Ransomware Research
Exerwa Ransomware
Exerwa is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2020, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Exerwa CTF.
Quick Facts
- Ransomware Family
- Exerwa
- First Seen
- November 1, 2020
- Known Aliases
- Exerwa CTF
How Exerwa Ransomware Works
Targeted Files
Doc file with macro that drops and decrypts exe and ps1 Encrypts files in %USERPROFILE%+\Documents\PaTswyq4jo folder only
File Encryption Patterns
Exerwa modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..exerwa
Technical Indicators
Associated Executable Files
The following executable files are associated with Exerwa ransomware:
Patent_656419797_as-of-27thJune2020.doc
Elastio Can Help You
Don't let Exerwa ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This Exerwa ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Exerwa.
Last updated: July 30, 2025