers.fr

{BLOCKED}ugtrolley.net

{BLOCKED}ligenstadt.de

{BLOCKED}ngcrane.com

{BLOCKED}dgo.hu

{BLOCKED}ssenreden.com

{BLOCKED}z.pl

wordpress.{BLOCKED}m.no

{BLOCKED}roskitour.com

{BLOCKED}zil.com

{BLOCKED}itute.org

{BLOCKED}rest.net

{BLOCKED}abehgab4ak0ddz.xn--p1ai

{BLOCKED}addfr4ahr.dp.ua

{BLOCKED}lligafrgpatroner-stb.se

{BLOCKED}inoapte-6ld.ro

{BLOCKED}urces.com

{BLOCKED}fi.com

{BLOCKED}a.ru

{BLOCKED}nprimaunggul.org

{BLOCKED}rysalonsoho.com:443

{BLOCKED}chicken.ca

{BLOCKED}smicbeing.com

{BLOCKED}ppyevents.fr

{BLOCKED}xtshoes.com

{BLOCKED}enghotel.com

{BLOCKED}in-aquarelles.fr

{BLOCKED}ana.com

{BLOCKED}eszczecin.pl

{BLOCKED}n.ae

{BLOCKED}k.com

{BLOCKED}tar.com

{BLOCKED}erderijravensbosch.nl

{BLOCKED}h-umzug.ch

{BLOCKED}kuyutemel.com

{BLOCKED}ficial.nl

{string を介して、収集した情報を以下のURLに送信します。

https://{domain}/{string 1}/{string 2}/{random characters}.{string 3}
- {domain}:
  - {BLOCKED}1.{BLOCKED}n.ua
  1}:
  - wp-content
  - include
  - content
  - uploads
  - static
  - admin
  - data
  - news
- {string 2}:
  - images
  - pictures
  - image
  - temp
  - tmp
  - graphic
  - assets
  - pics
  - game
- {string 3}:
  - jpg
  - png
  - gif

ランサムウェアの不正活動

マルウェアは、ファイル名に以下の文字列を含むファイルの暗号化はしません。

File extensions:
- 386
- adv
- ani
- bat
- bin
- cab
- cmd
- com
- cpl
- cur
- deskthemepack
- diagcab
- diagcfg
- diagpkg
- dll
- drv
- exe
- hlp
- hta
- icl
- icns
- ico
- ics
- idx
- key
- ldf
- lnk
- lock
- mod
- mpa
- msc
- msi
- msp
- msstyles
- msu
- nls
- nomedia
- ocx
- prf
- ps1
- rom
- rtp
- scr
- shs
- spl
- sys
- theme
- themepack
- wpx
File name:
- autorun.inf
- boot.ini
- bootfont.bin
- bootsect.bak
- desktop.ini
- iconcache.db
- ntldr
- ntuser.dat
- ntuser.dat.log
- ntuser.ini
- thumbs.db

マルウェアは、以下のフォルダ内で確認されたファイルの暗号化はしません。

$recycle.bin
$windows.~bt
$windows.~ws
boot
google
intel
mozilla
msocache
perflogs
system volume information
tor browser
windows
windows.old

マルウェアは、暗号化されたファイルのファイル名に以下の拡張子を追加します。

.{random characters}

マルウェアが作成する以下のファイルは、脅迫状です。

{encrypted folder}\{appended ransom extension}-readme.txt

マルウェアは、以下の内容を含む脅迫状のテキストファイルを残します。

対応方法

対応検索エンジン: 9.850

初回 VSAPI パターンバージョン 15.164.03

初回 VSAPI パターンリリース日 2019年6月10日

VSAPI OPR パターンバージョン 15.165.00

VSAPI OPR パターンリリース日 2019年6月11日

手順 1

Windows XP、Windows Vista および Windows 7 のユーザは、コンピュータからマルウェアもしくはアドウェア等を完全に削除するために、ウイルス検索の実行前には必ず「システムの復元」を無効にしてください。

手順 2

このマルウェアもしくはアドウェア等の実行により、手順中に記載されたすべてのファイル、フォルダおよびレジストリキーや値がコンピュータにインストールされるとは限りません。インストールが不完全である場合の他、オペレーティングシステム（OS）の条件によりインストールがされない場合が考えられます。手順中に記載されたファイル／フォルダ／レジストリ情報が確認されない場合、該当の手順の操作は不要ですので、次の手順に進んでください。

手順 3

「Ransom.Win32.SODINOKIBI.THGAOAIA」で検出したファイル名を確認し、そのファイルを終了します。

[ 詳細 ]

すべての実行中プロセスが、Windows のタスクマネージャに表示されない場合があります。この場合、"Process Explorer" などのツールを使用しマルウェアのファイルを終了してください。"Process Explorer" については、こちらをご参照下さい。
検出ファイルが、Windows のタスクマネージャまたは "Process Explorer" に表示されるものの、削除できない場合があります。この場合、コンピュータをセーフモードで再起動してください。
セーフモードについては、こちらをご参照下さい。
検出ファイルがタスクマネージャ上で表示されない場合、次の手順にお進みください。

手順 4

以下のファイルを検索し削除します。

[ 詳細 ]

コンポーネントファイルが隠しファイル属性に設定されている場合があります。[詳細設定オプション]をクリックし、[隠しファイルとフォルダの検索]のチェックボックスをオンにし、検索結果に隠しファイルとフォルダが含まれるようにしてください。

{encrypted folder}\{random characters}.lock
%User Temp%\{random characters}.bmp
{encrypted folder}\{appended ransom extension}-readme.txt

手順 5

このレジストリキーを削除します。

[ 詳細 ]

警告：レジストリはWindowsの構成情報が格納されているデータベースであり、レジストリの編集内容に問題があると、システムが正常に動作しなくなる場合があります。
レジストリの編集はお客様の責任で行っていただくようお願いいたします。弊社ではレジストリの編集による如何なる問題に対しても補償いたしかねます。
レジストリの編集前にこちらをご参照ください。

HKEY_LOCAL_MACHINE\SOFTWARE\recfg

手順 6

最新のバージョン（エンジン、パターンファイル）を導入したウイルス対策製品を用い、ウイルス検索を実行してください。「Ransom.Win32.SODINOKIBI.THGAOAIA」と検出したファイルはすべて削除してください。検出されたファイルが、弊社ウイルス対策製品により既に駆除、隔離またはファイル削除の処理が実行された場合、ウイルスの処理は完了しており、他の削除手順は特にありません。

手順 7

デスクトッププロパティを修正します。

[ 詳細 ]

ご利用はいかがでしたか？　アンケートにご協力ください

Ransom.Win32.SODINOKIBI.THGAOAIA

概要

詳細

対応方法

リソース

サポート

会社概要

東京本社

Ransom.Win32.SODINOKIBI.THGAOAIA

概要

詳細

対応方法

リソース

サポート

会社概要

東京本社

The Americas

Asia Pacific

Europe, Middle East & Africa