Carlos Ransomware (.[<Random>].[honestandhope@qq.com].makop) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services

MD5 : 26c0fd287f6db0b8ee2b71aaf8cd62d3

Major Detection Name : TR/AD.PhobosRansom.yzerf (Avira), Trojan:Win32/Vigorf.A (Microsoft)

Encrypted File Pattern : .[<Random>].[honestandhope@qq.com].makop

Malicious File Creation Location :
- <Drive Letter>:\YOUR_FILES_ARE_ENCRYPTED
- <Drive Letter>:\YOUR_FILES_ARE_ENCRYPTED\readme-warning.txt

Payment Instruction File : readme-warning.txt

Major Characteristics :
- Offline Encryption
- Use a 1b337401jT42bda7iWbat0 Digital Signatures
- Block processes execution (agntsrvc.exe, mysqld-opt.exe, outlook.exe, steam.exe, thebat.exe, xfssvccon.exe etc.)
- Disable system restore (vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet, wmic shadowcopy delete)