On January 25, 2022, a victim of a ransomware attack reached out to us for help. The extension of the encrypted files and the ransom note indicated the TargetCompany ransomware (not related to Target the store), which can be decrypted under certain circumstances.

Modus Operandi of the TargetCompany Ransomware

When executed, the ransomware performs several actions to ease its own malicious work:

- Enables the SeTakeOwnershipPrivilege and SeDebugPrivilege privileges in its own process token.
- Deletes the Image File Execution Options (IFEO) registry entries for tools like vssadmin.exe, wmic.exe, wbadmin.exe, bcdedit.exe, powershell.exe, diskshadow.exe, net.exe and taskkill.exe (an IFEO entry can redirect or block the launch of the named executable).
- Removes shadow copies on all drives using this command:
  %windir%\sysnative\vssadmin.exe delete shadows /all /quiet
  (the sysnative alias is how a 32-bit process on 64-bit Windows reaches the real System32 directory past WoW64 file-system redirection), and disables the Windows Recovery Environment with:
  bcdedit /set recoveryenabled no
- Kills some processes that may hold open valuable files, such as databases:

[Figure: List of processes killed by the TargetCompany ransomware]

After these preparations, the ransomware gets the mask of all logical drives in the system using the GetLogicalDrives() Win32 API. Each drive is checked for its drive type by GetDriveType(). If the drive is of a valid type (fixed, removable or network), the encryption of that drive proceeds. First, every drive is populated with the ransom note file (named RECOVERY INFORMATION.txt). When this task is complete, the actual encryption begins.

To keep the infected PC working, TargetCompany avoids encrypting certain folders and file types:

[Figure: List of folders avoided by the TargetCompany ransomware]

[Figure: List of file types avoided by the TargetCompany ransomware]

The ransomware generates an encryption key for each file (0x28 bytes). This key splits into a ChaCha20 encryption key (0x20 bytes) and a nonce (0x08 bytes); an 8-byte nonce means the cipher is the original Bernstein ChaCha20 construction (64-bit nonce, 64-bit block counter) rather than the IETF variant with a 96-bit nonce. After the file is encrypted, the per-file key is protected by a combination of Curve25519 (elliptic-curve Diffie-Hellman) and AES-128 and appended to the end of the file.
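The per-file key handling described in the last paragraph, as an added example that is not the ransomware's or Avast's code: the 0x28-byte per-file key is split into a 0x20-byte ChaCha20 key and an 0x08-byte nonce, and the file body is encrypted with the original 64-bit-nonce ChaCha20 (implemented here from the specification and checked against the all-zero key/nonce test vector). The Curve25519 + AES-128 wrapping that protects the key before it is appended to the file is not reproduced, because the page does not give its layout; the function and constant names are this example's own.

```python
"""Per-file key split and ChaCha20 body encryption of the scheme above.

Added example, not the ransomware's or Avast's code. ChaCha20 here is the
original Bernstein construction (64-bit nonce in state words 14-15, 64-bit
block counter in words 12-13), which is what an 8-byte nonce implies.
The Curve25519 + AES-128 key wrapping is deliberately not modelled.
"""
import os
import struct

FILE_KEY_LEN = 0x28      # per-file key generated by the ransomware
CHACHA_KEY_LEN = 0x20    # first 32 bytes: ChaCha20 key
CHACHA_NONCE_LEN = 0x08  # last 8 bytes: ChaCha20 nonce


def split_file_key(file_key: bytes):
    """Split the 0x28-byte per-file key into (chacha20_key, nonce)."""
    if len(file_key) != FILE_KEY_LEN:
        raise ValueError("per-file key must be 0x28 bytes")
    return file_key[:CHACHA_KEY_LEN], file_key[CHACHA_KEY_LEN:]


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, nonce, counter):
    """One 64-byte keystream block for the given 64-bit counter."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))   # words 0-3
    state += struct.unpack("<8I", key)                         # words 4-11
    state += struct.unpack("<2I", struct.pack("<Q", counter))  # words 12-13
    state += struct.unpack("<2I", nonce)                       # words 14-15
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (the same XOR operation) with 64-bit-nonce ChaCha20."""
    if len(key) != CHACHA_KEY_LEN or len(nonce) != CHACHA_NONCE_LEN:
        raise ValueError("need a 32-byte key and an 8-byte nonce")
    out = bytearray()
    for off in range(0, len(data), 64):
        block = _chacha20_block(key, nonce, counter + off // 64)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
    return bytes(out)


def encrypt_file_body(plaintext, file_key=None):
    """Generate a fresh 0x28-byte per-file key (as the ransomware does),
    split it and encrypt the body. Returns (ciphertext, file_key); the
    key would then be wrapped and appended to the file, not stored raw."""
    if file_key is None:
        file_key = os.urandom(FILE_KEY_LEN)
    key, nonce = split_file_key(file_key)
    return chacha20_xor(key, nonce, plaintext), file_key


def decrypt_file_body(ciphertext, file_key):
    """Recover the body once the per-file key has been unwrapped."""
    key, nonce = split_file_key(file_key)
    return chacha20_xor(key, nonce, ciphertext)
```

Because ChaCha20 is a stream cipher, recovering the unwrapped 0x28-byte trailer key for a file is all a decryptor needs for that file; nothing about the body ciphertext itself leaks the key.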
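The host-preparation steps listed under the modus operandi (shadow-copy deletion, recovery disabled via bcdedit, IFEO key deletion for the named tools, ransom note dropped on every drive) each leave telemetry that a detection can key on. The following is an added example, not part of the original post: a small rule set run over constructed Sysmon-style events (EventID 1 = process create, 11 = file create, 12 = registry key create/delete). The field names follow Sysmon's schema; the events, host names and the two-rule verdict threshold are this example's own choices.

```python
"""Detection of the TargetCompany preparation steps over Sysmon-style events.

Added example, not Avast's or the ransomware author's code. SAMPLE_EVENTS
below is constructed telemetry, not a real capture.
"""
import re
from collections import defaultdict

# Tools whose Image File Execution Options keys the ransomware deletes.
IFEO_TOOLS = {"vssadmin.exe", "wmic.exe", "wbadmin.exe", "bcdedit.exe",
              "powershell.exe", "diskshadow.exe", "net.exe", "taskkill.exe"}
IFEO_KEY_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.I)


def is_shadow_deletion(e):
    # vssadmin.exe delete shadows /all /quiet (via the sysnative alias or not)
    return (e["EventID"] == 1
            and "vssadmin" in e["Image"].lower()
            and re.search(r"delete\s+shadows", e["CommandLine"], re.I) is not None)


def is_recovery_disabled(e):
    # bcdedit /set recoveryenabled no
    return (e["EventID"] == 1
            and "bcdedit" in e["Image"].lower()
            and re.search(r"recoveryenabled\s+no", e["CommandLine"], re.I) is not None)


def is_ifeo_deletion(e):
    # Sysmon 12 DeleteKey under IFEO for one of the listed tools
    if e["EventID"] != 12 or e.get("EventType") != "DeleteKey":
        return False
    m = IFEO_KEY_RE.search(e["TargetObject"])
    return m is not None and m.group(1).lower() in IFEO_TOOLS


def is_ransom_note(e):
    # RECOVERY INFORMATION.txt written to a drive root or folder
    return (e["EventID"] == 11
            and e["TargetFilename"].lower().endswith("\\recovery information.txt"))


RULES = {
    "shadow_copy_deletion": is_shadow_deletion,
    "recovery_disabled": is_recovery_disabled,
    "ifeo_key_deleted": is_ifeo_deletion,
    "ransom_note_dropped": is_ransom_note,
}


def analyse(events):
    """Return {host: {rule_name: hit_count}} for hosts with at least one hit."""
    hits = defaultdict(lambda: defaultdict(int))
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits[e["Computer"]][name] += 1
    return {host: dict(rules) for host, rules in hits.items()}


def verdict(host_hits):
    """Threshold chosen for this example: two or more distinct preparation
    steps on one host is treated as ransomware staging; a lone vssadmin
    invocation is too common in backup tooling to alert on by itself."""
    return len(host_hits) >= 2


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set recoveryenabled no"},
    {"EventID": 12, "Computer": "FS01", "EventType": "DeleteKey",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\vssadmin.exe"},
    {"EventID": 11, "Computer": "FS01", "TargetFilename": r"D:\RECOVERY INFORMATION.txt"},
    # benign activity on another host: a backup job only lists shadows
    {"EventID": 1, "Computer": "WS07", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 11, "Computer": "WS07", "TargetFilename": r"C:\Users\bob\notes.txt"},
]

if __name__ == "__main__":
    for host, rules in analyse(SAMPLE_EVENTS).items():
        print(host, "STAGING" if verdict(rules) else "ok", rules)
```

Process kills are left out of the rule set because the list of targeted processes is only given as an image on this page; in a real deployment it would be a fifth rule on Sysmon EventID 5 (process terminated) or on taskkill.exe command lines.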