Concrete signature match: Ransomware - Encrypts files and demands payment for 32-bit Windows platform, family Cryptolocker
This threat is a concrete detection of Ransom:Win32/Cryptolocker!dha, a variant of the notorious Cryptolocker ransomware family. It encrypts user files, appending extensions like .Encode or .Lock, and displays a ransom note (e.g., Cryptolocker.txt, How To Decrypt Files.txt) demanding Bitcoin payment. The malware also attempts to delete shadow volume copies using 'vssadmin.exe Delete Shadows /All /Quiet' to prevent data recovery.
Relevant strings associated with this threat:
- Advanced Ransi\Advanced Ransi\obj\Debug\Advanced Ransi.pdb (PEHSTR_EXT)
- Your Computer Got Sniped by AcroWare Cryptolocker! (PEHSTR_EXT)
- Advanced_Ransi. (PEHSTR_EXT)
- Advanced Ransi.exe (PEHSTR_EXT)
- YOUR COMPUTER GOT LOCKED (PEHSTR_EXT)
- https://bitpay.com/pay-with-bitcoin (PEHSTR_EXT)
- Cryptolocker.txt (PEHSTR_EXT)
- Help to decrypt.txt (PEHSTR_EXT)
- \SOFTWARE\Lucy (PEHSTR_EXT)
- *.txt (PEHSTR_EXT)
- /*.odt (PEHSTR_EXT)
- /*.wps (PEHSTR_EXT)
- Cryptolocker (PEHSTR_EXT)
- .Encode (PEHSTR_EXT)
- File.Lusy (PEHSTR_EXT)
- key2.ico (PEHSTR_EXT)
- Rasomware2.0 (PEHSTR_EXT)
- AlbCry 2.0 (PEHSTR_EXT)
- AlbCry.g.resources (PEHSTR_EXT)
- How To Decrypt Files.txt (PEHSTR_EXT)
- .Lock (PEHSTR_EXT)
- Encryption Complete (PEHSTR_EXT)
- Ransomware2.0 (PEHSTR_EXT)
- Rasomware2._0.Properties.Resources (PEHSTR_EXT)
- Your computer files have been encrypted (PEHSTR_EXT)
- vssadmin.exe Delete Shadows /All /Quiet (PEHSTR_EXT)
- .[Crimsonware@protonmail.ch] (PEHSTR_EXT)
- INFO.hta (PEHSTR_EXT)
- .jcrypt (PEHSTR_EXT)
- .cryptshield (PEHSTR_EXT)
- .birbb (PEHSTR_EXT)
- ransom.Properties.Resources (PEHSTR_EXT)
- Baddy.Resources (PEHSTR_EXT)
- .baddy (PEHSTR_EXT)
- Wrong.Hahaha. (PEHSTR_EXT)
- Crapsomware.Properties (PEHSTR_EXT)
- cryptolocker (PEHSTR_EXT)
- KEY.cryptolocker (PEHSTR_EXT)
- Recovery Information.txt (PEHSTR_EXT)
- .WeSt Net Fake (PEHSTR_EXT)
- ransom.jpg (PEHSTR_EXT)
- @protonmail.com (PEHSTR_EXT)
- .onion (PEHSTR_EXT)
- Decryption Program for Cryptolocker (PEHSTR_EXT)
- cryptolocker.exe (PEHSTR_EXT)
- Please_Read.txt (PEHSTR_EXT)
- @mail.com (PEHSTR_EXT)
- .cring (PEHSTR_EXT)
- deReadMe!!!.txt (PEHSTR_EXT)
- .locked (PEHSTR_EXT)
- Annabelle.exe (PEHSTR_EXT)
- encrypted_sound.wav (PEHSTR_EXT)
- .crypt (PEHSTR_EXT)
- .HANTA (PEHSTR_EXT)
- RSAKey.txt (PEHSTR_EXT)
- .Encrypted (PEHSTR_EXT)
- .encrypted (PEHSTR_EXT)
- locked.zip (PEHSTR_EXT)
- Ionic.Zlib (PEHSTR_EXT)
- randomkey.bin (PEHSTR_EXT)
- .RENSENWARE (PEHSTR_EXT)
- .Crypted (PEHSTR_EXT)
- .ncovid (PEHSTR_EXT)
- /C sc delete VSS (PEHSTR_EXT)
- kWYZrzIYZR.html (PEHSTR_EXT)
- rdpunlocker1@cock.li (PEHSTR_EXT)
- /C vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- covid.Properties (PEHSTR_EXT)
- Encryption Completed (PEHSTR_EXT)
- EncryptionNotComplet (PEHSTR_EXT)
- .wnry (PEHSTR_EXT)
- RECYCLER\__empty (PEHSTR_EXT)
- System Volume Information\__empty (PEHSTR_EXT)
- vssadmin.exe delete shadows /all /Quiet (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /quiet /all (PEHSTR_EXT)
- @tutanota.com (PEHSTR_EXT)
- .CrYpTeD (PEHSTR_EXT)
- /c vssadmin.exe delete shadows /all /quiet (PEHSTR_EXT)
- READ_IT.txt.locked (PEHSTR_EXT)
- Ransomware.dll (PEHSTR_EXT)
- .test (PEHSTR_EXT)
- .DARXIS (PEHSTR_EXT)
- .DcRat (PEHSTR_EXT)
- FridayProject.Properties (PEHSTR_EXT)
- encKey.aes (PEHSTR_EXT)
- SAYGOODBYE.exe2 (PEHSTR_EXT)
- ___RECOVER__FILES__.heart.txt (PEHSTR_EXT)
- .kanmani (PEHSTR_EXT)
- \Heartbeat\keys.json (PEHSTR_EXT)
- DECRYPTION_LOG.txt (PEHSTR_EXT)
- .crypted (PEHSTR_EXT)
- DECRYPT_ReadMe1.TXT (PEHSTR_EXT)
- .hjgkdf (PEHSTR_EXT)
- .NotStonks (PEHSTR_EXT)
- DeletedFilesAmmount.txt (PEHSTR_EXT)
- friendly.cyber.criminal2 (PEHSTR_EXT)
- This computer has been hacked (PEHSTR_EXT)
- .givemenitro (PEHSTR_EXT)
- .deria (PEHSTR_EXT)
- vssadmin Delete shadows /all /quiet2 (PEHSTR_EXT)
- aaa_TouchMeNot_.txt (PEHSTR_EXT)
- .amogus (PEHSTR_EXT)
- del /s /f /q C:\*.VHD (PEHSTR_EXT)
- window.bat (PEHSTR_EXT)
- UnlockYourFiles.Login (PEHSTR_EXT)
- UnlockYourFiles.Properties.Resources (PEHSTR_EXT)
- V2._0.Properties2 (PEHSTR_EXT)
- insane_uriel_by_urielstock_4.jpg (PEHSTR_EXT)
- .kuru (PEHSTR_EXT)
- .henry217 (PEHSTR_EXT)
- desktop.ini (PEHSTR_EXT)
- Executioner Ransomware (PEHSTR_EXT)
- .Kern (PEHSTR_EXT)
- Runcount.cry2 (PEHSTR_EXT)
- checkip.dyndns.org (PEHSTR_EXT)
- .dolphin (PEHSTR_EXT)
- hidden_tear.Properties (PEHSTR_EXT)
- .matryoshka2 (PEHSTR_EXT)
- .Baphomet2 (PEHSTR_EXT)
- bapho.jpg (PEHSTR_EXT)
- yourkey.key (PEHSTR_EXT)
- ipinfo.io (PEHSTR_EXT)
- READ_ME.crypted.txt (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet & wmic shadowcopy delete (PEHSTR_EXT)
- read_it.txt (PEHSTR_EXT)
- .palestine2 (PEHSTR_EXT)
- Rasomware2.02 (PEHSTR_EXT)
- UrFile.TXT (PEHSTR_EXT)
- .army (PEHSTR_EXT)
- .arsium (PEHSTR_EXT)
- Rasomware2._0 (PEHSTR_EXT)
- friendly.cyber.criminal (PEHSTR_EXT)
- .AES64 (PEHSTR_EXT)
- Your computer has been infected2 (PEHSTR_EXT)
- .rsjon (PEHSTR_EXT)
- .jasmin (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet (PEHSTR_EXT)
- READ_ME_PLZ.txt (PEHSTR_EXT)
- .malki (PEHSTR_EXT)
- LockScreen (PEHSTR_EXT)
- .sick (PEHSTR_EXT)
- warning.BackgroundImage (PEHSTR_EXT)
- .firecrypt (PEHSTR_EXT)
- .chaos (PEHSTR_EXT)
- .DarkCry (PEHSTR_EXT)
- @sigaint.org (PEHSTR_EXT)
- Ransomware.exe2 (PEHSTR_EXT)
- Stub.Properties.Resources (PEHSTR_EXT)
- .DEDSEC (PEHSTR_EXT)
- .deadsecure (PEHSTR_EXT)
- NoCry.pdb (PEHSTR_EXT)
- NitroRansomware. (PEHSTR_EXT)
- .resources (PEHSTR_EXT)
- .FancyLeaks (PEHSTR_EXT)
- LegionLocker4._0 (PEHSTR_EXT)
- protonmail.com (PEHSTR_EXT)
- IMPORTANT READ ME.html (PEHSTR_EXT)
- mimikatz_trunk.zip (PEHSTR_EXT)
- vssadmin Delete Shadows /all /quiet (PEHSTR_EXT)
- .Legion (PEHSTR_EXT)
- Your important files videos, music, images, documents ... etc are encrypted with encryption (PEHSTR_EXT)
- .fucking (PEHSTR_EXT)
- decryptor.exe2 (PEHSTR_EXT)
- RSA_Keys.pub (PEHSTR_EXT)
- All of your files have been encrypted. (PEHSTR_EXT)
- No files to FUCK. (PEHSTR_EXT)
- READ_THIS_TO_DECRYPT. (PEHSTR_EXT)
- RansomeWare.Form1.resources (PEHSTR_EXT)
- rk-2.exe2 (PEHSTR_EXT)
- /C icacls %USERPROFILE%\Documents\* /grant Everyone:F /T /C /Q (PEHSTR_EXT)
- Test\READ_IT.txt (PEHSTR_EXT)
- Your important files videos, music, images, documents ... etc are encrypted with encryption2 (PEHSTR_EXT)
- YJSNPIL0cker (PEHSTR_EXT)
- Message.txt (PEHSTR_EXT)
- Tor\explorer.exe (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled no (PEHSTR_EXT)
- ranso4.jpg (PEHSTR_EXT)
- .deltapaymentbitcoin (PEHSTR_EXT)
- killer@killercom (PEHSTR_EXT)
- unlock your files.lnk (PEHSTR_EXT)
- what_happened_to_my_music.txt (PEHSTR_EXT)
- files/alertmsg.zip (PEHSTR_EXT)
- ro@tb@la@u.@eu@:1@53 (PEHSTR_EXT)
- Your computer has been infected by a Ransomware (PEHSTR_EXT)
- @tutanota.com (PEHSTR_EXT)
- \Windows\Temp\Magix.exe (PEHSTR_EXT)
- video_pro_x.exe (PEHSTR_EXT)
- /_/_/_/_/_/ (PEHSTR_EXT)
- RansomwarePOC.covidblo (PEHSTR_EXT)
- .porn.txt (PEHSTR_EXT)
- Pussie Locker.pdb (PEHSTR_EXT)
- $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length) (PEHSTR_EXT)
- powershell -ExecutionPolicy ByPass -File (PEHSTR_EXT)
- -Suffix '.locked' -RemoveSource (PEHSTR_EXT)
- Readme_now.txt (PEHSTR_EXT)
- cry.ps1 (PEHSTR_EXT)
- /C kill.bat (PEHSTR_EXT)
- biorain@protonmail.com (PEHSTR_EXT)
- \Antivirus.bat (PEHSTR_EXT)
- taskkill /IM mspub.exe /F (PEHSTR_EXT)
- net stop BMR Boot Service /y (PEHSTR_EXT)
- bcdedit /set {default} recoveryenabled No (PEHSTR_EXT)
- Nominatus_ToxicBattery.pdb (PEHSTR_EXT)
- vssadmin delete shadows /all /quiet && wmic shadowcopy delete && net users (PEHSTR_EXT)
- SOFTWARE\Malwarebytes\Ekati\ (PEHSTR_EXT)
- /c vssadmin.exe delete shadows (PEHSTR_EXT)
- .sick2 (PEHSTR_EXT)
- ghostbin.com (PEHSTR_EXT)
- HELP.txt (PEHSTR_EXT)
- Payload.LockForm.resources (PEHSTR_EXT)
- Crypto Locker\Payload\obj\Release\Payload.pdb (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Immediately isolate the infected machine from all networks. Perform a full system scan with updated antivirus software to remove the malware. Restore encrypted files from recent, verified clean backups, and under no circumstances pay the ransom. Implement robust backup strategies and conduct user awareness training to prevent future infections. Several of the strings listed above are also useful detection points independent of this signature: the vssadmin delete shadows, wmic shadowcopy delete, sc delete VSS and bcdedit /set {default} recoveryenabled no commands are attempts to disable recovery and warrant an alert whenever they appear in process-creation telemetry.