Ransom.Win32.VHDLOCKER.C

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\_MEI{Random number}\1.exe.manifest
• %User Temp%\_MEI{Random number}\Microsoft.VC90.CRT.manifest
• %User Temp%\_MEI{Random number}\_ctypes.pyd
• %User Temp%\_MEI{Random number}\_hashlib.pyd
• %User Temp%\_MEI{Random number}\_socket.pyd
• %User Temp%\_MEI{Random number}\_ssl.pyd
• %User Temp%\_MEI{Random number}\bz2.pyd
• %User Temp%\_MEI{Random number}\msvcm90.dll
• %User Temp%\_MEI{Random number}\msvcp90.dll
• %User Temp%\_MEI{Random number}\msvcr90.dll
• %User Temp%\_MEI{Random number}\python27.dll
• %User Temp%\_MEI{Random number}\select.pyd
• %User Temp%\_MEI{Random number}\unicodedata.pyd
• %User Temp%\_MEI{Random number}\Include\pyconfig.h
• %User Temp%\_MEI{Random number}\certifi\cacert.pem
• %User Temp%\{Random character}
• %User Temp%\tmp{Random number}.dll
• %System%\Chop.BAIP
• %Desktop%\HowToDecrypt.txt
• {Drive letter}:\HowToDecrypt.txt

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "{Malware file path and name}"
• sc stop "Microsoft Exchange Active Directory Toplogy"
• sc stop "Microsoft Exchange Anti-spam Update"
• sc stop "Microsoft Exchange Compliance Audit"
• sc stop "Microsoft Exchange Compliance Service"
• sc stop "Microsoft Exchange DAG Management"
• sc stop "Microsoft Exchange Diagnostics"
• sc stop "Microsoft Exchange EdgeSync"
• sc stop "Microsoft Exchange Frontend Transport"
• sc stop "Microsoft Exchange Health Manager"
• sc stop "Microsoft Exchange Health Manager Recovery"
• sc stop "Microsoft Exchange IMAP4"
• sc stop "Microsoft Exchange IMAP4 Backend"
• sc stop "Microsoft Exchange Information Store"
• sc stop "Microsoft Exchange Mailbox Assistants"
• sc stop "Microsoft Exchange Mailbox Replication"
• sc stop "Microsoft Exchange Mailbox Transport Delivery"
• sc stop "Microsoft Exchange POP3"
• sc stop "Microsoft Exchange POP3 Backend"
• sc stop "SQL Server Agent (TESTINSTANCE)"
• sc stop "SQL Server (TESTINSTANCE)"

Other Details

This Ransomware connects to the following possibly malicious URL:

• http://mnmski.{BLOCKED}4.com:443

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

• .vhd