Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
  • MD5 : 83e976a155da5a3094715aa369d3fb3c
  • Major Detection Name : DeepScan:Generic.Ransom.Spora.A31C6C6D (BitDefender), Trojan:Win32/Caynamer.A!ml (Microsoft)
  • Encrypted File Pattern : .[<Random>].[].sojusz
  • Payment Instruction File : -----README_WARNING-----.txt
  • Major Characteristics :
     - Offline Encryption
     - Recovery Partition (F:\) and EFI System Partition (G:\) drives are activate.
     - Block processes execution (360doctor.exe, Defwatch.exe, fdlauncher.exe, GDscan.exe, java.exe, qbupdate.exe etc.)
     - Stop multi services (ccEvtMgr, MsDtsServer100, MSSQL, QBIDPService, vmicshutdown, vss etc.)
     - Disable system restore (powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", vssadmin delete shadows /all /quiet, wmic.exe SHADOWCOPY delete /nointeractive, vssadmin.exe Delete Shadows /All /Quiet, vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, wbadmin.exe  - DELETE CATALOG -quiet, wbadmin.exe DELETE SYSTEMSTATEBACKUP, wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteoldest )
    Delete backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\*.bkf, <Drive Letter>:\*.dsk, <Drive Letter>:\*.set, <Drive Letter>:\*.VHD, <Drive Letter>:\*.wbcat, <Drive Letter>:\*.win, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)