Ransom.Win64.AKIRA.THDBFBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"

Information Theft

This Ransomware accepts the following parameters:

• -p, --encryption_path → used for specifying the directory to be encrypted.
• -l → used for displaying a list of logical drives mounted in the system
• -s, --share_files → used for encrypting shared folders
• -n, --encryption_percent → enables the user to specify the percentage of data in each file that should be encrypted. The default setting is 50.
• -remote -> used for preventing the Windows restart manager from being triggered if the ransomware fails to open files, assuming these files are located on a remote host such as a shared folder. This is used in conjunction with the “--share_files” parameter.

Other Details

This Ransomware does the following:

• It uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .4dd
• .4dl
• .abcddb
• .abs
• .abx
• .accdb
• .accdc
• .accde
• .accdr
• .accdt
• .accdw
• .accft
• .adb
• .ade
• .adf
• .adn
• .adp
• .alf
• .arc
• .ask
• .avdx
• .avhd
• .bdf
• .bin
• .btr
• .cat
• .cdb
• .ckp
• .cma
• .cpd
• .dacpac
• .dad
• .dadiagrams
• .daschema
• .db
• .db-shm
• .db-wal
• .db2
• .db3
• .dbc
• .dbf
• .dbs
• .dbt
• .dbv
• .dbx
• .dcb
• .dct
• .dcx
• .ddl
• .dlis
• .dp1
• .dqy
• .dsk
• .dsn
• .dtsx
• .dxl
• .eco
• .ecx
• .edb
• .epim
• .exb
• .fcd
• .fic
• .fm5
• .fmp
• .fmp12
• .fmpsl
• .fol
• .fp3
• .fp4
• .fp5
• .fp7
• .fpt
• .frm
• .gdb
• .grdb
• .gwi
• .hdb
• .his
• .hjt
• .ib
• .icg
• .icr
• .idb
• .ihx
• .iso
• .itdb
• .itw
• .jet
• .jtx
• .kdb
• .kdb
• .kexi
• .kexic
• .kexis
• .lgc
• .lut
• .lwx
• .maf
• .maq
• .mar
• .mas
• .mav
• .maw
• .mdb
• .mdf
• .mdn
• .mdt
• .mpd
• .mrg
• .mud
• .mwb
• .myd
• .ndf
• .nnt
• .nrmlib
• .ns2
• .ns3
• .ns4
• .nsf
• .nv
• .nv2
• .nvram
• .nwdb
• .nyf
• .odb
• .oqy
• .ora
• .orx
• .owc
• .p96
• .p97
• .pan
• .pdb
• .pdm
• .pnz
• .pvm
• .qcow2
• .qry
• .qvd
• .raw
• .rbf
• .rctd
• .rod
• .rodx
• .rpd
• .rsd
• .sas7bdat
• .sbf
• .scx
• .sdb
• .sdc
• .sdf
• .sis
• .spq
• .sql
• .sqlite
• .sqlite3
• .sqlitedb
• .subvol
• .te.tps
• .temx
• .tmd
• .trc
• .trm
• .udb
• .udl
• .usr
• .v12
• .vdi
• .vhd
• .vhdx
• .vis
• .vmcx
• .vmdk
• .vmem
• .vmrs
• .vmsd
• .vmsn
• .vmx
• .vpd
• .vsv
• .vvv
• .wdb
• .wmdb
• .wrk
• .xdb
• .xld
• .xmlff

It avoids encrypting files with the following strings in their file path:

• $Recycle.Bin
• $RECYCLE.BIN
• Boot
• ProgramData
• System Volume Information
• temp
• thumb
• tmp
• Trend Micro
• Windows
• winnt

It appends the following extension to the file name of the encrypted files:

• .akira

It drops the following file(s) as ransom note:

• {Encrypted Directory}\akira_readme.txt
  

It avoids encrypting files with the following file extensions:

• .dll
• .exe
• .lnk
• .msi
• .sys