This malware is distributed via hacked RDP connections. Once started, it first terminates some processes from its denylist, then deletes shadow copies of all volumes, disables Windows recovery options, deletes backups and turns off the firewall. After that, it starts the encryption process. The malware encrypts files with extensions from a large list. This list includes a large number of user file extensions, such as documents, images, and music. It encrypts files by using the AES cypher, on all logical drives and network shares. The AES key is unique for each drive.