Defender can be distributed through insecure RDP configurations, email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.
Once installed, the virus runs an executable named MpCmdRun.exe and starts the encryption procedure. In addition, it can also:
- Create an alternate data stream (ADS, the NTFS analogue of a resource fork) file to hide data and evade detection;
- Modify file/console tracing settings to hide its footprint;
- Read the active computer name;
- Modify auto-execute functionality by setting or creating a value in the registry;
- Contact random domain names;
- Mark files for removal;
- Open files with delete access rights;
- Delete Volume Shadow Copies; and so on.
Defender locks most file types on the infected computer by appending the .defender extension to each encrypted file. The Defender virus then changes the desktop background to a white brick wallpaper impersonating Windows Defender and generates a ransom note, which is downloaded from @zippyshare.
The Defender ransom note reads:
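The behaviours listed above (shadow-copy deletion, registry auto-run persistence, ADS creation, the appended .defender extension) can be turned into simple triage rules. The following Python is an added example, not code from the original page: it runs those rules over constructed Sysmon-style event records whose field names (event, image, cmdline, target, key) are assumptions for the example rather than any real telemetry schema.

```python
"""Behaviour-based triage for the Defender ransomware indicators described above.

Constructed Sysmon-style event dicts stand in for real telemetry; the field
names (event, image, cmdline, target, key) are assumptions for this example.
"""
import re

# Extension appended to encrypted files, as stated on the page.
RANSOM_EXT = ".defender"

# Each rule: (indicator name, event type it applies to, predicate over the record).
RULES = [
    ("shadow_copy_deletion", "process",
     lambda e: re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", e["cmdline"], re.I)
               or re.search(r"wmic(\.exe)?\s+shadowcopy\s+delete", e["cmdline"], re.I)),
    ("run_key_persistence", "registry",
     lambda e: re.search(r"\\CurrentVersion\\Run(Once)?\\", e["key"], re.I)),
    ("ads_file_created", "file_create",
     lambda e: ":" in e["target"].split("\\")[-1]),   # NTFS name:stream syntax
    ("ransom_extension_rename", "file_rename",
     lambda e: e["target"].lower().endswith(RANSOM_EXT)),
]

def is_encrypted_name(path):
    """True when a file keeps its original extension plus the appended .defender one."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(RANSOM_EXT) and "." in name[:-len(RANSOM_EXT)]

def triage(events):
    """Return the set of indicator names matched by a sequence of event records."""
    hits = set()
    for e in events:
        for name, etype, pred in RULES:
            if e["event"] == etype and pred(e):
                hits.add(name)
    return hits

# Constructed sample telemetry (not real captures), in the order the page describes.
SAMPLE_EVENTS = [
    {"event": "process", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\MpCmdRun.exe",
     "cmdline": "MpCmdRun.exe"},
    {"event": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Defender"},
    {"event": "file_create", "target": "C:\\Users\\u\\Desktop\\notes.txt:payload"},
    {"event": "file_rename", "target": "C:\\Users\\u\\Documents\\report.docx.defender"},
]

if __name__ == "__main__":
    print(sorted(triage(SAMPLE_EVENTS)))
```

A single match is only a lead; several of these indicators together in a short window is what a responder would escalate.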
YOUR FILES HAVE BEEN ENCRYPTE BY DEFENDER RANSOMWARE. THE WALL WILL NOT fall. THIS RANSOMWARE IS NOT DECRYPTABLE. SORRY ABOUT THAT.