A ransomware strain identified in April 2020. The specific sample analyzed by the researchers was seen active in the wild in May 2020. It operates similarly to most ransomware families. Encrypted strings are decrypted upon execution using WinCrypt functions in conjunction with a hard-coded AES-256 key. Persistence is then established via a Registry Run key. It is noted that most malware families first copy the executable to a protected folder, but this ransomware leaves it in the original location. After persistence has been established, anonymous pipes are created that are subsequently used to execute sc.exe in order to delete services based on a hard-coded list. Processes that may prevent encryption of user files are also killed. Files are then encrypted and volume shadow copies are deleted using vssadmin. Lastly, the ransom note is dropped, which asks the user to visit a Tor site for further instructions.
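The behaviour chain above lends itself to a correlation rule. The following is an added detection sketch, not code from the researchers: it flags a single originating image that sets a Run key pointing outside protected folders, spawns several `sc.exe delete` commands, and deletes shadow copies. The event schema, field names, threshold, paths and service names are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Folders where a Run-key target is unremarkable (assumption; tune per environment).
PROTECTED = ("c:\\windows\\", "c:\\program files")
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
SC_DELETE_THRESHOLD = 3  # assumption: several service deletions from one parent

def classify(event):
    """Return (actor, behaviour) for one event, or None if not of interest."""
    if event["type"] == "registry_set":
        target = event["data"].strip('"').lower()
        if RUN_KEY.search(event["key"]) and not target.startswith(PROTECTED):
            return event["image"].lower(), "run_key_unprotected_path"
    elif event["type"] == "process_create":
        exe = event["image"].lower().rsplit("\\", 1)[-1]
        args = event["cmdline"].lower().split()[1:]
        if exe == "sc.exe" and "delete" in args:
            return event["parent_image"].lower(), "sc_delete"
        if exe == "vssadmin.exe" and "delete" in args and "shadows" in args:
            return event["parent_image"].lower(), "shadow_copy_delete"

def correlate(events):
    """Map each originating image to its behaviours; alert on two or more."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        hit = classify(ev)
        if hit:
            counts[hit[0]][hit[1]] += 1
    alerts = {}
    for actor, seen in counts.items():
        kept = sorted(b for b, n in seen.items()
                      if b != "sc_delete" or n >= SC_DELETE_THRESHOLD)
        if len(kept) >= 2:
            alerts[actor] = kept
    return alerts

DROPPED = r"C:\Users\alice\Downloads\sample.exe"   # constructed path
BACKUP = r"C:\Program Files\Backup\agent.exe"      # constructed benign tool
SAMPLE_EVENTS = [                                   # constructed telemetry
    {"type": "registry_set", "image": DROPPED, "data": f'"{DROPPED}"',
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sample"},
    *[{"type": "process_create", "image": r"C:\Windows\System32\sc.exe",
       "parent_image": DROPPED, "cmdline": f"sc.exe delete ExampleSvc{i}"}
      for i in range(3)],
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": DROPPED, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": BACKUP, "cmdline": "vssadmin.exe delete shadows /for=C: /oldest"},
]
```

Calling `correlate(SAMPLE_EVENTS)` alerts only on the constructed dropped executable; the backup agent, which shows a single behaviour, is not flagged.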