[Payola ransomware]
[Virus/malware activity reported: Payola ransomware]
Following a breach believed to involve Payola ransomware,
we are confirming the situation and issuing the following warning.
Payola Ransomware
The ransomware in question is called Payola. It appears to rename every file it encrypts, building the new name from the file name, the extension, and an individual random 5 digits.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
Data-related process attacks
The ransomware is built on .NET (C#). Once executed, it registers itself as a startup program, creates a desktop image with a random name in the Temp folder, and forcibly terminates data management programs (e.g., SQL) and dynamic debugging programs.
[Figure 3: Static code for ransomware registration in startup program and values registered after execution]
[Figure 4 Desktop image created in Temp folder]
[Figure 5 Static code for list of processes subject to forced termination]
[Figure 6 Folders excluded when searching driver path]
[Figure 7 Extensions excluded when searching files]
[Figure 8 List of extensions of files designated as basic attack targets]
Infection results
A file named Readme.html is created on the desktop and in each folder. During encryption, files are renamed to <file name.extension.individual random 5 digits>.
[Figure 4 Infection results]
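The two artifacts described above (a Readme.html note in each folder and files renamed with a trailing 5-digit suffix) can be combined into a simple triage sweep. The following is an added example, not code from the vendor or the original report; it assumes the suffix is exactly five decimal digits, and the function names and the `min_hits` threshold are hypothetical.

```python
import os
import re
import tempfile

# Assumption: "individual random 5 digits" = exactly five decimal digits
# appended after the original extension, e.g. report.docx.48213
RENAMED = re.compile(r"^(?P<stem>.+\.[^.]+)\.(?P<tag>\d{5})$")
NOTE_NAME = "readme.html"  # note file name reported on the page

def scan(root, min_hits=3):
    """Map each suspicious folder to its renamed files and distinct suffixes.

    A folder is flagged only when the note file is present AND at least
    min_hits files match the rename pattern, which keeps a lone file such
    as 'backup.tar.20240' from raising an alert by itself.
    """
    findings = {}
    for folder, _dirs, files in os.walk(root):
        has_note = any(f.lower() == NOTE_NAME for f in files)
        hits = [(f, m.group("tag")) for f in sorted(files)
                if (m := RENAMED.match(f))]
        if has_note and len(hits) >= min_hits:
            findings[folder] = {
                "files": [f for f, _ in hits],
                "suffixes": sorted({tag for _, tag in hits}),
            }
    return findings

def build_sample(root):
    """Create a constructed directory tree (not real infection data)."""
    layout = {
        "docs": ["Readme.html", "a.docx.48213", "b.xlsx.48213", "c.pdf.48213"],
        "clean": ["notes.txt", "backup.tar.20240", "Readme.html"],
        "photos": ["x.jpg.11111", "y.png.22222", "z.gif.33333"],  # no note
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, info in scan(tmp).items():
            print(folder, info["suffixes"], info["files"])
```

The `suffixes` list shows whether the flagged files in a folder share one suffix or carry different ones, which is worth recording during triage because the report does not say which is the case.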
White Defender compatible
White Defender supports blocking the ransomware's malicious actions and real-time automatic restoration of the files that would be encrypted.
[Figure 5 Block message]