Ransom.Win64.CRYTOX.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Windows%\Utox.exe → peer-to-peer application used to communicate with attackers
• %Windows%\rwjfk.bat → deletes shadow copies and deletes all logged tokens of wevtutil.exe
• %Windows%\pghdn.txt → deletes shadow copies

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following processes:

• vssadmin delete shadows /all /quiet → Delete shadow copies
• explorer.exe
• %Windows%\rwjfk.bat
• %Windows%\pghdn.txt

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• itkd{4 random characters}

It injects codes into the following process(es):

• svchost.exe
• explorer.exe

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
open = %System Roo%:\ReadMe.hta

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_CLASSES_ROOT\.waiting\shell\
open\command
{Default} = %System%\mshta.exe "%System Root%:\ReadMe.hta"

HKEY_CLASSES_ROOT\.waiting\shell\
open\command
en = {HEX VALUES}

HKEY_CLASSES_ROOT\.waiting\shell\
open\command
n = {HEX VALUES}

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• Any processes not included in the list below:
  • DLLHOST.EXE
  • CMD.EXE
  • IEXPLORE.EXE
  • CSRSS.EXE
  • SPOOLSV.EXE
  • RUNDLL32.EXE
  • WININIT.EXE
  • LOGONUI.EXE
  • MSHTA.EXE
  • BFSVC.EXE
  • MSTSC.EXE
  • WEVTUTIL.EXE
  • LSASS.EXE
  • RDPCLIP.EXE
  • TASKLIST.EXE
  • SEARCHINDEXER.EXE
  • CONHOST.EXE
  • SIHOST.EXE
  • VSSADMIN.EXE
  • WEBSERVICES.EXE
  • SVCHOST.EXE
  • FONTDRVHOST.EXE
  • TASKHOSTW.EXE
  • WUDFHOST.EXE
  • MSDTS.EXE
  • CTFMON.EXE
  • SERVICES.EXE
  • EXPLORER.EXE
  • DISKSHADOW.EXE
  • SMSS.EXE
  • WMIPRVSE.EXE
  • ISSCH.EXE
  • SEARCHUI.EXE
  • ADAPTERTROUBLESHOOTER.EXE
  • TASKMGR.EXE
  • SYSTEM
  • [SYSTEM PROCESS]
  • PROCESSHACKER.EXE
  • DFSSVC.EXE
  • WINLOGON.EXE
  • FIND.EXE

Other Details

This Ransomware does the following:

• It encrypts the files in the following drives:
  • Fixed Drives
  • Network Drives
  • Removable Drives

It deletes itself after execution.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• ReadMe.hta

It avoids encrypting files found in the following folders:

• %Windows%

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It appends the following extension to the file name of the encrypted files:

• {Random Characters}.waiting

It drops the following file(s) as ransom note:

• {Encrypted Directory}\ReadMe.hta
  

It avoids encrypting files with the following file extensions:

• .waiting