Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

  • Distribution Method : Unknown
 
  • MD5 : 86e69065fb7db3c1b360b061ae599f54
 
  • Major Detection Name : HEUR:Trojan-Ransom.Win32.Surtr.gen (Kaspersky), Ransom.Win32.SURTR.SMYXCCCT1 (Trend Micro)
 
  • Encrypted File Pattern : .[Ldedata@mailfence.com].SURT
 
  • Malicious File Creation Location :
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta
     - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt
     - C:\ProgramData\Service
     - C:\ProgramData\Service\BUs.surt
     - C:\ProgramData\Service\ID_DATA.surt
     - C:\ProgramData\Service\Private_DATA.surt
     - C:\ProgramData\Service\Public_DATA.surt
     - C:\ProgramData\Service\reg.surt
     - C:\ProgramData\Service\Service.surt
     - C:\ProgramData\Service\Surtr.exe
     - C:\ProgramData\Service\SURTR_README.hta
     - C:\ProgramData\Service\SURTR_README.txt
     - C:\ProgramData\Service\SurtrIcon.ico
     - C:\Users\%UserName%\AppData\Local\Temp\Service
     - C:\Users\%UserName%\AppData\Local\Temp\Service\ID_DATA.surt
     - C:\Users\%UserName%\AppData\Local\Temp\Service\Private_DATA.surt
     - C:\Users\%UserName%\AppData\Local\Temp\Service\Public_DATA.surt
     - C:\Users\%UserName%\AppData\Local\Temp\Service\SURTR_README.hta
     - C:\Users\%UserName%\AppData\Local\Temp\Service\SURTR_README.txt
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta
     - C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt
     - C:\Windows\System32\Tasks\exp
     - C:\Windows\System32\Tasks\svchos1
     - C:\Windows\System32\Tasks\svchos2
 
  • Payment Instruction File : SURTR_README.hta / SURTR_README.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Turns off User Access Control (UAC)
     - Disable Windows Defender (DisableAntiSpyware)
     - Disable and Blocks Task Manager (DisableTaskMgr)
     - Change encrypted file (.SURT) icon (HKEY_CLASSES_ROOT\.surt)
     - Adds svchos1 and svchos2 to scheduler to execute "C:\ProgramData\Service\Surtr.exe" at user login.
     - Adds exp to scheduler to execute "C:\Windows\explorer.exe" at user login.
     - Stop services execution (Acronis VSS Provider, Enterprise Client Service, Sophos Agent, Sophos AutoUpdate Service, SQLsafe Backup Service, Symantec System Recovery etc.)
     - Disable system restore (vssadmin resize shadowstorage /for=<Drive Letter>:\ /on=<Drive Letter>:\ /maxsize=401MB, vssadmin resize shadowstorage /for=<Drive Letter>:\ /on=<Drive Letter>:\ /maxsize=unbounded, vssadmin Delete Shadows /all /quiet, bcdedit /set {default} recoveryenabled No, bcdedit /set {default} bootstatuspolicy IgnoreAllFailures, reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f, reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f)
     - Delete backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\*.bkf, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)
     - Deletes event log (Analytic, Application, EndpointMapper, HardwareEvents, Internet Explorer, Network Isolation Operational etc.)
     - Changes desktop background (C:\ProgramData\Service\SurtrBackGround.jpg)

List

위로