RANSOM_ANITSIRK.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses a user interface (UI).

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This Ransomware sets the system's desktop wallpaper to the following image:

Other Details

This Ransomware uses the following user interface:

It does the following:

• Can perform encryption routine on all different directories found at the same time
• Exits and deletes itself only after performing all the encryption routines
• Can hide itself
• Execute the following commands usind CMD
  /C net view

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• .crypt12
• .tmp
• .sep
• .tlb
• .tbl
• .tsp
• .cmd
• .ax
• .olb
• .com
• .acm
• .edb
• .ini
• .exe
• .386
• .73u
• .8xu
• .adm
• .adml
• .admx
• .ani
• .ann
• .aos
• .asec
• .bio
• .bk2
• .blf
• .bmk
• .bud
• .cab
• .cdmp
• .chs
• .ci
• .cnt
• .cpi
• .cpl
• .cpq
• .cur
• .desklink
• .deskthemepack
• .dev
• .diagcab
• .diagcfg
• .diagpkg
• .dimax
• .dit
• .drv
• .dss
• .dyc
• .ebd
• .efi
• .evtx
• .ffa
• .ffl
• .ffo
• .ffx
• .ftg
• .fts
• .gmmp
• .grl
• .group
• .grp
• .h1s
• .hdmp
• .hhc
• .hhk
• .hiv
• .hlp
• .hpj
• .hsh
• .htt
• .icl
• .icns
• .ico
• .idi
• .ifw
• .ime
• .img3
• .inf_loc
• .ins
• .ion
• .ipod
• .itemdata-ms
• .its
• .jpn
• .kbd
• .key
• .kor
• .library-ms
• .lnk
• .log1
• .log2
• .lpd
• .manifest
• .mapimail
• .mdmp
• .mi4
• .mlc
• .mobileconfig
• .msc
• .msp
• .msstyle
• .msstyles
• .mui
• .mui_cccd5ae0
• .mum
• .mydocs
• .nb0
• .nbh
• .nfo
• .nls
• .nt
• .ntfs
• .p7b
• .pck
• .pdr
• .pfx
• .pid
• .pk2
• .pol
• .ppd
• .prefpane
• .prf
• .printerexport
• .ps2
• .pwl
• .rc1
• .rc2
• .rco
• .reg
• .regtrans-ms
• .rfw
• .rmt
• .rs
• .ruf
• .savedsearch
• .sbn
• .scap
• .scf
• .scr
• .shd
• .shsh
• .swp
• .sys
• .tdz
• .tha
• .theme
• .trx_dll
• .uce
• .vga
• .vgd
• .vx_
• .vxd
• .webpnp
• .wer
• .wph
• .wpx
• .xfb
• .xrm-ms
• .dat
• .db
• .dll
• .dmp
• .ics
• .mod
• .mpa
• .msu
• .nomedia
• .ocx
• .ps1
• .rom
• .rtp
• .shs
• .spl
• .themepack
• .0
• .000
• .amlv
• .automaticdestinations-ms
• .bashrc
• .bash_history
• .bash_profile
• .bin
• .bk1
• .bom
• .c32
• .cat
• .cgz
• .chg
• .chk
• .cht
• .clb
• .cpr
• .crash
• .dlx
• .dvd
• .edj
• .elf
• .emerald
• .etl
• .evt
• .fid
• .fpbf
• .help
• .idx
• .ius
• .job
• .lfs
• .lockfile
• .lst
• .mbr
• .mem
• .metadata_never_index
• .panic
• .pat
• .pit
• .pnf
• .ppm
• .profile
• .prt
• .qvm
• .saver
• .sbf
• .schemas
• .sdb
• .searchconnector-ms
• .sfcache
• .so.0
• .sqm
• .str
• .wdf
• .wdgt
• .wgz
• .zone.identifier

It avoids encrypting files found in the following folders:

• D:\owncloud
• D:\gdrive

It appends the following extension to the file name of the encrypted files:

• ={Random 5 Digit Number}=hernansec@{BLOCKED}mail.ch.crypt12

It drops the following file(s) as ransom note:

• {Folder Path of Encrypted Files}\!!!!readme!!!.txt