Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
- MD5 : 83e976a155da5a3094715aa369d3fb3c
- Major Detection Name : DeepScan:Generic.Ransom.Spora.A31C6C6D (BitDefender), Trojan:Win32/Caynamer.A!ml (Microsoft)
- Encrypted File Pattern : .[<Random>].[ustedesfil@safeswiss.com].sojusz
- Payment Instruction File : -----README_WARNING-----.txt
- Major Characteristics :
- Offline Encryption
- Recovery Partition (F:\) and EFI System Partition (G:\) drives are activate.
- Block processes execution (360doctor.exe, Defwatch.exe, fdlauncher.exe, GDscan.exe, java.exe, qbupdate.exe etc.)
- Stop multi services (ccEvtMgr, MsDtsServer100, MSSQL, QBIDPService, vmicshutdown, vss etc.)
- Disable system restore (powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}", vssadmin delete shadows /all /quiet, wmic.exe SHADOWCOPY delete /nointeractive, vssadmin.exe Delete Shadows /All /Quiet, vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, wbadmin.exe - DELETE CATALOG -quiet, wbadmin.exe DELETE SYSTEMSTATEBACKUP, wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteoldest )
Delete backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\*.bkf, <Drive Letter>:\*.dsk, <Drive Letter>:\*.set, <Drive Letter>:\*.VHD, <Drive Letter>:\*.wbcat, <Drive Letter>:\*.win, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)