Ransom.Win64.ABYSSLOCKER.YPEDR

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {malware directory}/work.log
• %User Temp%\readme.bmp → desktop wallpaper ransom

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• vssadmin.exe delete shadows /all /quiet
• wmic SHADOWCOPY DELETE
• bcdedit / set{ default } recoveryenabled No
• bcdedit / set{ default } bootstatuspolicy ignoreallfailures

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• DontWorryBeHappy

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\readme.bmp

Process Termination

This Ransomware terminates the following services if found on the affected system:

• MSSQLServerADHelper100
• MSSQL$ISARS
• MSSQL$MSFW
• SQLAgent$ISARS
• SQLAgent$MSFW
• SQLBrowser
• ReportServer$ISARS
• SQLWriter
• WinDefend
• mr2kserv
• MSExchangeADTopology
• MSExchangeFBA
• MSExchangeIS
• MSExchangeSA
• ShadowProtectSvc
• SPAdminV4
• SPTimerV4
• SPTraceV4
• SPUserCodeV4
• SPWriterV4
• SPSearch4
• IISADMIN
• firebirdguardiandefaultinstance
• ibmiasrw
• QBCFMonitorService
• QBVSS
• QBPOSDBServiceV12
• IBM Domino Server (CProgramFilesIBMDominodata)
• IBM Domino Diagnostics (CProgramFilesIBMDomino)
• Simply Accounting Database Connection Manager
• QuickBooksDB1
• QuickBooksDB2
• QuickBooksDB3
• QuickBooksDB4
• QuickBooksDB5wrapper
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoamSqlservr
• sqlagent
• sqladhlp
• Culserver
• RTVscansqlbrowser
• SQLADHLP
• QBIDPService
• IntuitQuickBooksFCS
• msmdsrv
• tomcat6
• zhudongfangyu
• vmware - usbarbitator64
• vmware - converter
• dbsrv12
• dbeng8
• MSSQL$MICROSOFT##WID
• MSSQL$VEEAMSQL2012
• SQLAgent$VEEAMSQL2012
• FishbowlMySQ
• MySQL57MSSQL$KAV_CS_ADMIN_KIT
• SQLAgent$KAV_CS_ADMIN_KIT
• msftesql - Exchange
• MSSQL$MICROSOFT##SSEE
• MSSQL$SBSMONITORING
• MSSQL$SHAREPOINT
• MSSQLFDLauncher$SBSMONITORING
• MSSQLFDLauncher$SHAREPOINT
• SQLAgent$SBSMONITORING
• SQLAgent$SHAREPOINT
• QBFCService
• YooBackup
• YooIT
• vsssqlsvc$
• MSSQL
• MSSQL$
• memtas
• mepocs
• sophos
• veeam
• backup
• bedbg
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• MVArmorMVarmor64
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• AcronisAgent
• ARSM
• AcrSch2Svc
• CASAD2DWebSvc
• CAARCUpdateSvc
• WSBExchange
• MSExchange
• MSExchange$GxVss
• GxBlr
• GxFWD
• GxCVD
• GxCIMgr

It terminates the following processes if found running in the affected system's memory:

• 360doctor.exe
• 360se.exe
• ADExplorer.exe
• ADExplorer64.exe
• ADExplorer64a.exe
• Adobe CEF.exe
• Adobe Desktop Service.exe
• AdobeCollabSync.exe
• AdobeIPCBroker.exe
• AutodeskDesktopApp.exe
• Autoruns.exe
• Autoruns64.exe
• Autoruns64a.exe
• Autorunsc.exe
• Autorunsc64.exe
• Autorunsc64a.exe
• AvastUI.exe
• BrCcUxSys.exe
• BrCtrlCntr.exe
• CNTAoSMgr.exe
• CagService.exe
• CoreSync.exe
• Creative Cloud.exe
• Culture.exe
• Defwatch.exe
• DellSystemDetect.exe
• EnterpriseClient.exe
• GDscan.exe
• GWCtlSrv.exe
• GlassWire.exe
• Helper.exe
• InputPersonalization.exe
• MsDtSrvr.exe
• MsDtsSrvr.exe
• MsMpEng.exe
• ONENOTEM.exe
• PccNTMon.exe
• ProcessHacker.exe
• Procexp.exe
• Procexp64.exe
• QBDBMgr.exe
• QBDBMgrN.exe
• QBIDPService.exe
• QBW32.exe
• RAgui.exe
• RTVscan.exe
• Raccine.exe
• RaccineElevatedCfg.exe
• RaccineSettings.exe
• Raccine_x86.exe
• RdrCEF.exe
• ReportingServicesService.exe
• SQLAGENT.EXE
• Simply.SystemTrayIcon.exe
• SimplyConnectionManager.exe
• Sqlservr.exe
• Ssms.exe
• Sysmon.exe
• Sysmon64.exe
• SystemExplorer.exe
• SystemExplorerService.exe
• SystemExplorerService64.exe
• TMBMSRV.exe
• TeamViewer.exe
• TeamViewer_Service.exe
• TitanV, Ssms.exe
• TmCCSF.exe
• TmListen.exe
• TmPfw.exe
• TmProxy.exe
• Totalcmd.exe
• Totalcmd64.exe
• VeeamDeploymentSvc.exe
• WRSA.exe
• WireShark.exe
• ZhuDongFangYu.exe
• acwebbrowser.exe
• agntsvc.exe
• avp.exe
• avz.exe
• axlbridge.exe
• bedbh.exe
• benetns.exe
• bengien.exe
• beserver.exe
• dbeng50.exe
• dbsnmp.exe
• dumpcap.exe
• egui.exe
• encsvc.exe
• excel.exe
• fbguard.exe
• fbserver.exe
• fdhost.exe
• fdlauncher.exe
• firefox.exe
• httpd.exe
• infopath.exe
• isqlplussvc.exe
• j0gnjko1.exe
• java.exe
• msaccess.exe
• msftesql.exe
• msmdsrv.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• node.exe
• notepad++.exe
• notepad.exe
• ntrtscan.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• pg_ctl.exe
• postgres.exe
• powerpnt.exe
• procexp64a.exe
• procmon.exe
• procmon64.exe
• procmon64a.exe
• pvlsvr.exe
• qbupdate.exe
• raw_agent_svc.exe
• sam.exe
• sqbcoreservice.exe
• sql.exe
• sqlbrowser.exe
• sqlceip.exe
• sqlmangr.exe
• sqlservr.exe
• sqlwriter.exe
• steam.exe
• supervise.exe
• synctime.exe
• tbirdconfig.exe
• tcpview.exe
• tcpview64.exe
• tcpview64a.exe
• tdsskiller.exe
• thebat.exe
• thunderbird.exe
• tomcat6.exe
• tv_w32.exe
• tv_x64.exe
• visio.exe
• vsnapvss.exe
• vxmon.exe
• wdswfsafe.exe
• winword.exe
• wordpad.exe
• wsa_service.exe
• wxServer.exe
• wxServerView.exe
• xfssvccon.exe

Other Details

This Ransomware does the following:

• It empties the recycle bin of the affected system.
• Avoids encrypting the following network shares:
  • ADMIN$
  • IPC$

It accepts the following parameters:

• console → displays console
• filelog → drops the file work.log
• paths {path to encrypt} → encrypts a specified path
• shares → encrypts network shares

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• work.log
• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• !CryptoLockerDetectionDONT-DELETE!.jpg
• WhatHappened.txt

It avoids encrypting files found in the following folders:

• Boot
• Windows
• Windows.old
• $Windows.~bt
• $windows.~ws
• windows nt
• msbuild
• microsoft
• perflog
• microsoft.net
• microsoft shared
• common files
• windows defender
• windowspowershell
• windows security
• usoshared
• windowsapp
• windows journal
• windows photo viewer
• $Recycle.Bin
• All Users
• Program Files
• Program Files (x86)
• system volume information
• msocache
• Tor Browser
• Internet Explorer
• Google
• Opera
• Opera Software
• Mozilla
• Mozilla Firefox
• #recycle

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.Abyss

It drops the following file(s) as ransom note:

• {encrypted directory}/WhatHappened.txt
  

It avoids encrypting files with the following file extensions:

• .Abyss
• .386
• .cmd
• .ani
• .adv
• .msi
• .msp
• .com
• .nls
• .ocx
• .mpa
• .cpl
• .mod
• .hta
• .prf
• .rtp
• .rpd
• .bin
• .hlp
• .shs
• .drv
• .wpx
• .bat
• .rom
• .msc
• .spl
• .msu
• .ics
• .key
• .exe
• .dllv
• .lnk
• .icov
• .hlp
• .sys
• .drv
• .cur
• .idx
• .ini
• .reg
• .mp3
• .mp4
• .apk
• .ttf
• .otf
• .fon
• .fnt
• .dmp
• .tmp
• .pif
• .wav
• .wma
• .dmg
• .iso
• .app
• .ipa
• .xex
• .wad
• .msu
• .icns
• .lock
• .theme
• .diagcfg
• .blf
• .diagcab
• .diagpkg
• .msstyles
• .gadget
• .woff
• .part
• .sfcache
• .winmd