Ransom.MSIL.CATAKA.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system and executes them:

• %AppDataLocal%\rundll32.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Readme = %AppDataLocal%\rundll32.exe

Other System Modifications

This Ransomware also creates the following registry entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE
{Username} =

It sets the system's desktop wallpaper to the following image:

• %User Temp%\{9 Random Characters}.jpg
  

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc
• CNTAoSMgr
• code
• dbeng50
• dbsnmp
• encsvc
• excel
• firefoxconfig
• infopath
• isqlplussvc
• mbamtray
• msaccess
• msftesql
• mspub
• mydesktopqos
• mydesktopservice
• mysqld
• mysqld-nt
• mysqld-opt
• Ntrtscan
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• PccNTMon
• powerpnt
• ProcessHacker
• sqbcoreservice
• sqlagent
• sqlbrowser
• sqlservr
• sqlwriter
• steam
• synctime
• tbirdconfig
• thebat
• thebat64
• thunderbird
• tmlisten
• VBoxSVC
• VirtualBoxVM
• visio
• vmplayer
• winword
• wordpad
• wps
• xfssvccon
• zoolz

Other Details

This Ransomware encrypts files with the following extensions:

• .1c
• .1cd
• .3ds
• .3fr
• .3g2
• .3gp
• .7z
• .7zip
• .accda
• .accdb
• .accdc
• .accde
• .accdr
• .accdt
• .accdw
• .ace
• .adp
• .ai
• .ai3
• .ai4
• .ai5
• .ai6
• .ai7
• .ai8
• .amv
• .apk
• .arj
• .arw
• .ascx
• .asm
• .asmx
• .asp
• .aspx
• .avi
• .avs
• .backup
• .bak
• .bay
• .bin
• .bk
• .blob
• .bmp
• .bz2
• .c
• .cab
• .cer
• .cfm
• .ckp
• .config
• .contact
• .core
• .cpp
• .crt
• .cs
• .css
• .csv
• .cub
• .cvs
• .dacpac
• .dae
• .dat
• .db
• .db3
• .dbc
• .dbf
• .dbs
• .dbt
• .dbv
• .dbx
• .dc3
• .dcm
• .dcr
• .dib
• .dic
• .dif
• .divx
• .djvu
• .dmg
• .doc
• .docm
• .docx
• .dot
• .dotx
• .dt
• .dwg
• .dwt
• .epsp
• .exif
• .exr
• .f4v
• .flv
• .frm
• .geo
• .gif
• .gz
• .gzip
• .htm
• .html
• .ibank
• .ico
• .iff
• .inc
• .indd
• .ini
• .iso
• .jar
• .java
• .jpe
• .jpeg
• .jpg
• .js
• .json
• .json
• .jsp
• .jsp
• .jsx
• .key
• .kmz
• .kwm
• .lnk
• .log
• .lzh
• .lzma
• .lzo
• .m1v
• .m4a
• .m4p
• .m4v
• .max
• .mda
• .mdb
• .mde
• .mdf
• .mdw
• .mht
• .mhtml
• .mka
• .mkv
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mpv
• .mrg
• .mrg
• .msg
• .mwb
• .myd
• .myi
• .ndf
• .nef
• .nrw
• .obj
• .odc
• .odm
• .odp
• .ods
• .odt
• .oft
• .onepkg
• .onetoc2
• .opt
• .oqy
• .orf
• .ova
• .p12
• .p7b
• .p7c
• .pam
• .pas
• .pdb
• .pdf
• .pfx
• .php
• .pict
• .pl
• .pls
• .png
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppt
• .pptm
• .pptx
• .ps
• .psb
• .psd
• .pst
• .py
• .qry
• .r3d
• .rar
• .raw
• .rb
• .rgbe
• .rss
• .rtf
• .safe
• .sdb
• .sdf
• .settings
• .sie
• .slk
• .sln
• .sql
• .sqlite
• .sqlite3
• .stm
• .sum
• .svg
• .svgz
• .swf
• .swift
• .tab
• .tar
• .tar.gz
• .tar.xz
• .tbi
• .tgz
• .tif
• .tmd
• .torrent
• .txt
• .txz
• .udl
• .uxdc
• .vb
• .vbox
• .vbs
• .vdi
• .vmdk
• .vmx
• .vob
• .vsdx
• .vss
• .wallet
• .wav
• .wdb
• .webm
• .wim
• .wma
• .wmf
• .wmv
• .wpd
• .wps
• .xhtml
• .xla
• .xlam
• .xlk
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xps
• .xsd
• .xsf
• .xsl
• .xslt
• .xsn
• .xtp2
• .xz
• .z
• .zip
• .zipx

It does the following:

• It checks if its process file path and file name is %AppDataLocal%\rundll32.exe
  • If not, it checks if %AppDataLocal%\rundll32.exe already exists
    • If it exists, it will delete the file and drops a copy of itself as %AppDataLocal%\rundll32.exe.
    • If not, it will drop a copy of itself as %AppDataLocal%\rundll32.exe.
• It checks if the size of the file to encypt is less than or greater than 524,288 bytes
  • If it is less than 524,288 bytes, it will encrypt the whole file.
  • If it is greater than 524,288 bytes, it will use intermittent encryption - First 131,072 bytes, another 131,072 bytes from the middle of the file, and the last 131,072 bytes
• If the current clipboard content is a Bitcoin address, it replaces it with its own hardcoded Bitcoin address.
• It encrypts its targeted files twice.
• It avoids encrypting files with the following file names:
  • boot.ini
  • bootfont.bin
  • bootmgfw.efi
  • bootmgr
  • bootmgr.efi
  • desktop.ini
  • iconcache.db
  • ntuser.dat
  • ntuser.ini
  • Readme.txt
  • thumbs.db

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Ransomware Routine

This Ransomware avoids encrypting files found in the following folders:

• $recycle.bin
• amd
• boot
• documents and settings
• games
• intel
• msocache
• nvidia
• perflogs
• program files
• program files (x86)
• programdata
• windows
• windows.old
• windows.old.old

It appends the following extension to the file name of the encrypted files:

• .{5 Random Alphanumeric Characters}

It drops the following file(s) as ransom note:

• {Encrypted File Path}\Readme.txt