DeltaCERT Advisory: #45-11/2/2019

A new strain of ransomware titled EVOLUTION has attacked organizations in Pakistan, resulting in AES encryption of critical database files on Microsoft SQL Server and Oracle DB servers residing on Microsoft operating systems. The ransomware has the capability to track live network shares used for automated backup and will encrypt all network-accessible backup folders. The result of this ransomware attack has been that organizations are losing their ENTIRE DATA placed on primary database servers and on network-accessible backup locations.


Organizations are strongly advised to review their entire backup mechanism and take backups of CRITICAL BUSINESS DATA as per the following recommendations:

  1. Take an offline backup of critical organizational data on an immediate basis and disconnect it from any live network shares (place it offline and disconnect it from ALL network access once the backup is taken).
  2. Review your RTO/RPO for backups and DR.
  3. Increase and enhance the frequency of your critical data backups so that critical data is fully recoverable.
  4. Consider cross-platform, multi-location critical backups executed by manual human intervention (do not rely on auto-backups conducted through live network shares).
  5. Test the integrity and recoverability of critical data through an increased frequency of DR drills.

In addition, organizations are advised to follow these general recommendations:

  1. Maintain a tight and disciplined vulnerability management (patching) program.
  2. International best practice for a full vulnerability management (VM) remediation cycle is once every 7 days (scan and patch).
  3. Execute an emergency vulnerability management scan on your network immediately to gain visibility on the extent of vulnerabilities; prioritize and patch CRITICAL, HIGH and then MEDIUM vulnerabilities.
  4. Maintain updated anti-virus on all systems.
  5. Use leading anti-ransomware solutions and virtual patching solutions.
  6. Increase and enhance awareness among IT users on how to handle spam and phishing attacks.

For further information, please contact the DeltaCERT team at:

DeltaCERT Advisory Team