Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services
  • MD5 : 627e9322ce7de02bf5289dc44af7e4ed
  • Major Detection Name : A variant of Win32/Filecoder.OFO (ESET), W32/Filecoder.OFO!tr.ransom (Fortinet)
  • Encrypted File Pattern : .faratacks
  • Malicious File Creation Location : C:\Users\%UserName%\AppData\Local\<Random>.exe
  • Payment Instruction File : How_to_recovery.txt
  • Major Characteristics :
     - Offline Encryption
     - Fake Globe / PSCrypt Ransomware series
     - Recovery Partition (A:\) + EFI System Partition (B:\) drives are activate.
     - Disable system restore (vssadmin.exe Delete Shadows /All /Quiet)
     - Initializing the Terminal Server Client Registry (reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f, reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f, reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers")