Ransom.MSIL.THANOS.FAIT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It encrypts files with specific file extensions. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• taskkill" /F taskkill.exe /IMRaccineSettings.exe
• reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
• reg" delete HKCU\Software\Raccine /F
• schtasks" /DELETE /TN "Raccine Rules Updater" /F
• cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
• sc.exe config Dnscache start= auto
• sc.exe config FDResPub start= auto
• sc.exe config SSDPSRV start= auto
• sc.exe config upnphost start= auto
• sc.exe config SQLTELEMETRY start= disabled
• sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
• sc.exe config SQLWriter start= disabled
• sc.exe config SstpSvc start= disabled
• taskkill.exe /IMmspub.exe /F
• taskkill.exe /IMmydesktopqos.exe /F
• taskkill.exe /IMmydesktopservice.exe /F
• taskkill.exe /IMmysqld.exe /F
• taskkill.exe /IMsqbcoreservice.exe /F
• taskkill.exe /IMfirefoxconfig.exe /F
• taskkill.exe /IMagntsvc.exe /F
• taskkill.exe /IMthebat.exe /F
• taskkill.exe /IMsteam.exe /F
• taskkill.exe /IMencsvc.exe /F
• taskkill.exe /IMexcel.exe /F
• taskkill.exe /IMCNTAoSMgr.exe /F
• taskkill.exe /IMsqlwriter.exe /F
• taskkill.exe /IMtbirdconfig.exe /F
• taskkill.exe /IMdbeng50.exe /F
• taskkill.exe /IMthebat64.exe /F
• taskkill.exe /IMocomm.exe /F
• taskkill.exe /IMinfopath.exe /F
• taskkill.exe /IMmbamtray.exe /F
• taskkill.exe /IMzoolz.exe /F
• taskkill.exe /IMthunderbird.exe /F
• taskkill.exe /IMdbsnmp.exe /F
• taskkill.exe /IMxfssvccon.exe /F
• taskkill.exe /IMmspub.exe /F
• taskkill.exe /IMNtrtscan.exe /F
• taskkill.exe /IMisqlplussvc.exe /F
• taskkill.exe /IMonenote.exe /F
• taskkill.exe /IMPccNTMon.exe /F
• taskkill.exe /IMmsaccess.exe /F
• taskkill.exe /IMoutlook.exe /F
• taskkill.exe /IMtmlisten.exe /F
• taskkill.exe /IMmsftesql.exe /F
• taskkill.exe /IMpowerpnt.exe /F
• taskkill.exe /IMmydesktopqos.exe /F
• taskkill.exe /IMvisio.exe /F
• taskkill.exe /IMmydesktopservice.exe /F
• taskkill.exe /IMwinword.exe /F
• taskkill.exe /IMmysqld-nt.exe /F
• taskkill.exe /IMwordpad.exe /F
• taskkill.exe /IMmysqld-opt.exe /F
• taskkill.exe /IMocautoupds.exe /F
• taskkill.exe /IMocssd.exe /F
• taskkill.exe /IMoracle.exe /F
• taskkill.exe /IMsqlagent.exe /F
• taskkill.exe /IMsqlbrowser.exe /F
• taskkill.exe /IMsqlservr.exe /F
• taskkill.exe /IMsynctime.exe /F
• powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
• %System%\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "{Malware Path}\{Malware File Name}.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It executes then deletes itself afterward.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\ba21af1d-a1b4-4f98-bda4-bf441d085299

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %Programs%\Startup\{Malware File Name}.exe
• %Programs%\Startup\mystartup.lnk

(Note: %Programs% is the folder that contains the user’s program groups, which is usually C:\Windows\Start Menu\Programs or C:\Documents and Settings\{User name}\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.)

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = Information...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeText = All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = Information...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticetext = All your files were encrypted, if you want to get them all back, please carefully read the text note located in your desktop...

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
LongPathsEnabled = 1

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG

Other Details

This Ransomware does the following:

• It encrypts all available drives (except for CDROMs).
• It empties the recycle bin.
• It terminates processes with private memory size larger than 209715200 bytes and its process name does not match the following strings:
• {Malware Name}
• chrome
• opera
• msedge
• iexplore
• firefox
• explorer
• wininit
• winlogon
• SearchApp
• SearchIndexer
• SearchUI
• It deletes the following subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
• vssadmin.exe
• wmic.exe
• wbadmin.exe
• bcdedit.exe
• powershell.exe
• diskshadow.exe
• net.exe
• It scans specific database related file extensions:
• db
• dbf
• accdb
• dbx
• mdb
• mdf
• epf
• ndf
• ldf
• 1cd
• sdf
• nsf
• fp7
• cat
• log
• It checks if the following modules are loaded in memory:
• SbieDll.dll
• It checks the machine's manufacturer and model information if it has the following strings:
• VIRTUAL
• vmware
• VirtualBox
• It enumerates the following process:
• lsass.exe
• svchst.exe
• crss.exe
• chrome32.exe
• firefox.exe
• calc.exe
• mysqld.exe
• dllhst.exe
• opera32.exe
• memop.exe
• spoolcv.exe
• ctfmon.exe
• SkypeApp.exe
• It terminates the following services:
• avpsus
• McAfeeDLPAgentService
• mfewc
• BMR Boot Service
• NetBackup BMR MTFTP Service
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• RTVscan
• QBFCService
• QBIDPService
• Intuit.QuickBooks.FCS
• QBCFMonitorService
• YooBackup
• YooIT
• zhudongfangyu
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• veeam
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• AcrSch2Svc
• AcronisAgent
• CASAD2DWebSvc
• CAARCUpdateSvc
• sophos
• “Acronis VSS Provider”
• MsDtsServer
• IISAdmin
• MSExchangeES
• “Sophos Agent”
• EraserSvc11710
• “Enterprise Client Service”
• “SQL Backups
• MsDtsServer100
• NetMsmqActivator
• MSExchangeIS
• “Sophos AutoUpdate Service”
• SamSs
• ReportServer
• “SQLsafe Backup Service”
• MsDtsServer110
• POP3Svc
• MSExchangeMGMT
• “Sophos Clean Service”
• SMTPSvc
• ReportServer$SQL_2008
• “SQLsafe Filter Service”
• msftesql$PROD
• SstpSvc
• MSExchangeMTA
• “Sophos Device Control Service”
• ReportServer$SYSTEM_BGC
• “Symantec System Recovery”
• MSOLAP$SQL_2008
• UI0Detect
• MSExchangeSA
• “Sophos File Scanner Service”
• ReportServer$TPS
• “Veeam Backup Catalog Data Service”
• MSOLAP$SYSTEM_BGC
• W3Svc
• MSExchangeSRS
• “Sophos Health Service”
• ReportServer$TPSAMA
• “Zoolz 2 Service”
• MSOLAP$TPS
• “aphidmonitorservice”
• msexchangeadtopology
• “Sophos MCS Agent”
• AcrSch2Svc
• MSOLAP$TPSAMA
• “intel(r) proset monitoring service”
• msexchangeimap4
• “Sophos MCS Client”
• ARSM
• MSSQL$BKUPEXEC
• unistoresvc_1af40a
• “Sophos Message Router”
• BackupExecAgentAccelerator
• MSSQL$ECWDB2
• audioendpointbuilder
• “Sophos Safestore Service”
• BackupExecAgentBrowser
• MSSQL$PRACTICEMGT
• “Sophos System Protection Service”
• BackupExecDeviceMediaService
• MSSQL$PRACTTICEBGC
• “Sophos Web Control Service”
• BackupExecJobEngine
• MSSQL$PROD
• AcronisAgent
• BackupExecManagementService
• MSSQL$PROFXENGAGEMENT
• Antivirus
• BackupExecRPCService
• MSSQL$SBSMONITORING /
• MSSQL$SBSMONITORING
• AVP
• BackupExecVSSProvider
• MSSQL$SHAREPOINT
• DCAgent
• bedbg
• MSSQL$SQL_2008
• EhttpSrv
• MMS
• MSSQL$SQLEXPRESS
• ekrn
• mozyprobackup
• MSSQL$SYSTEM_BGC
• EPSecurityService
• MSSQL$VEEAMSQL2008R2
• MSSQL$TPS
• EPUpdateService
• ntrtscan
• MSSQL$TPSAMA
• EsgShKernel
• PDVFSService
• MSSQL$VEEAMSQL2008R2
• ESHASRV
• SDRSVC
• MSSQL$VEEAMSQL2012
• FA_Scheduler
• SQLAgent$VEEAMSQL2008R2
• MSSQLFDLauncher$PROFXENGAGEMENT
• KAVFS
• SQLWriter
• MSSQLFDLauncher$SBSMONITORING
• KAVFSGT
• VeeamBackupSvc
• MSSQLFDLauncher$SHAREPOINT
• kavfsslp
• VeeamBrokerSvc
• MSSQLFDLauncher$SQL_2008
• klnagent
• VeeamCatalogSvc
• MSSQLFDLauncher$SYSTEM_BGC
• macmnsvc
• VeeamCloudSvc
• MSSQLFDLauncher$TPS
• masvc
• VeeamDeploymentService
• MSSQLFDLauncher$TPSAMA
• MBAMService
• VeeamDeploySvc
• MSSQLSERVER
• MBEndpointAgent
• VeeamEnterpriseManagerSvc
• MSSQLServerADHelper
• McAfeeEngineService
• VeeamHvIntegrationSvc
• MSSQLServerADHelper100
• McAfeeFramework
• VeeamMountSvc
• MSSQLServerOLAPService
• McAfeeFrameworkMcAfeeFramework
• VeeamNFSSvc
• MySQL57
• McShield
• VeeamRESTSvc
• MySQL80
• McTaskManager
• VeeamTransportSvc
• OracleClientCache80
• mfefire
• wbengine
• ReportServer$SQL_2008
• mfemms
• wbengine
• RESvc
• mfevtp
• sms_site_sql_backup
• SQLAgent$BKUPEXEC
• MSSQL$SOPHOS
• SQLAgent$CITRIX_METAFRAME
• sacsvr
• SQLAgent$CXDB
• SAVAdminService
• SQLAgent$ECWDB2
• SAVService
• SQLAgent$PRACTTICEBGC
• SepMasterService
• SQLAgent$PRACTTICEMGT
• ShMonitor
• SQLAgent$PROD
• Smcinst
• SQLAgent$PROFXENGAGEMENT
• SmcService
• SQLAgent$SBSMONITORING
• SntpService
• SQLAgent$SHAREPOINT
• sophossps
• SQLAgent$SQL_2008
• SQLAgent$SOPHOS
• SQLAgent$SQLEXPRESS
• svcGenericHost
• SQLAgent$SYSTEM_BGC
• swi_filter
• SQLAgent$TPS
• swi_service
• SQLAgent$TPSAMA
• swi_update
• SQLAgent$VEEAMSQL2008R2
• swi_update_64
• SQLAgent$VEEAMSQL2012
• TmCCSF
• SQLBrowser
• tmlisten
• SQLSafeOLRService
• TrueKey
• SQLSERVERAGENT
• TrueKeyScheduler
• SQLTELEMETRY
• TrueKeyServiceHelper
• SQLTELEMETRY$ECWDB2
• WRSVC
• mssql$vim_sqlexp
• vapiendpoint
• It displays the following text after restarting the system:
  
• It displays a balloon tip containing the following text:
  

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• dat
• txt
• jpeg
• gif
• jpg
• png
• php
• cs
• cpp
• rar
• zip
• html
• htm
• xlsx
• xls
• avi
• mp4
• ppt
• doc
• docx
• sxi
• sxw
• odt
• hwp
• tar
• bz2
• mkv
• eml
• msg
• ost
• pst
• edb
• sql
• accdb
• mdb
• dbf
• odb
• myd
• php
• java
• cpp
• pas
• asm
• key
• pfx
• pem
• p12
• csr
• gpg
• aes
• vsd
• odg
• raw
• nef
• svg
• psd
• vmx
• vmdk
• vdi
• lay6
• sqlite3
• sqlitedb
• java
• class
• mpeg
• djvu
• tiff
• backup
• pdf
• cert
• docm
• xlsm
• dwg
• bak
• qbw
• nd
• tlg
• lgb
• pptx
• mov
• xdw
• ods
• wav
• mp3
• aiff
• flac
• m4a
• csv
• sql
• ora
• mdf
• ldf
• ndf
• dtsx
• rdl
• dim
• mrimg
• qbb
• rtf
• 7z

It avoids encrypting files with the following strings in their file name:

• autoexec.bat
• desktop.ini
• autorun.inf
• ntuser.dat
• NTUSER.DAT
• iconcache.db
• bootsect.bak
• boot.ini
• ntuser.dat.log
• thumbs.db
• bootmgr
• pagefile.sys
• config.sys
• ntuser.ini
• Builder_Log
• RSAKeys
• RESTORE_FILES_INFO
• .harditem
• Recycle.Bin
• mystartup.lnk
• Debug_Log.txt
• UserName={UserName}_MachineName={MachineName}_{System Volume Information}.txt

It avoids encrypting files with the following strings in their file path:

• C:\Program Files\
• C:\Program Files (x86)\
• :\Windows\
• perflogs
• internet explorer
• :\ProgramData\
• \AppData\
• msocache
• system volume information
• boot
• tor browser
• mozilla
• appdata
• google chrome
• application data

It appends the following extension to the file name of the encrypted files:

• .harditem

It leaves text files that serve as ransom notes containing the following text:

• %User Temp%\RESTORE_FILES_INFO.txt
• %Desktop%\RESTORE_FILES_INFO.txt
• {encrypted directory}\RESTORE_FILES_INFO.txt
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• EXE
• DLL