Ransom.Win64.HIVE.E

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Drive Letter}:\{8 random characters}.key
• {Encrypted Directory}\HOW_TO_DECRYPT.txt
• {Drive Letter}:\HOW_TO_DECRYPT.txt

It adds the following processes:

• "%System%\vssadmin.exe" delete shadows /all /quiet
• "%System%\notepad.exe" %System Root%\HOW_TO_DECRYPT.txt
• "%System%\wbem\WMIC.exe" shadowcopy delete
• "%System%\wbadmin.exe" delete systemstatebackup
• "%System%\wbadmin.exe" delete catalog-quiet
• "%System%\bcdedit.exe" /set {default} recoveryenabled No
• "%System%\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
• "%System%\wbadmin.exe" delete systemstatebackup -keepVersions:3

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• MsMpSvc
• kavsvc
• DrWebCom
• AntiVirService
• ZhuDongFangYu
• VMM
• Vmwp
• sql
• sap
• oracle
• mepocs
• memtas
• veeam
• backup
• sql
• vss
• msexchange
• mysql
• sophos
• Exchange
• PDVFSService
• BackupExec
• GxBlr
• GxVss
• GxClMgrS
• GxCVD
• GxCIMgr
• GXMMM
• GxVssHWProv
• GxFWD
• SAP
• QBCFMonitorService
• QBDBMgrN
• QBIDPService
• AcronisAgent
• Veeam
• MVArmor
• VSNAPVSS
• AcrSch2Svc
• WinDefend

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• xfssvccon
• *sql*
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• CagService
• QBIDPService
• QBDBMgrN
• QBCFMonitorService
• SAP
• TeamViewer_Service
• TeamViewer
• tv_w32
• tv_x64
• CVMountd
• cvd
• cvfwd
• CVODS
• saphostexec
• saposcol
• sapstartsrv
• avagent
• avscc
• DellSystemDetect
• EnterpriseClient
• Veeam

Other Details

This Ransomware does the following:

• It avoids encrypting files with file size below 4000 bytes.
• It encrypts files found in the following drive types:
  • Fixed drive
  • Removable drive
  • Network drive

It accepts the following parameters:

• -u {login}:{password}

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• bootmgr
• autorun.inf
• thumbs.db
• ntuser.dat

It avoids encrypting files found in the following folders:

• Windows
• Program Files
• Program Files (x86)
• Boot
• PerfLogs
• $Recycle.Bin
• System Volume Information
• Trend Micro

It appends the following extension to the file name of the encrypted files:

• {8 random characters}_{11 random characters}
• {8 random characters}-{11 random characters}
  • If extensions are the following:
  • .sql
  • .txt
  • .rtf
  • .xml
  • .pdf
  • .xls
  • .xlsx
  • .doc
  • .docx
  • .vmdk

It drops the following file(s) as ransom note:

• {Encrypted Folder}\HOW_TO_DECRYPT.txt
• {Drive Letter}:\HOW_TO_DECRYPT.txt
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .sys
• .msi
• .lnk
• .ini
• .url