

To re-access the desktop I would Control-Alt-Delete -> Task Manager -> Run new task -> explorer.exe. This worked fine for 2 years (without internet access) until the other day I connected it to the internet and it updated to version 1903. This reset the default shell back to explorer.exe, which I changed back to my startup.bat file.

On January 25, 2022, a victim of a ransomware attack reached out to us for help. The extension of the encrypted files and the ransom note indicated the TargetCompany ransomware (not related to Target the store), which can be decrypted under certain circumstances.

Modus Operandi of the TargetCompany Ransomware

When executed, the ransomware performs several actions to ease its own malicious work:

- Assigns the SeTakeOwnershipPrivilege and SeDebugPrivilege to its process.
- Deletes special file execution options for tools like vssadmin.exe, wmic.exe, wbadmin.exe, bcdedit.exe, powershell.exe, diskshadow.exe, net.exe and taskkill.exe.
- Removes shadow copies on all drives using this command:
  %windir%\sysnative\vssadmin.exe delete shadows /all /quiet
- Disables Windows recovery: bcdedit /set recoveryenabled no
- Kills some processes that may hold open valuable files, such as databases.

[List of processes killed by the TargetCompany ransomware]

After these preparations, the ransomware gets the mask of all logical drives in the system using the GetLogicalDrives() Win32 API. Each drive is checked for its drive type by GetDriveType(). If the drive is valid (fixed, removable or network), the encryption of the drive proceeds. First, every drive is populated with the ransom note file (named RECOVERY INFORMATION.txt). When this task is complete, the actual encryption begins.

To keep the infected PC working, TargetCompany avoids encrypting certain folders and file types:

[List of folders avoided by the TargetCompany ransomware]
[List of file types avoided by the TargetCompany ransomware]

The ransomware generates an encryption key for each file (0x28 bytes). This key splits into a ChaCha20 encryption key (0x20 bytes) and a nonce (0x08 bytes). After the file is encrypted, the key is protected by a combination of Curve25519 elliptic curve + AES-128 and appended to the end of the file.
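The preparation steps listed under Modus Operandi (shadow copy deletion, disabling recovery with bcdedit, deleting the file execution options of recovery tools) are what a detection engineer would key on, because they happen before any file is touched. The following is an added example and not code from the Avast write-up or from the ransomware: a small matcher run over constructed process-creation and registry events whose field names follow Sysmon conventions (Image, ParentImage, CommandLine, EventType, TargetObject). It assumes that "special file execution options" refers to entries under the Image File Execution Options registry key; the sample events and the actor attribution rule (parent process for process creation, writing process for registry changes) are constructed for the example.

```python
import re

# Tools the article names as having their file execution options deleted.
IFEO_TOOLS = {"vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe",
              "powershell.exe", "diskshadow.exe", "net.exe", "taskkill.exe"}

# Command-line patterns taken from the two commands quoted on the page.
COMMAND_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
]

# Assumption for this example: the deleted options live under
# HKLM\...\Image File Execution Options\<tool>.exe (Sysmon Event ID 12, DeleteKey).
IFEO_KEY = re.compile(r"\\Image File Execution Options\\([^\\]+\.exe)$", re.I)


def classify_event(evt):
    """Return a finding name for one event, or None when it matches nothing.

    evt is a dict with 'type' ('process' or 'registry') plus Sysmon-style fields.
    """
    if evt["type"] == "process":
        cmd = evt.get("CommandLine", "")
        for name, rx in COMMAND_RULES:
            if rx.search(cmd):
                return name
    elif evt["type"] == "registry" and evt.get("EventType") == "DeleteKey":
        m = IFEO_KEY.search(evt.get("TargetObject", ""))
        if m and m.group(1).lower() in IFEO_TOOLS:
            return "ifeo_entry_deleted"
    return None


def scan(events):
    """Group findings by the process that performed the action: the parent for
    process-creation events, the modifying process for registry events."""
    findings = {}
    for evt in events:
        name = classify_event(evt)
        if name is None:
            continue
        actor = evt["ParentImage"] if evt["type"] == "process" else evt["Image"]
        findings.setdefault(actor, set()).add(name)
    return findings


def suspicious_actors(events, threshold=2):
    """Processes that performed at least `threshold` distinct preparation steps.
    A single vssadmin call can be legitimate; the combination rarely is."""
    return sorted(actor for actor, f in scan(events).items() if len(f) >= threshold)


# Constructed sample events (not real telemetry).
DROPPER = r"C:\Users\victim\Downloads\invoice.exe"
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": DROPPER,
     "CommandLine": r"C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": DROPPER,
     "CommandLine": "bcdedit /set recoveryenabled no"},
    {"type": "registry", "Image": DROPPER, "EventType": "DeleteKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe"},
    # Benign noise: a backup agent listing shadows, an admin creating an unrelated IFEO key.
    {"type": "process", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Program Files\Backup\agent.exe", "CommandLine": "vssadmin list shadows"},
    {"type": "registry", "Image": r"C:\Windows\regedit.exe", "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"},
]

if __name__ == "__main__":
    for actor, names in scan(SAMPLE_EVENTS).items():
        print(actor, sorted(names))
    print("suspicious:", suspicious_actors(SAMPLE_EVENTS))
```

The threshold matters: `vssadmin delete shadows` alone fires on backup maintenance in many environments, but one process that deletes shadows, turns off recovery and strips IFEO entries for the very tools it just used is the sequence the article describes and is worth an alert on its own.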
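The 0x20 + 0x08 byte split of the per-file key is the layout of the original (DJB) ChaCha20, which takes a 64-bit nonce and a 64-bit block counter, not the 96-bit-nonce variant of RFC 8439. The following is an added example, not code from the Avast write-up or the ransomware: a stdlib-only ChaCha20 with that layout, the key split, and the per-file encryption step, checked against the standard all-zero test vector. Assumptions for the example: the key occupies the first 0x20 bytes and the nonce the last 0x08, and the block counter starts at 0. The Curve25519 + AES-128 protection of the key and the format of the trailer appended to the file are not reproduced, because the page does not give their layout.

```python
import os
import struct

MASK32 = 0xFFFFFFFF
FILE_KEY_LEN = 0x28        # per-file key material, as described in the article
CHACHA_KEY_LEN = 0x20      # assumption: first 32 bytes are the ChaCha20 key
CHACHA_NONCE_LEN = 0x08    # assumption: last 8 bytes are the (DJB-style) nonce


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte keystream block of DJB's ChaCha20: 256-bit key, 64-bit block
    counter in state words 12-13 and 64-bit nonce in state words 14-15."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += struct.unpack("<2I", struct.pack("<Q", counter))
    state += struct.unpack("<2I", nonce)
    work = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(work, 0, 4, 8, 12)     # column rounds
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)    # diagonal rounds
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16I", *((w + s) & MASK32 for w, s in zip(work, state)))


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the same operation) by XORing data with the keystream."""
    out = bytearray(len(data))
    for off in range(0, len(data), 64):
        block = chacha20_block(key, nonce, counter + off // 64)
        chunk = data[off:off + 64]
        out[off:off + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def split_file_key(file_key):
    """Split the 0x28-byte per-file key into (ChaCha20 key, nonce)."""
    if len(file_key) != FILE_KEY_LEN:
        raise ValueError("per-file key must be 0x28 bytes")
    return file_key[:CHACHA_KEY_LEN], file_key[CHACHA_KEY_LEN:]


def generate_file_key():
    """Fresh 0x28 bytes of key material for one file."""
    return os.urandom(FILE_KEY_LEN)


def encrypt_file_body(file_key, plaintext):
    """Encrypt one file's contents with its per-file key (counter starts at 0)."""
    key, nonce = split_file_key(file_key)
    return chacha20_xor(key, nonce, plaintext)


decrypt_file_body = encrypt_file_body   # stream cipher: decryption is the same XOR

if __name__ == "__main__":
    fk = generate_file_key()
    ct = encrypt_file_body(fk, b"constructed sample file contents")
    assert decrypt_file_body(fk, ct) == b"constructed sample file contents"
    print(chacha20_block(bytes(32), bytes(8), 0).hex())
```

Two practical notes for anyone writing a decryptor against this layout. First, recovering the 0x28 bytes for a file is sufficient to decrypt it completely, since the cipher is a pure keystream XOR; that is why the per-file key has to be unwrapped from the trailer before anything else. Second, a library that only implements the RFC 8439 variant with a 96-bit nonce can still be used: set its 32-bit counter to 0 and its nonce to four zero bytes followed by the 8-byte nonce, which yields the identical initial state for any file shorter than 2^32 blocks.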
