Ransom.Win64.JKWERLO.LNS.go

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• powershell “vssadmin delete shadows /all /quiet”
• powershell “netsh advfirewall set allprofiles state off”
• %Program Files%\Windows Defender\MpCmdRun.exe -RemoveDefinitions -All
• powershell “reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f”
• powershell “reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f”
• powershell “bcdedit /set recoveryenabled No”
• powershell "Get-NetNeighbor | Select-Object IPAddress"
• powershell “del -Path %Downloads%\doc -Recurse -Force”
• powershell “Get-ChildItem -Path ‘%Downloads%’ -Filter *.lnk | Remove-Item -Force”
• powershell “Get-ChildItem -Path ‘%Downloads%’ -Filter *.zip | Remove-Item -Force”
• powershell “Get-ChildItem -Path ‘%Downloads%’ -Filter *.html | Remove-Item -Force”

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• via taskkill /F /IM:
  • sql.exe
  • oracle.exe
  • excel.exe
  • infopath.exe
  • msaccess.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • thunderbird.exe
  • tbirdconfig.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • notepad.exe

Other Details

This Ransomware does the following:

• It gathers information about network neighbors on the local computer.
• It disables the automatic recovery feature in Windows by modifying the Boot Configuration Data (BCD).
• It disables the Windows Firewall for all network profiles.
• It then deletes its dropped files from the system.

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• %Desktop%
• %Documents%
• %Downloads%
• %Pictures%

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following file(s) as ransom note:

• {Encrypted Directory}/IMPORTANT_README.TXT