Carlos Ransomware (.[<Random>].[hopeandhonest@smime.ninja].mkp) - Videos - CheckMAL

Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Distribution Method : Remote access through Remote Desktop Protocol(RDP) or Terminal Services

MD5 : 65b228bf3272e41025480c9780f7cdd3

Major Detection Name : Ransom:Win32/Phobos.PB!MTB (Microsoft), Ransom.Makop!g1 (Symantec)

Encrypted File Pattern : .[<Random>].[hopeandhonest@smime.ninja].mkp

Malicious File Creation Location :
- <Drive Letter>:\YOUR_FILES_ARE_ENCRYPTED
- <Drive Letter>:\YOUR_FILES_ARE_ENCRYPTED\+README-WARNING+.txt

Payment Instruction File : +README-WARNING+.txt

Major Characteristics :
- Offline Encryption
- Block processes execution (avpsus.exe, encsvc.exe, excel.exe, oracle.exe, outlook.exe, visio.exe etc.)
- Disable system restore (vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet, wmic shadowcopy delete)
- Changes desktop background (C:\Users\%UserName%\AppData\Local\Temp\<Random>.tmp.bmp)