Carlos Ransomware (.[<Random>].[recuper@smime.ninja].nigra) - Videos

Distribution Method : Access using Remote Desktop Protocol (RDP) or a remote program.

Major Characteristics :
- Offline Encryption
- Recovery Partition (F:\) + EFI System Partition (G:\) drives are activate.
- Block processes execution (360doctor.exe, Culture.exe, fdhost.exe, java.exe, sqlservr.exe, WINWORD.exe etc.)
- Stop VSS service
- Change multi services settings (sc config VSS start= disabled)
- Disable system restore (wmic.exe SHADOWCOPY delete /nointeractive, vssadmin.exe Delete Shadows /All /Quiet, vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin.exe Resize ShadowStorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded, bcdedit.exe /set {default} recoveryenabled No, bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures, wbadmin.exe DELETE CATALOG -quiet, wbadmin.exe DELETE SYSTEMSTATEBACKUP, wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteoldest, powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}")
- Delete backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\*.bkf, <Drive Letter>:\*.dsk, <Drive Letter>:\*.set, <Drive Letter>:\*.VHD, <Drive Letter>:\*.wbcat, <Drive Letter>:\*.win, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)
- Empty the trash.