Ransomware Report

Title: Xollam ransomware
Registration date: 2023-08-01

[Virus/malware activity reported: Xollam ransomware]

A security breach believed to involve Xollam ransomware has occurred,
so we are confirming the situation and issuing the following warning.

Xollam ransomware

The ransomware in question is called Xollam and appears to rename all files by appending the .xollam extension to the existing file name and extension.

How it works

File version


[Figure 1 Ransomware compiler information]


[Figure 2 File information in window properties]

Ransomware operation characteristics

  • Disabling backup and security-related functions

    It deletes shadow copies to make it difficult to recover files after encryption, and disables the Windows restore function.


    [Figure 3 Shadow copy deletion command dynamic information]


    [Figure 4 Dynamic information on disabling Windows recovery function]

  • Uninstalling data-related programs

    The ransomware contains the names of specific programs, most of which are data-related programs (SQL) and recovery solutions. It terminates the targeted processes and deletes their services using CMD commands.


    [Figure 5 Static string stored in ransomware]


    [Figure 6 Service deletion dynamic information and input values]
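
The behaviours listed above can be hunted for in process-creation logs. The following is an added example, not part of the original report or of any vendor product: it flags a parent process that spawns several of these behaviours. The exact Xollam commands appear only in the report's figures, so the command patterns (standard Windows utilities), the event field names and the sample events are assumptions.

```python
import re

# Assumed patterns: standard Windows utilities commonly used for each behaviour
# the report lists; the exact Xollam commands are only in the report's figures.
RULES = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    ],
    "service_deletion": [re.compile(r"\bsc(\.exe)?\s+delete\s+\S+", re.I)],
    "process_termination": [re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S+", re.I)],
}

# Constructed process-creation events (hypothetical field names, paths, services).
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\Public\sample.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"parent": r"C:\Users\Public\sample.exe", "cmdline": "cmd.exe /c bcdedit /set {default} recoveryenabled no"},
    {"parent": r"C:\Users\Public\sample.exe", "cmdline": "cmd.exe /c taskkill /f /im sampledb.exe"},
    {"parent": r"C:\Users\Public\sample.exe", "cmdline": "cmd.exe /c sc delete SampleSqlService"},
    {"parent": r"C:\Program Files\Backup\agent.exe", "cmdline": "vssadmin list shadows"},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "sc delete OldPrinterSvc"},
]

def classify(cmdline):
    """Return the behaviour labels whose patterns match one command line."""
    return sorted(n for n, pats in RULES.items() if any(p.search(cmdline) for p in pats))

def triage(events, threshold=2):
    """Flag parent images that spawned at least `threshold` distinct behaviours."""
    seen = {}
    for ev in events:
        for label in classify(ev["cmdline"]):
            seen.setdefault(ev["parent"], set()).add(label)
    # One isolated behaviour (e.g. an admin deleting a service) stays below threshold.
    return {p: sorted(b) for p, b in seen.items() if len(b) >= threshold}

if __name__ == "__main__":
    for parent, behaviours in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {parent}: {', '.join(behaviours)}")
```

Correlating by parent process keeps a single administrative `sc delete` from alerting while still catching the combination the report describes.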

Infection results

A guide file is created in each path. During the encryption process, files are renamed to <file name.extension.xollam>, and the desktop is changed upon completion.


[Figure 7 Infection results]

White Defender compatible

White Defender supports blocking the ransomware before its malicious actions take effect, as well as real-time automatic restoration of the files targeted for encryption.


[Figure 8 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.