Ransom_ICRYPT.THAABBAH

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system and executes them:

• {Legitimate file path}/{malware file}.exe <- it modify the legitimate application to be its drop copy.

Other Details

This Ransomware does the following:

• Execute the following command to take ownership of a file:
  • %System%\takeown.exe /F %System%\{legitimate file}.exe <- if run as admin
  • %System%\icacls.exe %System%\{malware file}.exe /reset <- file name of the legitimate file
• After encrypting file:
  • It restore/ delete the drop copy of itself and back to original legitimate file.
• It deletes itself after execution.
• Executes the following commands to gather information:
  • %System%\arp.exe -a
  • %System%\nslookup.exe 192.168.56.1
  • %System%\nslookup.exe 192.168.56.201
  • %System%\nslookup.exe 192.168.56.255
  • %System%\nslookup.exe 224.0.0.22
  • %System%\nslookup.exe 224.0.0.252
  • %System%\nslookup.exe 239.255.255.250
  • %System%\net.exe view igmp.mcast.net
• Creates a process to execute the following command to delete the shadow copy of the infected system:
  • %System%\vssadmin.exe Delete Shadows /All /Quiet
• Executes the following commands:
  • %Application Data%\WXZuMM9D:bin %User Temp%\{Malware Filename}.exe
  • %System%\diskshadow.exe /s %User Temp%\{random character}.tmp <- script file containing diskshadow commands
  • %System%\diskshadow.exe /s %Windows%\TEMP\{random character}.tmp <- script file containing diskshadow commands

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• {All Drive}:\
• %Desktop%
• %Favorites%
• %Program Files%
• %ProgramData%
• %User Profile%
• %User Profile%\Documents
• %User Profile%\Downloads
• %User Profile%\Music
• %User Profile%\Pictures
• %User Profile%\Videos
• %User Profile%\Links
• %User Profile%\Contacts
• %User Profile%\Searches

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista, 7, and 8.. %Favorites% is the current user's Favorites folder, which is usually C:\Documents and Settings\{user name}\Favorites on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Favorites on Windows Vista, 7, and 8.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista, 7, and 8.)

It avoids encrypting files with the following strings in their file name:

• .exe
• .dll

It avoids encrypting files with the following strings in their file path:

• Windows
• Microsoft

It appends the following extension to the file name of the encrypted files:

• .kraussmfz

It drops the following file(s) as ransom note:

• {encrypted file}.{file extension}.kraussmfz_readme