Ransom.Win32.MOUNTLOCKER.A
Aliases: HEUR:Trojan-Ransom.Win32.Encoder.gen (KASPERSKY); W32/Kryptik.HGEX!tr (FORTINET)
Platform: Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It encrypts files with specific file extensions. It drops files as ransom notes.
TECHNICAL DETAILS
File Size: 190,464 bytes
File Type: DLL
Memory Resident: Yes
Initial Samples Received Date: 18 Sep 2020
Payload: Drops files, Displays message/message boxes, Terminates processes
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops the following files:
- %User Temp%\{8 Characters}.bat
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It adds the following processes:
- %System%\vssadmin.exe delete shadows /all /Quiet
- cmd/c %User Temp%\{8 Characters}.bat "" → Hide and Delete files in {Malware Folder}
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32 on all Windows operating system versions.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- {32 Hex Characters generated from Volume Serial ID}
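The two process launches listed above are the most practical detection points in this section. The following is an added example, not part of the original report or of any vendor tooling: it matches both command lines in process-creation events and grades a host higher when one parent process shows both. The event tuples, host names, PIDs and the same-parent assumption are constructed for illustration.

```python
import re
from collections import defaultdict

# vssadmin.exe delete shadows /all /Quiet (argument order and case may vary)
VSS_DELETE = re.compile(
    r'\bvssadmin(?:\.exe)?\b(?=.*\bdelete\b)(?=.*\bshadows\b)(?=.*/all\b)', re.I)
# cmd /c (or cmd/c) running a .bat with an 8-character name from a Temp folder
TEMP_BAT = re.compile(
    r'\bcmd(?:\.exe)?"?\s*/c\s+"?(?P<path>[^"]*\\temp\\[^\\"\s]{8}\.bat)\b', re.I)


def classify(command_line):
    """Return the behaviours from this report that one command line matches."""
    hits = set()
    if VSS_DELETE.search(command_line):
        hits.add("shadow_copy_deletion")
    if TEMP_BAT.search(command_line):
        hits.add("temp_batch_cleanup")
    return hits


def correlate(events):
    """Group hits by (host, parent_pid) and grade them.

    Assumption: both commands are children of the same ransomware process,
    so seeing both under one parent is graded higher than either alone.
    """
    seen = defaultdict(set)
    for host, parent_pid, command_line in events:
        hits = classify(command_line)
        if hits:
            seen[(host, parent_pid)] |= hits
    return {key: ("high" if len(hits) == 2 else "medium", sorted(hits))
            for key, hits in seen.items()}


# Constructed process-creation events: (host, parent PID, command line).
SAMPLE_EVENTS = [
    ("WS01", 4120, r"C:\Windows\System32\vssadmin.exe delete shadows /all /Quiet"),
    ("WS01", 4120, r'cmd/c C:\Users\alice\AppData\Local\Temp\a1b2c3d4.bat ""'),
    ("WS02", 900, r"vssadmin.exe list shadows"),  # benign query
    ("WS02", 900, r"cmd /c C:\Users\bob\AppData\Local\Temp\setup_installer.bat"),
    ("SRV3", 77, r"VSSADMIN Delete Shadows /All"),  # one behaviour only
]

if __name__ == "__main__":
    for (host, ppid), (grade, hits) in correlate(SAMPLE_EVENTS).items():
        print(f"{host} parent={ppid} {grade}: {', '.join(hits)}")
```

Shadow-copy deletion on its own also occurs in legitimate administration, which is why a single hit is graded "medium" here rather than treated as conclusive.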
Other System Modifications
This Ransomware adds the following registry entries:
HKEY_CURRENT_USER\Software\Classes\.{Generated ID}\shell\Open\command
(Default) = explorer.exe RecoveryManual.html
Process Termination
This Ransomware terminates the following processes if found running in the affected system's memory:
- agntsvc
- bengine
- benetns
- beremote
- beserver
- dbeng50
- dbsnmp
- dfssvc
- dfsrs
- EduLink2SIMS
- encsvc
- excel
- fdhost
- firefox
- infopath
- isqlplussvc
- msaccess
- mspub
- mydesktopservice
- mydesktopqos
- mysql
- ocautoupds
- ocomm
- ocssd
- onenote
- oracle
- outlook
- OWSTIMER
- postgres
- powerpnt
- pvlsvr
- SAVAdminService
- SavService
- sqbcoreservice
- sophos
- steam
- swc_service
- synctime
- tbirdconfig
- thebat
- thunderbird
- veeam
- visio
- VxLockdownServer
- winword
- wordpad
- wsstracing
- WSSADMIN
- xfssvccon
Other Details
This Ransomware does the following:
- Accepts the following arguments:
  - /log:{C|F}
    - F - Creates a log file
    - C - Shows a console window
  - /scan:{l|L,n|N,s|S}
    - l|L - Encrypts only local drives
    - n|N - Encrypts only network drives
    - s|S - Encrypts only network shares
  - /marker:{Filename}
    - Drops a file in the infected drive that serves as an infection marker
    - Filename cannot have the following characters {., -, _}
  - /nodel
    - Does not drop the .bat file, and does not hide and delete the files in {Malware Folder}
- It modifies the registry so that opening an encrypted file opens the ransom note.
Ransomware Routine
This Ransomware encrypts files with the following extensions:
000 001 1 101 103 108 110 123 128 1cd 1sp 1st 3 3d 3d4 3dd 3df 3df8 3dm 3dr 3ds 3dxml 3fr 3g2 3ga 3gp 3gp2 3mm 3pr 3w 4w7 602 7z 7zip 8 89t 89y 8ba 8bc 8be 8bf 8bi8 8bl 8bs 8bx 8by 8li 8svx 8xt 9xt 9xy dct d d3dbsp dac dadx dag dal dap darkness das dash dat database datx dayzprofile dazip db db-journal db0 db3 db_journal dba dbb dbc dbf dbfv dbk dbr dbs dbx dc2 dc4 dca dcd dcf dch dco dcp dcr dcs dct5 dcu ddc ddcx ddd ddif ddoc ddrw dds deb debian dec ded default del dem der des desc description design desklink det deu dev dex dfe dfl dfm dft dfti dgc dgm dgn dgpd dgr dgrh dgs dhe dic did dif dii dim dime dip dir directory disc disco disk dit divx diz djbz djv djvu dk@p dlc dlg dmbk dmg dmp dmtemplate dmv dna dng dnl dob doc doc# docb doce docenx dochtml docl docm docmhtml docs docset docstates doct documentrevisions-v100 docx docxl docxml dok dot dothtml dotm dotmenx dotx dotxenx dox doxy doz dp dpd dpi dpk dpl dpr drd dream drf drm drmx drmz drw dsc dsd dsdic dsf dsg dsk dsl dsn dsp dsy dtd dtm dtml dtp dtx dump dvb dvd dvi dvs dvx dvz dwd dwdoc dwf dwfx dwg dwlibrary dwp dwt dxb dxd dxe dxf dxg dxn dxr dxstudio dzp a$v a2c a5zfn aa aa3 aaa aac aaf aah aaui ab4 ab65 abc abk abt abw ac2 ac3 ac5 acc accdb accde accdr accdt ace acf ach acp acr acrobatsecuritysettings acrodata acroplugin acrypt act ad ada adb adc add ade adi adoc ados adox adp adpb adr ads adt aea aec aep aepx aes aet afdesign afm afp agd1 agdl age3rec age3sav age3scn age3xrec age3xsav age3xscn age3yrec age3ysav age3yscn ahf ai aif aiff aim aip ais ait ak al al8 ala alb3 alb4 alb5 alb6 ald ali allet alt3 alt5 amf aml amr amt amu amx amxx anl ann ans ansr anx aoi ap apa apd ape apf api apj apk apnx apo app approj apr apt apw apxl arc arch00 arff ari arj aro arr ars arw as as$ as3 asa asc ascm ascx asd ase asf ashx ask asl asm asmx asn asnd asp aspx asr asset ast asv asvx asx ath atl atomsvc atw automaticdestinations-ms aux av avi avn avs awd awe awg awp aws awt aww awwp ax axx azf azs azw azw1 azw3 
azw4 b b2 b27 b2a back backup backupdb bad bak bak~ bamboopaper bank bar bau bax bay bbcd bbl bbprojectd bbs bbxt bc5 bc6 bc7 bcd bck bcp bdb bdb2 bdp bdr bdt2 bdt3 bean bfa bgt bgv bi8 bib bibtex bic big bik bil bin bina bitstak bizdocument bjl bk bk! bk1 bk2 bk3 bk4 bk5 bk6 bk7 bk8 bk9 bkf bkg bkp bks bkup bld blend blend2 blg blk blm blob blp bmc bmf bmk bml bmm bmml bmp bmpr bna boc book bop bp1 bp2 bp3 bpf bpk bpl bpm bpmc bps bpw brd breaking_bad brh brl brs brx bsa bsk bso bsp bst btc btd btf btoa btx burn burntheme bvd bwd bwf bwp bxx bzabw c c2e c6 cache cad cadoc cae cag calca cam camproj cap capt car caro cas cat catdrawing catfct catpart catproduct cawr cbf cbor cbr cbz cc ccc cccrrrppp ccd ccf cch ccitt cd cd1 cd2 cdc cdd cddz cdf cdi cdk cdl cdm cdml cdmm cdmz cdpz cdr cdr3 cdr4 cdr5 cdr6 cdrw cds cdt cdtx cdw cdx cdxml ce1 ce2 cef cer cerber cerber2 cerber3 cerc cert cf5 cfd cfg cfm cfp cfr cgf cgfiletypetest cgi cgm cgp cgr chi chk chm chml chmprj chp chpscrap cht chtml cib cida cif cipo civ4worldbuildersave civbeyondswordsave cl2arc cl2doc clam clarify class clb clkd clkt clp clr cls clx cmf cml cmp cms cmt cmu cnf cng cnt cnv cod col comicdoc comiclife compositionmodel compositiontemplate con conf config contact converterx coverton cp cpc cpd cpdt cphd cpi cpio cpp cpr cpy cr2 crashed craw crb crd creole cri crinf crjoker crptrgr crs crs3 crt crtr crw crwl cry cryp1 crypt crypted cryptolocker cryptowall cryptra crypz cs cs8 csa cse csh csi csl cso csp csr css cst csv ctbl ctd cte ctf ctl ctt ctxt cty cue current cvj cvl cvw cw3 cwf cwk cwn cwr cws cwwp cyi cys czvxce e3s e4a eap easmx ebc ebk ebs ec4 ecc ecr edb edd edf edl edml edn edoc edrwx edt edz efa efax eff efl efm efr eftx efu efx egr egt ehp eif eip ekm el6 eld elf elfo eln emc emf eml emlxpart emm enc enciphered encrypt encrypted enfpack enigma ent enx enyd eob eot ep epdf epf epk eprtx eps epsf ept epub eql erbsql erd ere erf err es es3 esc esd esf esm esp ess esv et ete etng etnt ets 
etx euc evf evo evy ewl ex exc exd exf exif exprwdhtml exprwdxml exx ez ezc ezm ezs ezz f4v f90 f96 fac fadein fae fantom faq fax fb2 fbd fbp6 fbs fcd fcf fcstd fd fdb fdf fdoc fdr fds fdseq fdw fdx fed feed-ms feedsdb-ms ff ffa ffd ffdata fff ffl ffo fft ffx fh fhd fig fin fl fla flac flag flat flf flib flka flkb flm flp fls flt fltr flv flvv fly fm fm3 fmc fmd fmf fml fmp fmp3 fnf fo fodg fodp fods fodt folio for forge fos fountain fp fpage fpdoclib fpenc fphomeop fpk fplinkbar fpp fpt fpx fra frag frdat frdoc freepp frelf frm fs fsc fsd fsf fsh fsp fss ft10 ft11 ft7 ft8 ft9 ftil ftr fun fwk fwtemplate fxd fxg fxo fxr fzh fzip ga3 gam gan gbr gcsx gct gdb gdc gdoc ged gev gevl gfe gform gfx ggb ghe gho ghs gif gil giw glink glk glo glos gly gml gmp gnd gno gofin good gp4 gpd gpf gpg gpn gpx gpz gra grade gray grey grf grk grle groups gry gs gsa gsf gsheet gslides gsm gthr gtp gui gul gv gvi gxk gxl gz gzig gzip h h1q h1s h1w h2o h3m h4r ha3 haml hbk hbl hbx hcl hcw hda hdd hdl hdr hdt hdx hed help helpindex herbst hex hfd hft hhs hkdb hkx hlf hlp hlx hlx2 hlz hm2 hmskin hnd hoi4 hot hp2 hpd hpj hplg hpo hpp hps hpt hpw hqx hrx hs hsm hsx hta htm html htmls htmlz htms htm~ htpasswd htz5 hvpl hw3 hwp hwpml hwt hxe hxi hxq hxr hxs hyp hype iab iaf ial ibank ibcd ibd ibk ibooks ibz icalevent icaltodo icc icml icmt ico ics icst icxs idap idc idd idl idml idp idx ie5 ie6 ie7 ie8 ie9 iff ifp ign igr igs ihf ihp iif iiq iks ila ildoc img imp imr incp incpas ind indb indd indl indp indt inf info ink inld inlk inp inprogress inrs inss installhelper insx internetconnect inx ioca iof ipa ipf ipr ish1 ish2 ish3 iso ispx isu isz itdb ite itl itm itmz itp its ivt iw44 iwa iwd iwi iwprj iwtpl ix ixv jac jar jav java jb2 jbc jbig jbig2 jc jdd jfif jge jgz jhd jiaf jias jif jiff jnt joe jp1 jpc jpe jpeg jpf jpg jpgx jpm jpw jrf jrl jrprint js jsd json jsp jspa jspx jtd jtdc jtt jtx just jw jwl jww k25 kbd kbf kc2 kdb kdbx kdc kde kdf kernel_complete kernel_pid kernel_time kes key 
key-tef keybtc@inbox_com keynote kf kfm kfp kid kimcilware kkk klq klw kml kmz knt kos kpdx kpr kraken kratos ksd ksp kss ksw kuip kwd kwm kwp laccdb lastlogin lat latex lax lay lay6 layout lbf lbi lbl lcd lcf lcn ldb ldf lechiffre legion lfe lgp lhd lib lit litemod ll3 llv lmd lngttarch2 localstorage locked locky log logonxp lok lol! lot lp lp2 lp7 lpa lpc lpd lpdf lpx lrf ls5 lst ltcx ltm ltr ltx lua lvd lvivt lvl lvw lwd lwo lwp lyx m m13 m14 m2 m2ts m3u m3u8 m4a m4p m4u m4v m7p ma maca mag magic maker maml man manu map mapimail marc markdn mars mass max maxfr maxm mb mbbk mbox mbx mc9 mcd mcdx mcf mcgame mcmac mcmeta mcrp mcw md md0 md1 md2 md3 md5 mda mdb mdbackup mdbhtml mdc mdccache mddata mdf mdg mdi mdk mdl mdn mds mecontact med mef meh mell mellel menu meo met metadata_never_index mf mfa mfp mfw mga mgmt mgourmet mgourmet3 mhp mht mhtenx mhtmlenx mi mic micro mid mif mim mime mindnode mip mission mix mjd mjdoc mke mkv mla mlb mlj mlm mls mlsxml mlx mm mm6 mm7 mm8 mmap mmc mmd mme mmjs mml mmo mmsw mmw mny mo mobi mod moneywell mos mov movie moz mp1 mp2 mp3 mp4 mp4v mpa mpe mpeg mpf mpg mph mpj mpp mpq mpqge mpr mpt mpv mpv2 mrd mru mrw mrwref ms ms-tnef msd mse msg mshc msi msie msl mso msor msp msq msw mswd mtdd mtml mto mtp mts mtx mug mvd mvdx mvex mwd mwii mwpd mwpp mws mxd mxg mxp myd mydocs myi mz n3 narrative nav navmap nb nbak nbf nbk nbp ncd ncf nd ndd ndf ndl ndr nds ne1 ne3 nef nfo nfs11save ng njx nk2 nmbtemplate nmu nokogiri nop note now npd npdf npp npt nrbak nrg nri nrl nrmlib nrw ns2 ns3 ns4 nsd nsf nsg nsh nst ntf ntl ntp nts number numbers nvd nvdl nvram nwb nwbak nwcab nwcp nx1 nx2 nx^d nx__ nxl nyf oa2 oa3 oab oad oas obd obj obr obt obx obz ocdc ocs oda odb odc odccubefile odcodc odf odg odh odi odif odm odo odp ods odt odt# odttf odz officeui ofn oft oga ogc ogg oil ojz okm ole ole2 olf olv oly omlog omp onb one oos oot opd opf opj oplx opn opt opx opxs orf ort osd osdx ost otc otf otg oth oti otn otp ots ott otw out ovd owl oxps oxt 
p10 p12 p2s p3x p5tkjw p65 p7b p7c p7z pab pack pad padcrypt pages pages-tef pak paq pas pat paux paym paymrss payms paymst paymts payrms pays pbd pbf pbk pbp pbr pbs pbx5script pbxscript pcd pcf pcj pct pcv pcw pd pdb pdc pdcr pdd pdf pdf_ pdf_profile pdf_tsid pdfa pdfe pdfenx pdfl pdfua pdfvt pdfx pdfxml pdfz pdg pdp pdz peb pef pem pez pf pfc pfd pfl pfm pfsx pft pfx pg pgs php phr phs pif pih pixexp pj2 pj4 pj5 pk pkb pkey pkg pkh pkpass pl plan plb plc pld pli pln plus_muhd pm pm3 pm4 pm5 pm6 pm7 pmd pmt pmv pmx png pnu po poar2w pod pool pot pothtml potm potx pp3 ppam ppd ppdf ppf ppj ppp pps ppsenx ppsm ppsx ppt ppte ppthtml pptl pptm pptmhtml pptt pptx ppws ppx prc prd pref prel prf prj prn pro pro4 pro4dvd pro5 pro5dvd pro5plx pro5x proofingtool props proqc prproj prr prs prt prtc prv ps ps2 ps3 psa psafe3 psb psd pse8db psf psg psi2 psip psk psmd pspimage pst psw psw6 pswx psz pszx pt3 pt6 ptc ptf pth ptk ptn ptn2 pts ptx pub pubf pubhtml pubmhtml pubx purge puz pvd pve pvf pw pwd pwe pwf pwi pwm pwp pwre pxd pxl pxp py pys pzc pzdc pzf pzt qba qbb qbl qbm qbr qbw qbx qby qch qcow qcow2 qct qdf qed qel qfl qfxx qhp qht qhtm qic qif qlgenerator qpx qrt qt qtq qtr qtw quox qvw qwd qwt qxb qxd qxl qxp qxt r00 r01 r02 r03 r0f r0z r3d r5a ra ra2 raf ram ramd rap rar rat raw razy rb rbc rcb rd rd1 rdb rdf rdfs rdi rdm rdo rdoc rdoc_options rdz re4 rec recources rekt rels res resbuild rest result rev rf rf1 rft rgn rgo rgss3a rha rhif rim rit rlf rll rm rm5 rmd rmf rmh rna rnd rng rnt rnw ro3 rofl roi rokku ros rov row rox rpf rpt rptr rrd rrk rrpa rrt rrx rs rsdf rsdoc rsm rsp rsrc rss rst rsw rt rt_ rtdf rte rtf rtf_ rtfd rtk rtpi rts rtsl rtsx rtx rum run rv rvf rvt rw2 rwl rwlibrary rwz rxdoc rzk rzx s3db s8bn sa5 sa7 sa8 saas sad saf safe safetext sam sas7bdat sav save say sb sbn sbo sbpf sbsc sbst sbx sc2save scd scdoc sce sch scm scmt scn scr scriv scrivx scs scspack scssc sct scw scx sd sd0 sd1 sda sdb sdc sdd sddraft sdf sdi sdl sdmdocument sdn sdo sdoc 
sdp sdr sds sdt sdv sdw search-ms secure securecrypted sef sel sen seq sequ server ses set setup sev sf sff sfs sfx sgf sgi sgl sgm sgml sgz sh sh6 shar shb show shp shr shs shtml shw shx shy sic sid sidd sidn sie sik sis sky sla sldasm sldm sldprt sldx slf slk slm sln slt slz sm smd sme smf smh smlx smn smp sms smwt smx smz snb snf sng snk snp snt snx so soi spb spd spdf spk spl spm spml sppt spr sprt sprz spt sql sqlite sqlite3 sqlitedb sqllite sqx sr2 src srf srfl srs srt srw ssa ssh ssi ssiw ssm ssx st4 st5 st6 st7 st8 stc std step sti stl stm stp stpz struct stt stw stx stxt sty sud suf sum surf surprise svd svdl svg svi svm svn svp svr svs swd swdoc sweb swf switch swp sxc sxd sxe sxg sxi sxl sxm sxml sxw syn syncdb szf t t01 t03 t05 t10 t12 t13 t14 t2 t2k t2t t4g t80 ta1 ta2 ta9 tabula-doc tabula-docstyle tah tar tax tax2009 tax2013 tax2014 tb tbb tbd tbk tbkx tbl tbz2 tcd tch tck tcx tdg tdl tdoc tdr te1 template tex texi texinfo text textclipping textile tfd tfm tfr tfrd tg tga tgz thm thml thmx thr tib tif tiff tjp tk3 tlb tld tlg tlt tlx tlz tm tm3 tmb tmd tml tmlanguage tmv tmz tns tnsp toast toc topx tor torrent totalslayout tp tpl tpo tpsdb tpu tpx trashinfo trif trp ts tsc tt11 tt2 ttax ttt ttxt tu tur tvd twdi twdx tww tx txd txe txf txm txn txt txtrpt u3d uax ubz ucd udb udf udl uea uhtml ukr ulf uli ulys ump umx unity3d unr unx uof uop uos uot updf upk upoi upp urd-journal urf url urp usa usx ut2 ut3 utc utd ute utf8 uti utm uts utx uu uud uue uvx uxx v v2i v2t val vault vb vbadoc vbd vbk vbox vbs vc vcal vcd vce vcf vcproj vcxproj vdf vdi vdo vdoc vdt venusf ver vf vfs0 vhd vhdx view viz vlc vlt vmbx vmdk vmf vmg vmm vmsd vmt vmx vmxf vob voprefs vor vp vpk vpl vpp_pc vs vsd vsdx vsf vsi vspolicy vst vstx vtf vthought vtv vtx vvv vw vw3 w w2p w3g w3x w51 w52 w60 w61 w6bn w6w w8bn w8tn wab wad waff wallet wallet001 war wav wave waw wb wb2 wb3 wbk wbt wbxml wbz wcf wcl wcn wcp wcst wd0 wd1 wd2 wdbn wdgt wdl wdn wdoc wdx9 web webdoc webpart wep wflx 
wht windows10 wiz wk! wk1 wk3 wk4 wkb wki wkl wks wlb wld wll wls wlxml wm wm2d wma wmd wmdb wmf wmga wmk wml wmlc wmmp wmo wms wmv wmx wn wolf word wordlist wotreplay wow wp wp42 wp5 wp50 wp6 wp7 wpa wpc2 wpd wpd0 wpd1 wpd2 wpd3 wpe wpf wpk wpl wpost wps wpt wpw wr1 wrf wri wrlk ws ws1 ws2 ws3 ws4 ws5 ws6 ws7 wsc wsd wsh wsp wtbn wtd wtf wtmp wtp wts wtt wtx wvw wvx wwcx wwi wwl wws wwt wxmx wxp wyn wzn wzs x11 x16 x3f x3g xamlx xar xav xbd xbrl xci xcodeproj xda xdc xdf xdo xdoc xdw xf xfd xfdf xfi xfl xfn xfo xfp xfx xgml xht xhtm xhtml xif xig xis xjf xl xla xlam xlb xlc xle xlf xline xlist xlk xll xlm xlnk xlr xls xlsb xlse xlshtml xlsl xlsm xlst xlsx xlsx3gp xlsxl xlt xlthtml xltm xltx xlv xlw xlwx xma xmdf xml xmmap xmn xmp xms xmt_bin xmta xmvl xpd xpi xpm xps xpse xpt xpwe xqm xqr xqx xrdml xsc xsd xsig xsl xslt xtbl xtd xtg xtml xtps xtrl xv0 xv2 xv3 xvg xvid xvl xwd xweb3htm xweb3html xweb4stm xweb4xml xwf xwp xxe xxx xy xy3 xy4v xyd xyz yab ycbcra yenc yml ync yps yuv z02 z04 zap zcrypt zepto zip zip73i87a zipx zoo zps ztmp ztmp$efs zyklon zzz
It avoids encrypting files with the following strings in their file name:
- RecoveryManual.html
- ReadManual.{Generated ID}
It avoids encrypting files found in the following folders:
- System Volume Information
- $RECYCLE.BIN
- Windows
- $WINDOWS.~BT
- Windows.old
- Program Files
- Program Files (x86)
- WINNT
- NVIDIA
- SYSTEM.SAV
- PerfLog
- Intel
- Games
- Temp
- tmp
- microsoft
It appends the following extension to the file name of the encrypted files:
- .ReadManual.{Generated ID}
It drops the following file(s) as ransom note:
- {Encrypted Folder}\RecoveryManual.html
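The appended extension, the ransom note name and the registry key under Other System Modifications together allow an affected host or file share to be scoped before restoring from backup. The following is an added example, not part of the original report: it walks a directory tree, maps each encrypted file to its original name, records folders containing a ransom note, and derives the registry key for each Generated ID found. The ID value `1A2B3C4D`, the sample tree, and the assumption that a Generated ID contains no dot are constructed for illustration.

```python
import os
import re
import tempfile

# Appended extension per this report: .ReadManual.{Generated ID}
# Assumption: the Generated ID contains no dot, so it is the final name component.
ENCRYPTED = re.compile(r'^(?P<original>.+)\.ReadManual\.(?P<gen_id>[^.]+)$', re.I)
NOTE_NAME = "recoverymanual.html"


def triage(root):
    """Walk root and return (files, notes, ids).

    files: {encrypted path: original file name to look for in backups}
    notes: folders holding a ransom note, i.e. folders the sample processed
    ids:   Generated IDs seen, needed to locate the registry key
    """
    files, notes, ids = {}, [], set()
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower() == NOTE_NAME:
                notes.append(folder)
                continue
            match = ENCRYPTED.match(name)
            if match:
                files[os.path.join(folder, name)] = match.group("original")
                ids.add(match.group("gen_id"))
    return files, sorted(notes), sorted(ids)


def registry_keys(ids):
    """Keys whose (Default) value the report says opens the ransom note."""
    return [rf"HKEY_CURRENT_USER\Software\Classes\.{i}\shell\Open\command"
            for i in ids]


def build_constructed_tree(root):
    """Create a small constructed directory tree (empty files) for the demo."""
    layout = {
        "docs": ["budget.xlsx.ReadManual.1A2B3C4D", "RecoveryManual.html", "readme.txt"],
        "docs/old": ["plan.docx.ReadManual.1A2B3C4D"],
        "clean": ["notes.ReadManual", "photo.jpg"],  # no ID suffix: not a match
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        files, notes, ids = triage(tmp)
        print(len(files), "encrypted files;", len(notes), "note folder(s)")
        print("\n".join(registry_keys(ids)))
```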
SOLUTION
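Minimum Scan Engine: 9.800
First VSAPI Pattern File: 16.272.02
First VSAPI Pattern Release Date: 07 Oct 2020
VSAPI OPR Pattern File: 16.273.00
VSAPI OPR Pattern Release Date: 08 Oct 2020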
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask for assistance from your system administrator. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Classes\.{Generated ID}\shell\Open\command
  - (Default) = explorer.exe RecoveryManual.html
Step 5
Search and delete this file
- {Encrypted Folder}\RecoveryManual.html
Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom.Win32.MOUNTLOCKER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 7
Restore encrypted files from backup.