Ransomware Report


Title: Surtr ransomware
Registration date: 2022-09-20


[Virus/Malware Activity Report: Surtr Ransomware]

A security incident presumed to involve Surtr ransomware has occurred.
This report confirms the situation and provides the following warning.

Surtr ransomware

The ransomware in question is called Surtr and is . It appears to change all files by appending the extension [JohnD3crypt@gmail.com].SURT.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Stop security module service/delete backup

    Stop the services of some security programs and delete backup copies.


    [Figure 3 Stop module service / Delete backup]

  • Deleting shadow copies

    Delete shadow copies to prevent restoration of encrypted files.


    [Figure 4 Deleting shadow copies]

  • Disable Windows recovery function

    Disable the Windows recovery function to make recovery difficult for users.


    [Figure 5 Disabling Windows recovery function]

Infection results

Guide files named SURTR_README.txt and SURTR_README.hta are created in each folder, and once encryption is performed, the files are renamed with the extension [JohnD3crypt@gmail.com].SURT.


[Figure 6 Infection result 1]


[Figure 7 Infection result 2]


[Figure 8 Infection result 3]
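
To scope an infection using the indicators described above, the following added example (not part of the original report and not White Defender code) walks a directory tree and reports which folders contain the guide files or files carrying the Surtr extension. The function names and the tolerance for a dot before the marker are assumptions.

```python
import os
from collections import defaultdict

# Indicators taken from the report text; matching is case-insensitive.
ENCRYPTED_SUFFIX = "[JohnD3crypt@gmail.com].SURT"
NOTE_NAMES = {"surtr_readme.txt", "surtr_readme.hta"}


def original_name(filename):
    """Return the pre-encryption name, or None if the file is not marked."""
    if not filename.lower().endswith(ENCRYPTED_SUFFIX.lower()):
        return None
    # Assumption: a dot may separate the original name from the marker.
    return filename[: -len(ENCRYPTED_SUFFIX)].rstrip(".")


def triage(root):
    """Map each folder holding an indicator to its encrypted files, notes
    and the count of files that still look untouched."""
    report = defaultdict(lambda: {"encrypted": [], "notes": [], "untouched": 0})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            entry = report[folder]
            if name.lower() in NOTE_NAMES:
                entry["notes"].append(name)
            elif original_name(name) is not None:
                entry["encrypted"].append(name)
            else:
                entry["untouched"] += 1
    return {f: e for f, e in report.items() if e["encrypted"] or e["notes"]}


def summarise(report):
    """Collapse the per-folder report into counts for scoping the incident."""
    folders = report.values()
    return {
        "affected_folders": len(report),
        "encrypted_files": sum(len(e["encrypted"]) for e in folders),
        "note_only_folders": sum(1 for e in folders if not e["encrypted"]),
        "partially_encrypted_folders": sum(
            1 for e in folders if e["encrypted"] and e["untouched"]),
    }


if __name__ == "__main__":
    import json, sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(summarise(triage(root)), indent=2))
```

Folders that hold a guide file but no renamed files, and folders that mix renamed and untouched files, are counted separately because they indicate where encryption was interrupted or incomplete.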

White Defender compatible

White Defender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that are encrypted before the block takes effect.


[Figure 9 Block message]


[Figure 10 Block message]


[Figure 11 Blocking details]


Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.