�� esetnod32.ru [��: �� .Loki; .Blackbit]

�� .Loki; .Blackbit

Tue, 25 Jul 2023 03:31:41 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .

====quote====
�� :
https://forum.esetnod32.ru/messages/forum35/topic16685/message115049/#message115049
��,
�� Locked by Loki ?
�� ...
=============

�� ,
� ��, �� Loki
25.07.2023 03:31:41, santy.

�� .Loki; .Blackbit

Sat, 22 Jul 2023 05:37:53 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
https://forum.esetnod32.ru/messages/forum35/topic16685/message115049/#message115049
��,
�� Locked by Loki ?
�� ...
22.07.2023 05:37:53, �� .

�� .Loki; .Blackbit

Thu, 13 Apr 2023 10:30:29 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .

====quote====
�� :
�� ? �� ?
=============
Microsoft �� , �� LSASS.

��: https://www.securitylab.ru/news/529845.php
�� - �� .
13.04.2023 10:30:29, santy.

�� .Loki; .Blackbit

Thu, 13 Apr 2023 10:25:11 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .

====quote====
�� :
� �� -
�� Eset File security 7.3 �� 8,0 ?
=============
8 ��
https://download.eset.com/com/eset/apps/business/efs/windows/v8/latest/efsw_nt64.msi
7 ��
https://download.eset.com/com/eset/apps/business/efs/windows/v7/latest/efsw_nt64.msi
13.04.2023 10:25:11, santy.

�� .Loki; .Blackbit

Thu, 13 Apr 2023 10:11:01 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
� �� -
�� Eset File security 7.3 �� 8,0 ?
13.04.2023 10:11:01, �� .

�� .Loki; .Blackbit

Thu, 13 Apr 2023 10:04:18 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� ? �� ?
13.04.2023 10:04:18, �� .

�� .Loki; .Blackbit

Mon, 10 Apr 2023 09:36:33 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
Restore-My-Files.txt �� . � �� ID, �� , �� .

>>>�� , �� .
��, �� , � �� .
--------
��, � 2003 �� .

Version Original Release Date Latest Build Latest Build Release Date Current Status Full Support Limited Support

====quote====
6.5 February 28, 2017 6.5.12018.0 February 19, 2020 End of Life Ended Ended (December 31, 2022)
=============

[FILE ID=126477]
https://support-eol.eset.com/en/policy_business/product_tables.html

10.04.2023 09:36:33, santy.

�� .Loki; .Blackbit

Mon, 10 Apr 2023 09:29:52 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� , �� .
�� 2023�, �� ESET �� Eset File Security 6.5.
�� -�� (x86).

��, �� Restore-My-Files.txt �� eset-�� .
�� , �� ?
10.04.2023 09:29:52, �� .

�� .Loki; .Blackbit

Mon, 10 Apr 2023 09:00:58 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .

====quote====
�� :
�� rules - �� keenetic , �� ESET FILE SECURITY �� .RDP ( �� 3389) �� 2003, �� (�� DC).
=============
�� RDP �� , �.�. �� . �� .
��, ��

�� :

====quote====
06.04.2023 6:39:59 Real-time file system protection file C:\Documents and Settings\��\�� \��\Restore-My-Files.txt Win32/Filecoder.Phobos trojan deleted TCOM\�� Event occurred during an attempt to access the file by the application: C:\WINDOWS\explorer.exe (AA4213344DD3C4B0EBF1E699423CFE6D384B87D3). B470A8935FD24B99972D6490E836BA6C12557300 05.04.2023 23:06:35
06.04.2023 4:13:28 Advanced memory scanner file Operating memory � svchost.exe(2260) MSIL/TrojanDownloader.Agent.NZD trojan unable to clean 9A7040A5C25B3BBFB552A348869D173B9095491B
06.04.2023 4:13:28 Advanced memory scanner file Operating memory � svchost.exe(2260) a variant of MSIL/Filecoder.LokiLocker.D trojan unable to clean 45CCB668DAB4D79E373D2E65F0EE4E5D210F126B
05.04.2023 16:06:37 Advanced memory scanner file Operating memory � svchost.exe(2260) MSIL/TrojanDownloader.Agent.NZD trojan unable to clean 9A7040A5C25B3BBFB552A348869D173B9095491B
05.04.2023 16:06:37 Advanced memory scanner file Operating memory � svchost.exe(2260) a variant of MSIL/Filecoder.LokiLocker.D trojan unable to clean 45CCB668DAB4D79E373D2E65F0EE4E5D210F126B
05.04.2023 16:04:41 Advanced memory scanner file Operating memory � svchost.exe(2260) MSIL/TrojanDownloader.Agent.NZD trojan unable to clean 9A7040A5C25B3BBFB552A348869D173B9095491B
05.04.2023 16:04:38 Advanced memory scanner file Operating memory � svchost.exe(2260) a variant of MSIL/Filecoder.LokiLocker.D trojan unable to clean 45CCB668DAB4D79E373D2E65F0EE4E5D210F126B

=============
�� , �� .

06.04.2023 11:13:31 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
06.04.2023 9:13:30 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
06.04.2023 7:13:31 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
06.04.2023 5:13:09 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
05.04.2023 5:13:09 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
05.04.2023 3:13:09 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
05.04.2023 1:13:09 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
04.04.2023 23:13:08 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
04.04.2023 21:13:11 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
04.04.2023 19:13:09 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
04.04.2023 17:13:09 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM

� ��
07.03.2023 17:14:18 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
07.03.2023 15:14:14 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
07.03.2023 13:14:17 Update Update authorization failed. Please check if your license is valid. NT AUTHORITY\SYSTEM
------------
�� (� AMS), �� , �� , �� MSIL/Filecoder.LokiLocker.D trojan
10.04.2023 09:00:58, santy.

�� .Loki; .Blackbit

Mon, 10 Apr 2023 06:13:35 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� rules - �� keenetic , �� ESET FILE SECURITY �� .
RDP ( �� 3389) �� 2003, �� (�� DC).
�� 2012 (AD, �� GC),
��. �� . �� 2012 �� .
10.04.2023 06:13:35, �� .

�� .Loki; .Blackbit

Mon, 10 Apr 2023 00:59:14 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� rules - �� ? � �� ESET FILE SECURITY?
�� rdp - �� rules, �� RDP (�� 3389)
�� :
�� +Cpriv.Loki+Restore-My-Files.txt
�� : �� 2003 - �� ? � �� ?
�� winlogon.exe �� , �� .
10.04.2023 00:59:14, santy.

�� .Loki; .Blackbit

Sun, 09 Apr 2023 08:38:35 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� .
�� .�� safety@ - �� RDP, �.�. �� ,
� �� , �� .
- ��, �� .

�� -
1. �� rdp
�� - �� rules.txt
�� ?
�� . �� ?
�� -�� ?
2. �� -
�� *.loki + �� cpriv.loki ,
�� ?
3. �� windows -
� �� , �� ,
�� winlogon � ��. , �� ?
�� eset �� ?
rules.txt
09.04.2023 08:38:35, �� .

�� .Loki; .Blackbit

Sat, 08 Apr 2023 00:59:09 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� :
https://www.virustotal.com/gui/file/b8ffd72534056ea89bfd48cbe6efb0b4d627a6284a7b763fdb7dfd070c1049ba/detection

� ��, �� LokiLocker �� . �� ,
�� .

�� ESVC �� , � �� PKY �� , �.�. � �� .

�� SMBv1. �� , �� SMBv1� �� :
https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3#how-to-remove-smbv1

�� ESET Server Security �� Microsoft Windows Server �� 8.0 (https://www.eset.com/int/business/download/file-security-windows/).

�� , ��, �� (�� ) ��.
�� , �� secpol.msc � � �� -> �� -> �� .

�� :
- ��
- �� RDP ��: �� RDP �� VPN �� , �� 2FA, �� , �� RDP �� , ��
- �� RDP
- �� ESET � �� (��. https://support.eset.com/kb6783/)
- �� ESET LiveGrid Feedback
- �� (��. https://support.eset.com/kb6795/)
08.04.2023 00:59:09, santy.

�� .Loki; .Blackbit

Fri, 07 Apr 2023 13:52:18 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� winlogon.7z
+ ��

Esvc �� -64x (win 2012), �� x86 �� (�� ).
winlogon � �� x86 (win 2003 R2)
ESVC_PKY_20230407162638.zip
07.04.2023 13:52:18, �� .

�� .Loki; .Blackbit

Fri, 07 Apr 2023 06:11:15 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .

====quote====
�� :
�� filecoder �� safety@chklst.ru ,

+ ��
=============
�� - �� FileCoder.LokiLocker (�� Phobos, ��, �� ):
E7A44AD48CBE884AFC4DAFB917F5445C9994F29C.NDF "C:\svchost.exe";"C:\Documents and Settings\All Users\Application Data\winlogon.exe";"C:\Documents and Settings\All Users\�� \��\��\winlogon.exe";"C:\Documents and Settings\��\Application Data\winlogon.exe";"C:\Documents and Settings\��\�� \��\��\winlogon.exe" "@NAME=MSIL/Filecoder.LokiLocker.D@TYPE=Trojan@SUSP=mod" 06.04.2023 532480 bytes

��, ��, �� (�� winlogon.exe) �� , � ��, � �� infected � �� safety@chklst.ru
(�� filecoder, �� )
+
�� ESETSysVilnCheck �� .
07.04.2023 06:11:15, santy.

�� .Loki; .Blackbit

Fri, 07 Apr 2023 05:25:51 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
+��. ��
crypted.rar
07.04.2023 05:25:51, �� .

�� .Loki; .Blackbit

Fri, 07 Apr 2023 05:22:42 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� filecoder �� safety@chklst.ru ,

+ ��
efsw_logs.zip
07.04.2023 05:22:42, �� .

�� .Loki; .Blackbit

Fri, 07 Apr 2023 02:33:41 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
��, ��, �� +�� .
�� Filecoder � �� infected, �� safety@chklst.ru

��, ��, �� : (�� )
1. ��
https://forum.esetnod32.ru/forum9/topic2687/
2. �� FRST
https://forum.esetnod32.ru/forum9/topic2798/
3. �� ESETLogCollector
�� :
�� - v4.3.0.0 (14.07.2021)
https://download.eset.com/com/eset/tools/diagnosis/log_collector/latest/esetlogcol�lector.exe

�� . �� ESET Log Collector �� (�� "�� ").

� �� "�� ESET" �� "�� " � �� . �� , �� , �� , �� "ess_logs.zip". �� , �� "...". �� .

4.SysvulnCheck
"SysVulnCheck_out.zip" (��, �� ESETSysVulbCheck)

�� ESETSysVulnCheck[/B] �� (�� IE)
https://ftp.eset.sk/samples/svchecker/ESETSysVulnCheck.exe

� �� . �� , �� , �� - �� "SysVulnCheck_out.zip". �� .
07.04.2023 02:33:41, santy.

�� .Loki; .Blackbit

Thu, 06 Apr 2023 20:33:18 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
��.
�� .
�� ESET File Security, �� , �� Filecoder.Phobos.
�� *.loki .
�� unlockloki@onionmail.org
06.04.2023 20:33:18, �� .

�� .Loki; .Blackbit

Thu, 01 Dec 2022 09:42:07 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� :
�� 23.11 ��
Restore-My-Files.txt
��, �� :
sep=,
Datetime,Source,Event description
22.11.2022 11:22:50.370,Security Logs,"""User"" logged in via RDP. (W: USER-��, IP: 192.168.10.104, P: User32)"
�� :
sep=,
Datetime,Source,Event description
23.11.2022 12:20:20.728,Security Logs,"""User"" logged in via RDP. (W: USER-��, IP: fe80::e91c:8c7d:e4ff:10c5, P: User32)"
------------------
�� :

�� Windows 7 ��. �� .

�� (UAC).

�� SMBv1. �� , �� SMBv1� �� :
https://docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3#how-to-remove-smbv1

�� ESET �� .

�� , ��, �� (�� ) ��.
�� , �� secpol.msc � � �� -> �� -> �� .

�� :
- MS16-032 (https://technet.microsoft.com/en-us/library/security/MS16-032)
- CVE-2019-1181, CVE-2019-1182, �� DejaBlue� (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181)
- CVE-2021-34527, �� PrintNightmare� (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527)

�� . �� :

Users (C:\Users)
- �� (C:\Users\User\Desktop\��)

====quote====
�� :
- ��
- �� RDP ��: �� RDP �� VPN �� , �� 2FA, �� , �� RDP �� , ��
- �� RDP
- �� ESET � �� (��. https://support.eset.com/kb6783/)
- �� ESET LiveGrid Feedback
- �� (��. https://support.eset.com/kb6795/)
=============

01.12.2022 09:42:07, santy.

�� .Loki; .Blackbit

Thu, 01 Dec 2022 09:33:13 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� :
sep=,
Datetime,Service name,Type,File name,Start type,Account
28.11.2022 13:19:43,Kaspersky Small Office Security Service 21.7,�� ,"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 21.7\avp.exe"" -",��,LocalSystem

�� ? �� ?
� �� , �� .
[FILE ID=124536]

01.12.2022 09:33:13, santy.

�� .Loki; .Blackbit

Thu, 01 Dec 2022 09:25:24 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
� �� .

�� , ��, ��, �� uVS �� .

�� uVS:
- �� ;
- �� uVS(start.exe), �� : �� , �� - �� - �� ;
- �� ;
====code====


;uVS v4.12.3 [http://dsrt.dyndns.org:8888]
;Target OS: NTv6.1
v400c
OFFSGNSAVE
zoo %SystemDrive%\PROGRAMDATA\WINLOGON.EXE
zoo %SystemDrive%\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WINLOGON.EXE
zoo %Sys32%\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\WINLOGON.EXE
zoo %SystemDrive%\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WINLOGON.EXE
zoo %SystemRoot%\WINLOGON.EXE
zoo %SystemDrive%\USERS\USER\APPDATA\ROAMING\WINLOGON.EXE
;---------command-block---------
delall %SystemDrive%\PROGRAMDATA\WINLOGON.EXE
delall %SystemDrive%\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WINLOGON.EXE
delall %Sys32%\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\WINLOGON.EXE
delall %SystemDrive%\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WINLOGON.EXE
delall %SystemDrive%\USERS\USER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\WVTYMCOW.BAT
delall %SystemRoot%\WINLOGON.EXE
delall %SystemDrive%\USERS\USER\APPDATA\ROAMING\WINLOGON.EXE
delref {FD387882-7305-4231-86E1-35B1FAE33425}\[TASK]
delall %SystemRoot%\WINLOGON.EXE
regt 1
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DCNCGOHEPIHCEKKLOKHBHIBLHFCMIPBDH%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DGEHNGEIFMELPHPLLNCOBKMIMPHFKCKNE%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DLGDNILODCPLJOMELBBNPGDOGDBMCLBNI%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTP://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DPBEFKDCNDNGODFEIGFDGIODGNMBGCFHA%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DAJFLEPEGNONONCFMOIKDNEPHFLELDNBH%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DCCFIFBOJENKENPKMNBNNDEADPFDIFFOF%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DEFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DFAHHEAKDHOEOIGMAFEJKEHDOEIKPGDFP%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DIAKDDMMLEDECLCODPBGEBFKHEGAADDGE%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DODIJCGAFKHPOBJLNFDGIACPDENPMBGME%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DOELPKEPJLGMEHAJEHFEICFBJDIOBDKFJ%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DOJLCEBDKBPJDPILIGKDBBKDKFJMCHBFD%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DPHKDCINMMLJBLPNKOHLIPAIODLONPINF%26INSTALLSOURCE%3DONDEMAND%26UC
delref HTTPS://CLIENTS2.GOOGLE.COM/SERVICE/UPDATE2/CRX?RESPONSE=REDIRECT&PRODVERSION=38.0&X=ID%3DPMPOAAHLECCAIBBHFJFIMIGEPMFMMBBK%26INSTALLSOURCE%3DONDEMAND%26UC
apply
CZOO

QUIT

=============
�� , �� .
�� uVS (�� : ZOO_��-��-��_��-��-��.rar/7z) �� safety@chklst.ru
------------
01.12.2022 09:25:24, santy.

�� .Loki; .Blackbit

Wed, 30 Nov 2022 09:18:45 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
ELC_logs - �� esetlogcollector
ESVC_USER-��_20221128132436 - �� ESETSysVulnCheck
USER-��_2022-11-28_14-54-12_v4.12.3 - ��

�� . �� . ��, �� -�� .
��:
"�� , �� . �� " (�� , �� )
ESVC_USER-��_20221128132436.zip
USER-��_2022-11-28_14-54-12_v4.12.3.7z
ELC_logs.zip
30.11.2022 09:18:45, �� .

�� .Loki; .Blackbit

Mon, 28 Nov 2022 14:44:58 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
�� ESET Log Collector �� :
https://download.eset.com/com/eset/tools/diagnosis/log_collector/latest/esetlogcol�lector.exe

�� ELC ��, �� :
�� . �� ESET Log Collector �� (�� "�� ").

� �� "�� ESET" �� "�� " � �� . �� , �� , �� , �� "ess_logs.zip". �� , �� "...". �� . �� 20��, �� , � �� .

"SysVulnCheck_out.zip" (��, �� ESETSysVulbCheck)

�� ESETSysVulnCheck[/B] �� (�� IE)
https://ftp.eset.sk/samples/svchecker/ESETSysVulnCheck.exe

� �� . �� , �� , �� - �� "SysVulnCheck_out.zip". �� .
28.11.2022 14:44:58, santy.

�� .Loki; .Blackbit

Mon, 28 Nov 2022 12:33:18 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
��, �� , �� , �� , �� . (�� , �� ...)

�� Locked by Loki
�� , �� *.Loki
�� , �� "�� ."
�� , � �� , � �� .
��
��-�� .

�� 4 �� (�� : 1):

�� (�� 1).zip

� �� , ��

�� (�� ).zip

� ��

�� (�� ).zip

� �� , �� (� �� , �� )

�� (info.hta) ).zip

� �� windows/system32 � ��

�� Cpriv.Loki � Restore-My-Files ��

�� ��  � ��

�� -�� ?
�� (info.hta).rar

�� (�� 1).zip
�� (�� ).zip
�� (�� ).zip
28.11.2022 12:33:18, �� .

�� .Loki; .Blackbit

Thu, 13 Jan 2022 16:43:26 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .

====quote====
�� :
��.

�� . �� , �� , �� .

=============

�� .

�� , �� .

====quote====
��

sample_extension: [][].Loki
ransomnote_email: d4rkw4ve@tutanota.com
=============

https://id-ransomware.malwarehunterteam.com/identify.php?case=a041630780a8095a1119d7bb67c47f614ea306bd

----------------------------

�� , �� liveUSB � ��
�� , ��
https://forum.esetnod32.ru/forum27/topic2102/

�� ESET, �� :
1. �� + �� ( �� ) �� Crypted
2. �� +�� Filecoder � �� infected

3. �� EsetLogCollector
�� ESET Log Collector �� :

https://download.eset.com/com/eset/tools/diagnosis/log_collector/latest/esetlogcollector.exe

4. �� SysVulnCheck
4. �� http://ftp.eset.sk/samples/svchecker/ESETSysVulnCheck.exe.
--------
�� support@esetnod32.ru

�� ��
13.01.2022 16:43:26, santy.

�� .Loki; .Blackbit

Thu, 13 Jan 2022 14:36:03 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
��. �� . �� .
13.01.2022 14:36:03, �� .

�� .Loki; .Blackbit

Thu, 13 Jan 2022 13:14:17 +0300

�� *.Loki; *.Blackbit Loki.Locker � �� .
��.

�� . �� , �� , �� .
��, ��!!!
�� : �� . �� USB. �� . �� - ��. � �� .
�� -�� - �� .
Restore-My-Files.txt
�� - ��.rar
13.01.2022 13:14:17, �� .

����� esetnod32.ru [����: ����� ����������� � ����������� *.Loki; *.Blackbit]

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

����� ����������� � ����������� *.Loki; *.Blackbit

�� esetnod32.ru [��: �� .Loki; .Blackbit]

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit

�� .Loki; .Blackbit