[ Sola Ransomware ]
[ Virus/malicious code activity reported: Sola ransomware ]
A security breach suspected to be caused by Sola ransomware has occurred.
We would like to provide the following information and warning regarding the situation.
Sola ransomware
The ransomware is called Sola, and it appears to rename all files to the form filename.extension.sola.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
This is C++-based ransomware that, when first executed, re-executes itself with the argument value “--food”. It uses the SHGetKnownFolderPath API to include public paths in other profiles as targets, and then additionally encrypts drives A to Z.
[Figure 3 Internal code re-executed using “--food”]
[Figure 4 Argument values entered into the re-executed process]
[Figure 5 Internal code for searching paths and drives in the profile using API functions]
Infection results
A guide file named <README.txt> is created in each folder location, and each encrypted file is renamed to <file name.extension.sola>. Because the purpose of the attack is the encryption itself, the ransomware's note contains no recovery key-related information.
[Figure 6 Infection results]
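One way to hunt for the behaviours described above (self re-execution with “--food”, files renamed to name.extension.sola, a README.txt in each affected folder), added here as an example and not taken from the original report or from WhiteDefender. The event schema, field names, sample events and the `min_dirs` threshold are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical schema (not a real log format).
EVENTS = [
    {"type": "proc", "pid": 100, "image": r"C:\Users\a\Downloads\inv.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Users\a\Downloads\inv.exe"},
    {"type": "proc", "pid": 101, "image": r"C:\Users\a\Downloads\inv.exe",
     "parent_image": r"C:\Users\a\Downloads\inv.exe", "cmdline": r"C:\Users\a\Downloads\inv.exe --food"},
    {"type": "file", "pid": 101, "path": r"C:\Users\Public\Documents\plan.docx.sola"},
    {"type": "file", "pid": 101, "path": r"C:\Users\Public\Documents\README.txt"},
    {"type": "file", "pid": 101, "path": r"D:\share\q3.xlsx.sola"},
    {"type": "file", "pid": 101, "path": r"D:\share\README.txt"},
    {"type": "file", "pid": 200, "path": r"C:\proj\README.txt"},  # benign: note name alone
    {"type": "proc", "pid": 300, "image": r"C:\tools\cook.exe",   # benign: different parent image
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\tools\cook.exe --food"},
]

def detect_sola(events, min_dirs=2):
    """Return {pid: [reasons]} for processes matching the behaviours described above."""
    respawned, enc_dirs, note_dirs = set(), defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] == "proc":
            same_image = ev["image"].lower() == ev["parent_image"].lower()
            if same_image and "--food" in ev["cmdline"].split():
                respawned.add(ev["pid"])
        elif ev["type"] == "file":
            folder, name = ntpath.split(ev["path"])
            # name.ext.sola: the original extension is kept and ".sola" is appended
            if name.lower().endswith(".sola") and name.count(".") >= 2:
                enc_dirs[ev["pid"]].add(folder.lower())
            elif name.lower() == "readme.txt":
                note_dirs[ev["pid"]].add(folder.lower())
    findings = {}
    for pid in respawned | set(enc_dirs):
        reasons = []
        if pid in respawned:
            reasons.append("self re-execution with --food")
        hit = enc_dirs[pid] & note_dirs[pid]  # folders holding both .sola files and the note
        if len(hit) >= min_dirs:
            reasons.append(f".sola files plus README.txt in {len(hit)} folders")
        if reasons:
            findings[pid] = reasons
    return findings
```

Requiring the parent and child image to match keeps an unrelated program that happens to accept “--food” from being flagged, and pairing `.sola` files with the note in the same folder avoids alerting on an ordinary README.txt.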
WhiteDefender Response
WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block.
[Figure 7 Blocking Message]