RANSOM_HAKUNA.RA

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It is capable of encrypting files in the affected system.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {folder of encrypted files}\Recovers files yako.html ← ransom note

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Timon and Pumbaa = “{malware path and name} supermetroidrules”

Other Details

This Ransomware renames encrypted files using the following names:

• {original file name}.HakunaMatata

It does the following:

• It encrypts files in all available drives and network shares.
• It stops certain services by executing the following commands:
  • WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE
  • WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL ChangeStartMode 'Disabled'
  • WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE
  • net stop MSSQLSERVER
  • net stop postgresql-9.0
  • net stop FirebirdServerDefaultInstance
  • net stop MSExchangeAB
  • net stop MSExchangeADTopology
  • net stop MSExchangeAntispamUpdate
  • net stop MSExchangeEdgeSync
  • net stop MSExchangeFBA
  • net stop MSExchangeIS
  • net stop MSExchangeImap4
  • net stop MSExchangeMailSubmission
  • net stop MSExchangeMailboxAssistants
  • net stop MSExchangeMailboxReplication
  • net stop MSExchangeMonitoring
  • net stop MSExchangePop3
  • net stop MSExchangeProtectedServiceHost
  • net stop MSExchangeRPC
  • net stop MSExchangeRepl
  • net stop MSExchangeSA
  • net stop MSExchangeSearch
  • net stop MSExchangeServiceHost
  • net stop MSExchangeThrottling
  • net stop MSExchangeTransport
  • net stop MSExchangeTransportLogSearch
  • net stop MSSQL$SQLEXPRESS
  • net stop wsbexchange
  • sc config FirebirdServerDefaultInstance start= disabled
  • sc config MSExchangeAB start= disabled
  • sc config MSExchangeADTopology start= disabled
  • sc config MSExchangeAntispamUpdate start= disabled
  • sc config MSExchangeEdgeSync start= disabled
  • sc config MSExchangeFBA start= disabled
  • sc config MSExchangeFDS start= disabled
  • sc config MSExchangeIS start= disabled
  • sc config MSExchangeImap4 start= disabled
  • sc config MSExchangeMailSubmission start= disabled
  • sc config MSExchangeMailboxAssistants start= disabled
  • sc config MSExchangeMailboxReplication start= disabled
  • sc config MSExchangeMonitoring start= disabled
  • sc config MSExchangePop3 start= disabled
  • sc config MSExchangeProtectedServiceHost start= disabled
  • sc config MSExchangeRPC start= disabled
  • sc config MSExchangeRepl start= disabled
  • sc config MSExchangeSA start= disabled
  • sc config MSExchangeSearch start= disabled
  • sc config MSExchangeServiceHost start= disabled
  • sc config MSExchangeThrottling start= disabled
  • sc config MSExchangeTransport start= disabled
  • sc config MSExchangeTransportLogSearch start= disabled
  • sc config MSSQL$SQLEXPRESS start= disabled
  • sc config MSSQLSERVER start= disabled
  • sc config postgresql-9.0 start= disabled
  • sc config wsbexchange start= disabled
• It delets shadow copies by executing the following commands:
  • vssadmin.exe Delete Shadows /All /Quiet
• It terminates the following process by executing the following commands:
  • taskkill /IM fb_inet_server.exe /F
  • taskkill /IM pg_ctl.exe /F
  • taskkill /IM sqlservr.exe /F
• It executes the following command to clear events logs:
  • wevtutil cl Application
  • wevtutil cl security
  • wevtutil cl setup
  • wevtutil cl system
• It avoids encrypting files with the following strings:
  • *.exe
  • *.dll
  • *.lnk
  • *.bat
  • *.ini
  • *.msi
  • *.scf
  • *pagefile.sys*
  • *NTUSER.DAT*
  • *Atheros*
  • *Realtek*
  • *bootmgr*
  • *boot*
  • *boot*
  • *CONFIG.SYS*
  • *IO.SYS*
  • *MSDOS.SYS*
  • *NTDETECT.COM*
  • *ntldr*
  • *chrome*
  • *opera*
  • *firefox*
  • *AppData*
  • *\winrar\*
  • *\Internet Explorer\*
  • *\java\*
  • *\TeamViewer\*
  • *\windows\*
  • *\ESET\*
  • *\AVG\*
  • *\AVIRA\*
  • *\AVAST Software\*

It is capable of encrypting files in the affected system.

NOTES:

The dropped ransom note contains the following: