RANSOM_CRYSIS.TICOABB

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %Application Data%\{Malware Filename}.exe
• %System%\{Malware Filename}.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\syncronize_1G0RE8A
• Global\syncronize_1G0RE8U

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware name}.exe = "%System%\{Malware name}.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware Filename}.exe = "%Application Data%\{Malware Filename}.exe"

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %Start Menu%\{Malware filename}.exe

(Note: %Start Menu% is the Start Menu folder, where it usually is C:\Documents and Settings\{user name}\Start Menu on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following file(s) in the Windows Common Startup folder to enable its automatic execution at every system startup:

• %Program Data%\Microsoft\Windows\Start Menu\Programs\Startup\{Malware filename}.exe

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
%System%\Info.hta = "mshta.exe "%System%\Info.hta""

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
%Application Data%\Info.hta = "mshta.exe "%Application Data%\Info.hta""

Process Termination

This Ransomware terminates the following services if found on the affected system:

• FirebirdGuardianDefaultInstance
• FirebirdServerDefaultInstance
• sqlwriter
• mssqlserver
• sqlserveradhelper

It terminates the following processes if found running in the affected system's memory:

• 1c8.exe
• 1cv77.exe
• outlook.exe
• postgres.exe
• mysqld-nt.exe
• mysqld.exe
• sqlserver.exe

Other Details

This Ransomware does the following:

• It displays the currently active code page by executing the following command:
  cmd.exe /c mode con cp select=1251
• It deletes shadow copies by executing the following command:
  cmd.exe /c vssadmin delete shadows /all /quiet

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .1cd
• .3ds
• .3fr
• .3g2
• .3gp
• .7z
• .accda
• .accdb
• .accdc
• .accde
• .accdt
• .accdw
• .adb
• .adp
• .ai
• .ai3
• .ai4
• .ai5
• .ai6
• .ai7
• .ai8
• .anim
• .arw
• .as
• .asa
• .asc
• .ascx
• .asm
• .asmx
• .asp
• .aspx
• .asr
• .asx
• .avi
• .avs
• .backup
• .bak
• .bay
• .bd
• .bin
• .bmp
• .bz2
• .c
• .cdr
• .cer
• .cf
• .cfc
• .cfm
• .cfml
• .cfu
• .chm
• .cin
• .class
• .clx
• .config
• .cpp
• .cr2
• .crt
• .crw
• .cs
• .css
• .csv
• .cub
• .dae
• .dat
• .db
• .dbf
• .dbx
• .dc3
• .dcm
• .dcr
• .der
• .dib
• .dic
• .dif
• .divx
• .djvu
• .dng
• .doc
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .dpx
• .dqy
• .dsn
• .dt
• .dtd
• .dwg
• .dwt
• .dx
• .dxf
• .edml
• .efd
• .elf
• .emf
• .emz
• .epf
• .eps
• .epsf
• .epsp
• .erf
• .exr
• .f4v
• .fido
• .flm
• .flv
• .frm
• .fxg
• .geo
• .gif
• .grs
• .gz
• .h
• .hdr
• .hpp
• .hta
• .htc
• .htm
• .html
• .icb
• .ics
• .iff
• .inc
• .indd
• .ini
• .iqy
• .j2c
• .j2k
• .java
• .jp2
• .jpc
• .jpe
• .jpeg
• .jpf
• .jpg
• .jpx
• .js
• .jsf
• .json
• .jsp
• .kdc
• .kmz
• .kwm
• .lasso
• .lbi
• .lgf
• .lgp
• .log
• .m1v
• .m4a
• .m4v
• .max
• .md
• .mda
• .mdb
• .mde
• .mdf
• .mdw
• .mef
• .mft
• .mfw
• .mht
• .mhtml
• .mka
• .mkidx
• .mkv
• .mos
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mpv
• .mrw
• .msg
• .mxl
• .myd
• .myi
• .nef
• .nrw
• .obj
• .odb
• .odc
• .odm
• .odp
• .ods
• .oft
• .one
• .onepkg
• .onetoc2
• .opt
• .oqy
• .orf
• .p12
• .p7b
• .p7c
• .pam
• .pbm
• .pct
• .pcx
• .pdd
• .pdf
• .pdp
• .pef
• .pem
• .pff
• .pfm
• .pfx
• .pgm
• .php
• .php3
• .php4
• .php5
• .phtml
• .pict
• .pl
• .pls
• .pm
• .png
• .pnm
• .pot
• .potm
• .potx
• .ppa
• .ppam
• .ppm
• .pps
• .ppsm
• .ppt
• .pptm
• .pptx
• .prn
• .ps
• .psb
• .psd
• .pst
• .ptx
• .pub
• .pwm
• .pxr
• .py
• .qt
• .r3d
• .raf
• .rar
• .raw
• .rdf
• .rgbe
• .rle
• .rqy
• .rss
• .rtf
• .rw2
• .rwl
• .safe
• .sct
• .sdpx
• .shtm
• .shtml
• .slk
• .sln
• .sql
• .sr2
• .srf
• .srw
• .ssi
• .st
• .stm
• .svg
• .svgz
• .swf
• .tab
• .tar
• .tbb
• .tbi
• .tbk
• .tdi
• .tga
• .thmx
• .tif
• .tiff
• .tld
• .torrent
• .tpl
• .txt
• .u3d
• .udl
• .uxdc
• .vb
• .vbs
• .vcs
• .vda
• .vdr
• .vdw
• .vdx
• .vrp
• .vsd
• .vss
• .vst
• .vsw
• .vsx
• .vtm
• .vtml
• .vtx
• .wb2
• .wav
• .wbm
• .wbmp
• .wim
• .wmf
• .wml
• .wmv
• .wpd
• .wps
• .x3f
• .xl
• .xla
• .xlam
• .xlk
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xps
• .xsd
• .xsf
• .xsl
• .xslt
• .xsn
• .xtp
• .xtp2
• .xyze
• .xz
• .zip

It avoids encrypting files with the following strings in their file path:

• %Windows%
• boot.ini
• bootfont.bin
• ntldr
• ntdetect.com
• io.sys
• FILES ENCRYPTED.txt
• Info.hta
• {Malware Filename}.exe

It appends the following extension to the file name of the encrypted files:

• .id-{ID}.[sniper777@{BLOCKED}k.li].bip

It drops the following file(s) as ransom note:

• %Program Data%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
• %Application Data%\Info.hta
• %System%\Info.hta
• %Application Data%\Microsoft\Windows\Start Menu\Startup\Info.hta
• {Public User Desktop}\FILE ENCRYPTED.txt
• {All Drives}\FILES ENCRYPTED.txt
• %Desktop%\FILES ENCRYPTED.txt

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

NOTES:

This ransomware displays the following ransom notes after encrypting the target files: