Defender Ransomware
The Defender Ransomware is a file encryption Trojan that was reported on February 13th, 2018. Malware researchers reported that the Defender Ransomware is delivered to PC users via Zippysahre.com pages that claim to offer game cheats and cracked shareware. Understandably, most of the users who were infected with the Defender Ransomware launched the threat payload with administrative privileges, which is required to install game cheats and crack digital protection of shareware. The Defender Ransomware Trojan is dropped to the Temp directory under:
C:\Users\username\AppData\Temp\Cache\MpCmdRun.exe
Lab tests showed that the Defender Ransomware might use file names that suggest it is nothing more than an instance of Media Player Classic (h[tt]ps://mpc-hc[.]org/) as a way to avoid raising suspicion. The Defender Ransomware does not require significant processing power, and in most cases, infected PC users are unable to notice anything during the encryption process. The Defender Ransomware is programmed to encipher images, music files, downloaded videos, databases, office documents (DOCX, PPTX, XSLX), PDF files and eBook formats. The affected data receives the '.defender' extension and 'To-Do List.docx' is renamed to 'To-Do List.docx.defender.' Additionally, the system recovery feature is rendered useless by erasing the Shadow Volume snapshot records created by Windows. The ransom note is presented as a simple text note titled 'Defender_Ransomware.txt.' Compromised users can find 'Defender_Ransomware.txt' on their desktops and the documents library on Windows 10. The ransom message reads:
'YOUR FILES HAVE BEEN ENCRYPTED BY DEFENDER RANSOMWARE. THE WALL WILL NOT FALL. THIS RANSOMWARE IS NOT DECRYPTABLE. SORRY ABOUT THAT.'
There is no way to decipher the locked data as the decryption key is sent to the servers controlled by the threat creators. The attackers are believed to destroy data on infected devices purposely as they do not offer any medium for contact and make no demands. Hence, the Defender Ransomware is placed in the category of Wipeware (Wiper) - that is a program designed to wipe data or prevent access to data containers without the possibility of unlocking it in the future. You will need backups from unmapped drives and cloud-based services like Dropbox and Google Drive if you want to make a full recovery. AV engines recognize the Defender Ransomware and tag related files as:
- Artemis!5DCC449D51C8
- Ransom_DEFENDER.A
- TR/Ransom.dvwue
- Trojan ( 00526c4c1 )
- Trojan.GenericKD.40108788
- Trojan.Win32.Z.Filecoder.20480
- a variant of MSIL/Filecoder.LX
SpyHunter Detects & Remove Defender Ransomware
File System Details
# | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
---|---|---|---|
1. | MpCmdRun.exe | 5dcc449d51c864eeb657c54679eb9d20 | 0 |