Surtr Ransomware (.[DecryptMyData@mailfence.com].SURT)

  • Distribution Method : Unknown
 
  • MD5 : e6fc190168519d6a6c4f1519e9450f0f
 
  • Major Detection Name : Win64/Filecoder.Hansom (ESET), Ransom.Surtr (Malwarebytes)
 
  • Encrypted File Pattern : .[DecryptMyData@mailfence.com].SURT
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt
     - C:\ProgramData\Service
     - C:\ProgramData\Service\BUs.surt
     - C:\ProgramData\Service\ID_DATA.surt
     - C:\ProgramData\Service\Private_DATA.surt
     - C:\ProgramData\Service\Public_DATA.surt
     - C:\ProgramData\Service\reg.surt
     - C:\ProgramData\Service\Service.surt
     - C:\ProgramData\Service\SURTR_README.hta
     - C:\ProgramData\Service\SURTR_README.txt
     - C:\ProgramData\Service\Surtr.exe
     - C:\ProgramData\Service\SurtrIcon.ico
     - C:\Users\%UserName%\AppData\Local\Temp\Service
     - C:\Users\%UserName%\AppData\Local\Temp\Service\ID_DATA.surt
     - C:\Users\%UserName%\AppData\Local\Temp\Service\Private_DATA.surt
     - C:\Users\%UserName%\AppData\Local\Temp\Service\Public_DATA.surt
     - C:\Users\%UserName%\AppData\Local\Temp\Service\Surtr.exe
     - C:\Users\%UserName%\AppData\Local\Temp\Service\SURTR_README.hta
     - C:\Users\%UserName%\AppData\Local\Temp\Service\SURTR_README.txt
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt
     - C:\Windows\System32\Tasks\exp
     - C:\Windows\System32\Tasks\svchos1
     - C:\Windows\System32\Tasks\svchos2
 
  • Payment Instruction File : SURTR_README.hta / SURTR_README.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Turns off User Account Control (UAC)
     - Disables and blocks Task Manager (DisableTaskMgr)
     - Changes the icon of encrypted files (.SURT) (HKEY_CLASSES_ROOT\.surt)
     - Disables Windows Defender (DisableAntiSpyware)
     - Adds the scheduled tasks svchos1 and svchos2 to execute "C:\ProgramData\Service\Surtr.exe" at user login.
     - Adds the scheduled task exp to execute "C:\Windows\explorer.exe" at user login.
     - Stops services (Acronis VSS Provider, Enterprise Client Service, Sophos AutoUpdate Service, SQLsafe Backup Service, Symantec System Recovery, Veeam Backup Catalog Data Service etc.)
     - Disables system restore:
        - vssadmin Delete Shadows /all /quiet
        - bcdedit /set {default} recoveryenabled No
        - bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - vssadmin resize shadowstorage /for=<Drive Letter>:\ /on=<Drive Letter>:\ /maxsize=401MB
        - reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
        - reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
     - Deletes backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)
     - Deletes event logs (Analytic, Application, DebugChannel, DirectShowFilterGraph, Els_Hyphenation/Analytic, EndpointMapper etc.)
     - Changes desktop background (C:\ProgramData\Service\SurtrBackGround.jpg)
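
The system-restore commands listed above can be hunted in process-creation telemetry. The following is an added detection sketch, not AppCheck code: it flags a host only when several of those commands run close together, since a single one (for example a shadow storage resize) can be routine administration. The host names, timestamps, event tuples, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns built only from the system-restore commands listed above.
RULES = {
    "shadow_copy_delete": r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b",
    "shadow_storage_resize": r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b",
    "boot_recovery_disabled": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    "boot_failures_ignored": r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "system_restore_policy": r"\breg(\.exe)?\s+add\b.*\\SystemRestore\b.*"
                             r"\s/v\s+(DisableConfig|DisableSR)\b.*\s/d\s+1\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}
WINDOW_SECONDS = 300  # assumption: correlation window, tune per environment
MIN_DISTINCT = 2      # assumption: distinct rules needed before alerting

def match_rules(cmdline):
    """Return the names of all rules that match one command line."""
    return {name for name, rx in COMPILED.items() if rx.search(cmdline)}

def correlate(events):
    """events: (host, epoch_seconds, command_line) -> {host: sorted rule names}."""
    hits = defaultdict(list)
    for host, ts, cmdline in events:
        hits[host].extend((ts, name) for name in match_rules(cmdline))
    alerts = {}
    for host, rows in hits.items():
        best = set()
        for start, _ in rows:  # try a window opening at every hit
            names = {n for t, n in rows if 0 <= t - start <= WINDOW_SECONDS}
            best = max(best, names, key=len)
        if len(best) >= MIN_DISTINCT:
            alerts[host] = sorted(best)
    return alerts

# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    ("WS-01", 1000, r"vssadmin Delete Shadows /all /quiet"),
    ("WS-01", 1002, r"bcdedit /set {default} recoveryenabled No"),
    ("WS-01", 1003, r"bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"),
    ("WS-01", 1005, r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft'
                    r'\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f'),
    ("SRV-02", 500, r"vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=10GB"),
    ("SRV-02", 90000, r"bcdedit /set {default} recoveryenabled No"),  # outside window
    ("WS-03", 700, r"vssadmin list shadows"),  # benign query, matches no rule
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules)
```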