comodo against ChineseRarypt

Hey could you tell me where can I download the sample and run the test please?

It’s odd that this malware is presented as ransomware. Yes, it does drop ransomware notes in a few places, but otherwise it is a scriptor that deletes personal files (jpg’s, doc’s, etc.). Recovery is quite easy using a search-and-undelete application like EaseUS.

A much more elegant ransomware that actually does plop files into a password-protected archive is something like https://www.virustotal.com/gui/file/c285e376201e2941154ec1a9acd8658cd5e0ea975c694a3fe3e9a9897efc2680/detection

Odd also is that a specific build of CIS would allow anything to be deleted, as previous builds never did and the current application also protects. The initial malware file is sandboxed, as is the resultant spawn (rar.exe, taskkill, certutil, at, dllhost, etc.).

Finally, it is a good idea to let the firewall show popups (unlike in the video) for stuff that should not be connecting out. certutil.exe attempting a connection to somewhere in China (Hangzhou?) is never a good thing.
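As an added example (not code from the thread or from Comodo), the two behaviours the post above describes can be turned into simple host-log triage: a parent process spawning several of the listed tools (rar.exe, taskkill, certutil, at, dllhost) and certutil.exe opening an outbound connection. The log lines, the simplified `key=value` format and the 203.0.113.7 address are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified "key=value" form (not real logs).
SAMPLE_EVENTS = [
    "type=process pid=1000 ppid=500 image=C:\\Users\\u\\Desktop\\dropper.exe",
    "type=process pid=1001 ppid=1000 image=C:\\Windows\\System32\\certutil.exe",
    "type=process pid=1002 ppid=1000 image=C:\\tools\\rar.exe",
    "type=process pid=1003 ppid=1000 image=C:\\Windows\\System32\\taskkill.exe",
    "type=network pid=1001 image=C:\\Windows\\System32\\certutil.exe dst=203.0.113.7:443",
    "type=process pid=2000 ppid=600 image=C:\\Windows\\explorer.exe",
    "type=process pid=2001 ppid=2000 image=C:\\Windows\\System32\\notepad.exe",
]

# Tools the post lists as spawned by the dropper.
SUSPICIOUS_CHILDREN = {"rar.exe", "taskkill.exe", "certutil.exe", "at.exe", "dllhost.exe"}
# Utilities that normally have no reason to connect out.
NO_NETWORK_EXPECTED = {"certutil.exe"}


def parse(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events, min_children=2):
    """Return alert strings for (1) a parent spawning >= min_children of the
    listed tools and (2) a no-network-expected utility making a connection."""
    alerts = []
    children = defaultdict(set)
    for line in events:
        ev = parse(line)
        name = basename(ev.get("image", ""))
        if ev.get("type") == "process" and name in SUSPICIOUS_CHILDREN:
            children[ev["ppid"]].add(name)
        elif ev.get("type") == "network" and name in NO_NETWORK_EXPECTED:
            alerts.append(f"pid {ev['pid']}: {name} outbound to {ev['dst']}")
    for ppid, names in children.items():
        if len(names) >= min_children:
            alerts.append(f"ppid {ppid} spawned {', '.join(sorted(names))}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields one alert for certutil.exe connecting out and one for the dropper (pid 1000) spawning certutil.exe, rar.exe and taskkill.exe; the benign explorer/notepad lines produce nothing.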

I have HIPS enabled with the option “do not show popup alerts” set to “block requests”, no issues.