Ransom.Win64.AKIRA.AMSL

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Este malware no tiene ninguna rutina de propagación.

Este malware no tiene ninguna rutina de puerta trasera.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega los procesos siguientes:

• powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

Propagación

Este malware no tiene ninguna rutina de propagación.

Rutina de puerta trasera

Este malware no tiene ninguna rutina de puerta trasera.

Robo de información

Acepta los siguientes parámetros:

• -p → Encryption Path used to only encrypt files in the given path
• -s → Path to file containing list of shares to include in the encryption
• -n → Encryption percentage on how much content of the files needs to be encrypted
• -l → Shows the available drives to encrypt

Otros detalles

Hace lo siguiente:

• It uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption.