Ransom.Win32.STRIKED.B

This Ransomware arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals email account information. It steals system information.

It connects to certain websites to send and receive information. It is capable of encrypting files in the affected system.

Arrival Details

This Ransomware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Encrypted File Directory}\README_DECRYPT.html

Information Theft

This Ransomware steals email account information.

It steals system information.

Other Details

This Ransomware connects to the following website to send and receive information:

• http://{BLOCKED}.{BLOCKED}.83.47/genree.php
• http://{BLOCKED}.{BLOCKED}.231.201:3129
• http://{BLOCKED}.{BLOCKED}.146.153:8080
• http://{BLOCKED}.{BLOCKED}.246.144:8080
• http://{BLOCKED}.{BLOCKED}.132.75:8080
• http://{BLOCKED}.{BLOCKED}.216.134:80
• http://{BLOCKED}.{BLOCKED}.216.135:80
• http://{BLOCKED}.{BLOCKED}.171.51:800
• http://{BLOCKED}.{BLOCKED}.136.34:80
• http://{BLOCKED}.{BLOCKED}.136.34:8080
• http://{BLOCKED}.{BLOCKED}.136.34:81
• http://{BLOCKED}.{BLOCKED}.17.132:8081
• http://{BLOCKED}.{BLOCKED}.9.136:80
• http://{BLOCKED}.{BLOCKED}.94.144:8080
• http://{BLOCKED}.{BLOCKED}.228.61:8080
• http://{BLOCKED}.{BLOCKED}.88.120:53281
• http://{BLOCKED}.{BLOCKED}.242.94:80
• http://{BLOCKED}.{BLOCKED}.76.30:80
• http://{BLOCKED}.{BLOCKED}.76.30:8090
• http://{BLOCKED}.{BLOCKED}.117.243:8080
• http://{BLOCKED}.{BLOCKED}.83.214:8080
• http://{BLOCKED}.{BLOCKED}.30.241:80
• http://{BLOCKED}.{BLOCKED}.151.90:8080
• http://{BLOCKED}.{BLOCKED}.19.130:8080
• http://{BLOCKED}.{BLOCKED}.238.10:3128
• http://{BLOCKED}.{BLOCKED}.238.10:8080
• http://{BLOCKED}.{BLOCKED}.51.165:8080
• http://{BLOCKED}.{BLOCKED}.246.26:3128
• http://{BLOCKED}.{BLOCKED}.0.244:8080
• http://{BLOCKED}.{BLOCKED}.0.245:80
• http://{BLOCKED}.{BLOCKED}.234.43:8080
• http://{BLOCKED}.{BLOCKED}.61.29:3128
• http://{BLOCKED}.{BLOCKED}.61.29:80
• http://{BLOCKED}.{BLOCKED}.61.29:8080
• http://{BLOCKED}.{BLOCKED}.61.29:8799
• http://{BLOCKED}.{BLOCKED}.161.28:53281
• http://{BLOCKED}.{BLOCKED}.94.97:8081
• http://{BLOCKED}.{BLOCKED}.127.35:8888
• http://{BLOCKED}.{BLOCKED}.145.9:53281
• http://{BLOCKED}.{BLOCKED}.226.67:3128
• http://{BLOCKED}.{BLOCKED}.117.248:53281
• http://{BLOCKED}.{BLOCKED}.228.244:80
• http://{BLOCKED}.{BLOCKED}.223.39:8080
• http://{BLOCKED}.{BLOCKED}.86.134:8081
• http://{BLOCKED}.{BLOCKED}.251.27:80
• http://{BLOCKED}.{BLOCKED}.251.70:80
• http://{BLOCKED}.{BLOCKED}.124.10:8080
• http://{BLOCKED}.{BLOCKED}.57.139:8080
• http://{BLOCKED}.{BLOCKED}.16.250:3128
• http://{BLOCKED}.{BLOCKED}.191.85:8888
• http://{BLOCKED}.{BLOCKED}.135.184:8080

It does the following:

• Checks and terminates the running process if any of the following modules are found in its memory:
  • mysql
  • apache
  • mysqld
  • oracle
  • tomcat
  • java
  • backup
  • vnc
  • radmin
  • ftp
  • teamviewer
  • xampp
  • Taskmgr
• Avoids encrypting files in the following directories:
  • $WINDOWS.~BT
  • Program Files
  • ProgramData
  • Windows Directory
• It adds a ransom note with the following content:
  

It is capable of encrypting files in the affected system.

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

• #jekabro@mortalkombat.top#id#{ID Number}