Ransomware Report

Title: Ownerd ransomware
Registration date: 2024-09-23
Views: 1040

[Ownerd Ransomware]

[ Virus/malicious code activity report: Ownerd ransomware ]

We are aware of a security breach that is believed to involve Ownerd ransomware. We are providing the following information and warning regarding the situation.

Ownerd ransomware

The ransomware is called Ownerd, and it appears to rename all files to the form filename.extension.[ownerde@cyberfear.com].ownerd.

How it works

File version


[Figure 1 Ransomware executable file compiler information]


[Figure 2 File information in Windows properties]

Ransomware behavior characteristics

  • This ransomware is written in C++. When it attacks, it copies its executable file to the startup program folder under the Roaming location. When checking the drive paths to encrypt, it attacks all drives except network drives. It creates an image in the ProgramData location, named after the generated private key and with the key included inside the image, then sets it as the desktop image. After the attack is complete, a txt-format note is opened, and from then on, each time the user enters Windows, the contents of the note are also displayed in Windows' own message window.


    [Figure 3 Ransomware executable file created in the startup program folder]


    [Figure 4 MS official explanation of internal code and corresponding arguments excluding network (shared) paths]


    [Figure 5 Dynamic code to change the image and desktop containing the generated private key]


    [Figure 6 Message window displayed when entering Windows after infection]

Infection results

A guide file named <#Read-for-recovery.txt> is created in each folder, and each encrypted file is renamed to <file name.extension.[ownerde@cyberfear.com].ownerd>.


[Figure 7 Infection results]
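
A triage sweep for the indicators described above (the appended file suffix, the note file name and the copy placed in the Startup folder), as an added Python example that is not part of the original report or of the vendor's product. The function names are hypothetical, and the Startup path under Roaming is assumed to be the standard Windows per-user location, since the report does not spell it out.

```python
import os
import re
import sys
from pathlib import Path

# Indicators taken from the report text above.
NOTE_NAME = "#Read-for-recovery.txt"
ENC_SUFFIX = ".[ownerde@cyberfear.com].ownerd"
# Original name followed by the appended marker; the original must be non-empty.
ENC_RE = re.compile(r"^(?P<orig>.+)" + re.escape(ENC_SUFFIX) + r"$", re.IGNORECASE)


def original_name(filename):
    """Return the pre-encryption file name, or None if the marker is absent."""
    m = ENC_RE.match(filename)
    return m.group("orig") if m else None


def sweep(root):
    """Walk root and collect renamed files and note files per the report."""
    hits = {"encrypted": [], "notes": [], "errors": []}
    def on_error(err):  # unreadable directories are recorded, not fatal
        hits["errors"].append(str(err.filename))
    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            full = Path(dirpath) / name
            if name.lower() == NOTE_NAME.lower():
                hits["notes"].append(full)
            elif original_name(name) is not None:
                hits["encrypted"].append(full)
    return hits


def startup_executables(appdata):
    """List .exe files in the per-user Startup folder under Roaming (assumed path)."""
    startup = Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    if not startup.is_dir():
        return []
    return sorted(p for p in startup.iterdir() if p.is_file() and p.suffix.lower() == ".exe")


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    result = sweep(root)
    print(f"{len(result['encrypted'])} renamed files, {len(result['notes'])} notes under {root}")
    for exe in startup_executables(os.environ.get("APPDATA", "")):
        print("review Startup entry:", exe)
```

Run it against a mounted copy of the affected volume rather than the live system, and treat any Startup entry it lists as something to review, since the report does not give the executable's file name.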

White Defender Response

WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block.


[Figure 8 Blocking Message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong|Business registration number: 220-81-67981
Copyright ⓒEveryzone , Inc. All Rights Reserved.|