Carlos Ransomware (.[<Random>].[icq-is-firefox20@ctemplar.com].mkp) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Unknown

MD5 : 353e892fd1c46213cc80334d33263f7d

Major Detection Name : Ransom:Win32/Phobos.PB!MTB (Microsoft), Ransom.Win32.MAKOP.SMYXCBKT (Trend Micro)

Encrypted File Pattern : .[<Random>].[icq-is-firefox20@ctemplar.com].mkp

Malicious File Creation Location :
- <Drive Letter>:\YOUR_FILES_ARE_ENCRYPTED
- <Drive Letter>:\YOUR_FILES_ARE_ENCRYPTED\+README-WARNING+.txt

Payment Instruction File : +README-WARNING+.txt

Major Characteristics :
- Offline Encryption
- Block processes execution (dbeng50.exe, FTPWREVT.exe, mysqld.exe, ocssd.exe, onenote.exe, sqlceip.exe etc.)
- Disable system restore (vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet, wmic shadowcopy delete)
- Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\<Random>.tmp.bmp)