Ransom.Win64.SNATCH.YADBA.enc

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware file path}\{random characters1}.bat → used to query for services, is deleted afterwards
• {Malware file path}\{random characters2}.bat → used to delete shadow copies, is deleted afterwards
• {Malware file path}\{random characters3}.bat → used to register itself as a service, is deleted afterwards
• {Malware file path}\{random characters4}.bat → used to enable safe mode, is deleted afterwards
• {Malware file path}\{random characters5}.bat → used to check if safe mode is enabled, is deleted afterwards
• {Malware file path}\{random characters6}.bat → used to delete itself, is deleted afterwards
• {Malware file path}\{random characters7}.bat → used to reboot the system, is deleted afterwards

It adds the following processes:

• If the file name contains the string "safe":
  • sc create YfFomRpcSsWBSi binPath={Malware file path}\{Malware file name}" DisaplayName="Provides Remote Procedure Call features via remotely accessible Named Pipes tJuyRbOi" start=auto
• If the file name does not contain the string "safe":
  • SC QUERY → query for services
  • FINDSTR SERVICE_NAME → collect service names
  • net stop YfFomRpcSsWBSi → terminates existing service of itself
  • vssadmin delete shadows /all /quiet → delete shadow copies
  • cmd /c ping 127.0.0.1
  • del /f {Malware file name} → delete itself
• REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control" /v SystemStartOptions → query for system start options if set to safeboot
• If the system start options is not set to safeboot:
  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS" /VE /T REG_SZ /F /D Service
  • REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\YfFomRpcSsWBSi" /VE /T REG_SZ /F /D Service → enables the service in safe mode
  • bcdedit /set {current} safeboot minimal → forces the Windows to restart in safe mode
  • %Windows%\Sysnative\bcdedit.exe /set {current} safeboot minimal
  • %Windows%\SysWOW64\bcdedit.exe /set {current} safeboot minimal
  • %System%\bcdedit.exe /set {current} safeboot minimal
  • %Windows%\Sysnative\bcdedit.exe → check if safe mode is enabled
  • shutdown /r /f /t 00 → reboot the system
  • %Windows%\SysWOW64\shutdown.exe /r /f /t 00
  • %System%\shutdown.exe /r /f /t 00
  • %Windows%\Sysnative\shutdown.exe /r /f /t 00

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following entries to allow itself to run on safe mode:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
VSS
{Default} = Service → if the system start options is not set to safeboot

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal\
YfFomRpcSsWBSi
{Default} = Service → if the system start options is not set to safeboot

It starts the following services:

• Service Name: YfFomRpcSsWBSi
  Display Name: Provides Remote Procedure Call features via remotely accessible Named Pipes tJuyRbOi
  Image Path: {Malware File Path}\{Malware file name}

Process Termination

This Ransomware terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• SQL
• BACKUP
• TEAM
• EXCHANGE

Other Details

This Ransomware requires the existence of the following files to properly run:

• Qt5Core.dll
• Qt5Gui.dll
• Qt5Network.dll
• Qt5Qml.dll
• Qt5Widgets.dll
• Qt5Xml.dll
• SafeDataTransform.exe → used to load the shellcode and decrypt the ransomware
• apimswincoreconsolel110.dll
• apimswincoreconsolel120.dll
• apimswincoredatetimel110.dll
• apimswincoredebugl110.dll
• apimswincoreerrorhandlingl110.dll
• apimswincorefilel110.dll
• apimswincorefilel120.dll
• apimswincorefilel210.dll
• apimswincorehandlel110.dll
• apimswincoreheapl110.dll
• apimswincoreinterlockedl110.dll
• apimswincorelibraryloaderl110.dll
• apimswincorelocalizationl120.dll
• apimswincorememoryl110.dll
• apimswincorenamedpipel110.dll
• apimswincoreprocessenvironmentl110.dll
• apimswincoreprocessthreadsl110.dll
• apimswincoreprocessthreadsl111.dll
• apimswincoreprofilel110.dll
• apimswincorertlsupportl110.dll
• apimswincorestringl110.dll
• apimswincoresynchl110.dll
• apimswincoresynchl120.dll
• apimswincoresysinfol110.dll
• apimswincoretimezonel110.dll
• apimswincoreutill110.dll
• apimswincrtconiol110.dll
• apimswincrtconvertl110.dll
• apimswincrtenvironmentl110.dll
• apimswincrtfilesysteml110.dll
• apimswincrtheapl110.dll
• apimswincrtlocalel110.dll
• apimswincrtmathl110.dll
• apimswincrtmultibytel110.dll
• apimswincrtprivatel110.dll
• apimswincrtprocessl110.dll
• apimswincrtruntimel110.dll
• apimswincrtstdiol110.dll
• apimswincrtstringl110.dll
• apimswincrttimel110.dll
• apimswincrtutilityl110.dll
• concrt140.dll
• howdoi.txt
• libmap64.dll
• libxl.dll
• msvcp140.dll
• msvcp140_1.dll
• msvcp140_2.dll
• msvcp140_atomic_wait.dll
• msvcp140_codecvt_ids.dll
• other_licenses.txt
• ucrtbase.dll
• ulha64.dll
• unins000.dat
• vccorlib140.dll
• vcruntime140.dll
• vcruntime140_1.dll

It does the following:

• It affects all existing drives from A: to Z:.
• It checks if the file name contains the string "safe".
  • If yes, it registers itself as a service.
  • If no,
    • It terminates existing service of itself.
    • It deletes shadow copies.
    • It executes and deletes itself.
• It checks if the system start options is set to safeboot.
  • If yes, it starts the service.
  • If no,
    • It registers itself as a service and enables it in safe mode.
    • It forces the Windows to restart in safe mode.
    • It reboots the system to perform its malicious routine.

Ransomware Routine

This Ransomware avoids encrypting files found in the following folders:

• Directories located in %System Root%:
  • windows
  • perflogs
  • recovery
  • $recycle.bin
  • system volume information
• Directories located in %Program Files%:
  • windows
  • perflogs
  • recovery
  • $recycle.bin
  • system volume information
  • common files
  • dvd maker
  • internet explorer
  • msbuild
  • microsoft games
  • mozilla firefox
  • reference assemblies
  • tap-windows
  • windows defender
  • windows journal
  • windows mail
  • windows media player
  • windows nt
  • windows photo viewer
  • windows sidebar
  • windows portable devices
  • microsoft.net
  • mozilla maintenance service
  • uninstall information
• Directories located in %ProgramData%:
  • microsoft
  • start menu
  • templates
  • favorites

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It drops the following file(s) as ransom note:

• {Encrypted Directory}:\HOW TO RESTORE YOUR FILES.TXT
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• sys
• ini
• bat
• lnk
• rdapdylvb