Ransom.MSIL.LUCKNITE.A
MSIL/Filecoder.F9C3!tr.ransom (FORTINET), Ransom:MSIL/FileCoder.AD!MTB (MICROSOFT)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It uses file names similar to those of legitimate applications to trick a user into thinking they are legitimate.
It encrypts files found in specific folders. It drops files as ransom note.
TECHNICAL DETAILS
23,552 bytes
EXE
No
16 Dec 2022
Displays message/message boxes, Drops files, Encrypts files
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops and executes the following files:
- {All affected directories}\README.txt
- %Application Data%\svchost.exe
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg
- 17CqMQFeuB3NTzJ2X28tfRmWaPyPQgvoHV
Autostart Technique
This Ransomware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Microsoft Store = {ransomware location}
It drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:
- svchost.url ← links to ransomware location
Other System Modifications
This Ransomware uses the following commands to delete built-in operating system data to prevent data recovery:
- wbadmin delete catalog -quiet
- vssadmin delete shadows /all /quiet & wmic shadowcopy delete
- bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Propagation
This Ransomware drops the following copy of itself in all physical and removable drives:
- surprise.exe (except C: drive)
Other Details
This Ransomware encrypts files with the following extensions:
- .1cd
- .3ds
- .3fr
- .3g2
- .3gp
- .7z
- .7zip
- .accda
- .accdb
- .accdc
- .accde
- .accdr
- .accdt
- .accdw
- .ace
- .adp
- .ai
- .ai3
- .ai4
- .ai5
- .ai6
- .ai7
- .ai8
- .amv
- .apk
- .arj
- .arw
- .ascx
- .asm
- .asmx
- .asp
- .aspx
- .avi
- .avs
- .backup
- .bak
- .bay
- .bin
- .bk
- .blob
- .bmp
- .bz2
- .cab
- .cer
- .cfm
- .config
- .contact
- .core
- .cpp
- .crt
- .cs
- .css
- .csv
- .cub
- .cvs
- .dae
- .dat
- .db
- .dbf
- .dbx
- .dc3
- .dcm
- .dcr
- .dib
- .dic
- .dif
- .divx
- .djvu
- .dmg
- .doc
- .docm
- .docx
- .dot
- .dotx
- .dwg
- .dwt
- .epsp
- .exif
- .exr
- .f4v
- .flv
- .geo
- .gif
- .gz
- .gzip
- .htm
- .html
- .ibank
- .ico
- .iff
- .inc
- .indd
- .ini
- .iso
- .jar
- .java
- .jpe
- .jpeg
- .jpg
- .js
- .json
- .jsp
- .key
- .kmz
- .kwm
- .lnk
- .log
- .lzh
- .m1v
- .m4a
- .m4p
- .m4v
- .max
- .mda
- .mdb
- .mde
- .mdf
- .mdw
- .mht
- .mhtml
- .mka
- .mkv
- .mov
- .mp3
- .mp4
- .mpeg
- .mpg
- .mpv
- .msg
- .myi
- .nef
- .obj
- .odc
- .odm
- .odp
- .ods
- .odt
- .oft
- .onepkg
- .onetoc2
- .opt
- .oqy
- .orf
- .p7b
- .p7c
- .p12
- .pam
- .pas
- .pdb
- .pfx
- .php
- .pict
- .pl
- .pls
- .png
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppt
- .pptm
- .pptx
- .ps
- .psb
- .psd
- .pst
- .py
- .r3d
- .rar
- .raw
- .rb
- .rgbe
- .rss
- .rtf
- .safe
- .settings
- .sie
- .slk
- .sln
- .sql
- .stm
- .sum
- .svg
- .svgz
- .swf
- .swift
- .tab
- .tar
- .tar.gz
- .tbi
- .tif
- .torrent
- .txt
- .vb
- .vbs
- .vdi
- .vmdk
- .vob
- .vss
- .wallet
- .wav
- .webm
- .wma
- .wmv
- .wpd
- .wps
- .xla
- .xlam
- .xlk
- .xlm
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xml
- .xps
- .xsd
- .xsf
- .xsl
- .xz
- .zip
It uses file names similar to those of legitimate applications to trick a user into thinking they are legitimate.
It does the following:
- This ransomware uses different encryption methods to target files depending on its file size:
- If file size is less than 2,117,152 bytes:
- It uses AES encryption to encrypt the file
- If file size is more than 200,000,000 bytes:
- It uses a randomly generated Base64 string, then it appends the generated 4-character string to the file name.
- If file size is more than 2,117,152 bytes and less than 200,000,000 bytes:
- It generates a Base64 string from a random UTF-8 encoded bytes of length equal to a quarter of the file size and writes the string to the file. It appends the generated 4-character string to the file name.
Ransomware Routine
This Ransomware encrypts files found in the following folders:
- %Desktop%
- %User Profile%\Links
- %User Profile%\Contacts
- %User Profile%\Documents
- %User Profile%\Downloads
- %User Profile%\Pictures
- %User Profile%\Music
- %User Profile%\OneDrive
- %User Profile%\Saved Games
- %Favorites%
- %User Profile%\Searches
- %User Profile%\Videos
- %Application Data%
- %Public%\Documents
- %Public%\Pictures
- %Public%\Music
- %Public%\Videos
- %Public%\Desktop
(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Favorites% is the current user's Favorites folder, which is usually C:\Documents and Settings\{user name}\Favorites on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Favorites on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)
It avoids encrypting files with the following strings in their file name:
- .lucknite
- README.txt
It appends the following extension to the file name of the encrypted files:
- .lucknite
It drops the following file(s) as ransom note:
- README.txt
SOLUTION
9.800
18.186.02
10 Jan 2023
18.187.00
11 Jan 2023
Step 1
Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:
- TROJ.Win32.TRX.XXPE50FFF063
Step 2
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 3
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Microsoft Store = {ransomware location}
- Microsoft Store = {ransomware location}
Step 5
Search and delete these files
- {All drives except C}\surprise.exe
- %User Startup%\svchost.url
- {All affected directories}\README.txt
- %Application Data%\svchost.exe
Step 6
Enabling Volume Shadow Service
- Run the command prompt (cmd.exe) as administrator.
- Enable Volume Shadow Service by typing the following command:
net start vss
Step 7
Enabling Windows Error Recovery
- Run the command prompt (cmd.exe) as administrator.
- Enable Windows Error Recovery Screen on Startup by typing the following command:
bcdedit /set {default} bootstatuspolicy displayallfailures
Step 8
Restore files from backup Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.
Step 9
Scan your computer with your Trend Micro product to delete files detected as Ransom.MSIL.LUCKNITE.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Did this description help? Tell us how we did.