

Defender is a ransomware family that targets Microsoft Windows.

Payload

Transmission

Defender can be distributed through insecure RDP configurations (exposed or weakly credentialed Remote Desktop), email spam carrying malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or trojanized installers.

Infection

Once installed, the ransomware runs an executable named MpCmdRun.exe (the same file name as the legitimate Microsoft Defender command-line tool, which normally lives under Program Files\Windows Defender) and starts the encryption routine. In addition, it can:

  • Create an NTFS alternate data stream (ADS) to hide data and evade detection;
  • Modify file/console tracing settings to hide its footprint;
  • Read the active computer name;
  • Establish persistence by setting or creating an auto-run value in the registry;
  • Contact random domain names;
  • Mark files for removal;
  • Open files with deletion access rights;
  • Delete Volume Shadow Copies (defeating local restore), etc.

Defender encrypts most file types on the infected computer, appending the .defender extension to each encrypted file. It then changes the desktop background to a white brick wallpaper impersonating Windows Defender and drops a ransom note, which is downloaded from @zippyshare.
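The behaviours listed above (shadow-copy deletion, an auto-run registry value, ADS writes, a burst of new .defender files, and a binary named like MpCmdRun.exe running from the wrong place) are the traits an incident responder would hunt for in endpoint telemetry. The following is an added example, not code from the wiki or from the malware: a small triage routine over constructed Sysmon-style events (event IDs 1, 11, 13 and 15; the sample events, process IDs, paths and the `burst_threshold`/`min_categories` parameters are all invented for illustration). It flags each trait separately and then reports processes that exhibit at least two of them, which is more robust than alerting on any single behaviour.

```python
"""Host-behaviour triage for the Defender ransomware traits: shadow-copy deletion,
Run-key persistence, alternate-data-stream writes, a burst of new .defender files,
and a process masquerading as MpCmdRun.exe. Runs over constructed Sysmon-style events."""
import re
from collections import Counter, defaultdict

ENCRYPTED_EXT = ".defender"

# Directories the genuine Microsoft Defender command-line tool is installed in.
LEGIT_MPCMDRUN_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"   # vssadmin delete shadows /all /quiet
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"    # wmic shadowcopy delete
    r"|win32_shadowcopy",                     # WMI/PowerShell variant
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
# A drive-letter path whose last component carries a ":stream" suffix (an NTFS ADS).
ADS_PATH = re.compile(r"^[a-z]:\\.*:[^\\:]+$", re.IGNORECASE)

# Constructed sample telemetry (not real logs). id follows Sysmon event numbering:
# 1 = process create, 11 = file create, 13 = registry value set, 15 = file stream created.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4242, "parent_pid": 3000,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MpCmdRun.exe",
     "cmdline": "C:\\Users\\alice\\AppData\\Local\\Temp\\MpCmdRun.exe"},
    {"id": 1, "pid": 4300, "parent_pid": 4242,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "pid": 2000, "parent_pid": 800,            # the real tool, benign
     "image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe",
     "cmdline": "MpCmdRun.exe -SignatureUpdate"},
    {"id": 13, "pid": 4242,
     "target": "HKU\\S-1-5-21-1000-2000-3000-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Defender",
     "details": "C:\\Users\\alice\\AppData\\Local\\Temp\\MpCmdRun.exe"},
    {"id": 15, "pid": 4242, "target": "C:\\Users\\alice\\Documents\\notes.txt:hidden"},
    {"id": 15, "pid": 900, "target": "C:\\Users\\alice\\Downloads\\setup.exe:Zone.Identifier"},  # benign MOTW
] + [
    {"id": 11, "pid": 4242, "target": f"C:\\Users\\alice\\Documents\\{name}.docx{ENCRYPTED_EXT}"}
    for name in ("a", "b", "c", "d", "e")
] + [
    {"id": 11, "pid": 1200, "target": "C:\\Users\\alice\\Documents\\report.docx"},  # benign
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events, burst_threshold=5):
    """Return (category, pid, evidence) tuples for every trait observed."""
    findings = []
    new_ext_files = Counter()  # pid -> number of newly created ENCRYPTED_EXT files
    for ev in events:
        eid, pid = ev["id"], ev["pid"]
        if eid == 1:
            image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
            if _basename(image) == "mpcmdrun.exe" and not image.lower().startswith(LEGIT_MPCMDRUN_DIRS):
                findings.append(("masquerading_binary", pid, image))
            if SHADOW_DELETE.search(cmdline):
                # vssadmin is only the tool; attribute the action to the process that spawned it.
                findings.append(("shadow_copy_deletion", ev.get("parent_pid", pid), cmdline))
        elif eid == 13 and RUN_KEY.search(ev.get("target", "")):
            findings.append(("run_key_persistence", pid, ev["target"]))
        elif eid == 15:
            target = ev.get("target", "")
            # Zone.Identifier is the mark-of-the-web stream browsers write; ignore it.
            if ADS_PATH.match(target) and not target.lower().endswith(":zone.identifier"):
                findings.append(("ads_write", pid, target))
        elif eid == 11 and ev.get("target", "").lower().endswith(ENCRYPTED_EXT):
            new_ext_files[pid] += 1
    for pid, n in sorted(new_ext_files.items()):
        if n >= burst_threshold:
            findings.append(("encrypted_extension_burst", pid, f"{n} new {ENCRYPTED_EXT} files"))
    return findings


def suspicious_processes(findings, min_categories=2):
    """Map pid -> sorted trait categories for processes showing at least min_categories traits."""
    cats = defaultdict(set)
    for category, pid, _ in findings:
        cats[pid].add(category)
    return {pid: sorted(c) for pid, c in cats.items() if len(c) >= min_categories}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(suspicious_processes(hits))
```

Tuning note: the burst threshold and the two-trait rule are starting points, not calibrated values; on a real fleet, exclude backup agents that legitimately call vssadmin, and treat any non-Microsoft path for MpCmdRun.exe as high-confidence on its own.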

The ransom note left by Defender reads:

YOUR FILES HAVE BEEN ENCRYPTE BY DEFENDER RANSOMWARE. THE WALL WILL NOT 
fall. THIS RANSOMWARE IS NOT DECRYPTABLE. SORRY ABOUT THAT.