Ransom.MSIL.WAREBAD.THLOFBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{8 random alphanumeric}.{3 random alphanumeric}.ps1 → ransomware configuration
• %User Temp%\{8 random alphanumeric}.{3 random alphanumeric}.psm1 → ransomware configuration

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following folders:

• C:\{current system date and time}

Information Theft

This Ransomware accepts the following parameters:

• -wait → delays execution
• -extract {filepath}
• -end
• -debug

It gathers the following data:

• Number of Processors

Other Details

This Ransomware does the following:

• It logs its activities through a console.
  
• It deletes itself after encryption.
• It creates a fake self-signed certificate and saved in the %User Temp% directory.
• It displays a pop-up warning with indication of file encryption.
  
• It works up the CPU by creating multiple threads to trigger ransomware infection CPU warning.

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• c:\Users

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.badware

It drops the following file(s) as ransom note:

• %Desktop%\Encrypted.txt