RANSOM_CHIP.A

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It retrieves specific information from the affected system.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible. It deletes itself after execution.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• {fixed and removable disk drive letter}\{6 random characters} (dummy file to check if the drive is writable, file is deleted after checking)
• {folder containing encrypted files}\CHIP_FILES.txt (ransom note)

It drops and executes the following files:

• bye.bat (terminates the malware process, then deletes the malware file and this batch file afterwards)

Information Theft

This Trojan retrieves the following information from the affected system:

• Windows Version and Processor Type
• Drive Letters of Available and Writable Disk Drives
• Computer Name
• Windows Directory
• External IP Address

Other Details

This Trojan connects to the following URL(s) to get the affected system's IP address:

• checkip.dyndns.org

It connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.82.8/index.php

It encrypts files with the following extensions:

• 001
• 2015
• 3ds
• 3fr
• 500
• 7z
• accdb
• accdb
• ai
• amj
• apk
• arch00
• arw
• asc
• asset
• avi
• bar
• bay
• bc6
• bc7
• big
• bik
• bkf
• bkp
• blob
• bpn
• bsa
• cab
• cas
• cdr
• cdt
• cer
• cfp
• cfr
• cr2
• crt
• crw
• css
• csv
• d3dbsp
• dac
• das
• dazip
• db
• db0
• dba
• dbf
• dcr
• der
• desc
• dmp
• dng
• doc
• docm
• docx
• dwg
• dwg
• dxg
• ebc
• ebq
• epb
• epk
• eps
• erf
• esm
• ets
• fdb
• ff
• flv
• forge
• fos
• fpk
• fsh
• gdb
• gdb
• gho
• gpc
• hkdb
• hkx
• hplg
• hvpl
• ibank
• icxs
• IIF
• indd
• ipt
• itdb
• itf
• itl
• itm
• iwd
• iwi
• jpe
• jpeg
• jpg
• js
• kdb
• kdc
• kf
• layout
• lbf
• lgb
• litemod
• lrf
• ltx
• lvl
• m2
• m3u
• m4a
• map
• max
• mcmeta
• mdb
• mdb
• mdbackup
• mddata
• mdf
• mef
• menu
• mlx
• mny
• mov
• mp4
• mpqge
• mrwref
• myd
• mye
• myox
• mysql
• ncf
• nd
• nrw
• ntl
• odb
• odc
• odm
• odp
• ods
• odt
• ofx
• orf
• p12
• p7b
• p7c
• pak
• pdd
• pdf
• pef
• pem
• pfx
• pkpass
• png
• ppt
• pptm
• pptx
• psb
• psd
• psd
• psk
• pst
• ptb
• ptb
• ptx
• py
• qba
• qbatlg
• qbb
• qbk
• qbm
• qbmb
• qbo
• qbw
• qbx
• qby
• qdf
• qdf
• qfx
• qic
• qif
• qsd
• qtx
• r3d
• raf
• rar
• raw
• rb
• re4
• rgss3a
• rim
• rofl
• rtf
• rw2
• rwl
• sai
• saj
• sav
• sb
• sdb
• sdb
• sid
• sidd
• sidn
• sie
• sis
• slm
• snx
• sql
• sr2
• srf
• srw
• sum
• svg
• syncdb
• t11
• t12
• t12
• t13
• t13
• t14
• t15
• tax
• tax
• tax2013
• tax2014
• tax2015
• tax2016
• tlg
• tor
• tt14
• tt15
• tt16
• txf
• txt
• upk
• vbk
• vcf
• vdf
• vfs0
• vmx
• vpk
• vpp_pc
• vtf
• w3x
• wallet
• wb2
• wma
• wmo
• wmv
• wotreplay
• wpd
• wps
• x3f
• xf
• xlk
• xls
• xlsb
• xlsm
• xlsx
• xml
• xxx
• zip
• ztmp

It renames encrypted files using the following names:

• {original filename and extension}.CHIP

It does the following:

• This ransomware deletes all shadow copies by executing the following command:
  vssadmin delete shadows /all /quiet
• It prevents encrypting files containing any of the strings in its full path name:
  • C:\WINDOWS\
  • $Recycle.bin
  • $RECYCLE.BIN
  • %PROGRAMFILE\
  • C:\Documents and Settings\All Users\
  • C:\Program Files\
  • microsoft
  • RECYCLER
• It encrypts files in fixed, removable, RAM disk drives, and network shares.

However, as of this writing, the said sites are inaccessible.

It deletes itself after execution.

NOTES:

The ransom note CHIP_FILES.txt contains the following: