Ransom.Win32.PHOBOS.JSHSMO

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %AppDataLocal%\{Malware FileName}.exe
• %User Startup%\{Malware FileName}.exe
• %All Users Profile%\Microsoft\Windows\Start Menu\Programs\Startup\{Malware FileName}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).. %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). )

It adds the following processes:

• netsh  advfirewall set currentprofile state off
• vssadmin  delete shadows /all /quiet
• wmic  shadowcopy delete
• bcdedit  /set {default} bootstatuspolicy ignoreallfailures
• bcdedit  /set {default} recoveryenabled no
• wbadmin  delete catalog -quiet
• netsh  firewall set opmode mode=disable
• "%System%\mshta.exe" "%Desktop%\info.hta"
• "%System%\mshta.exe" "%Public%\desktop\info.hta"
• "%System%\mshta.exe" "{Drive Letter}:\info.hta"

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware FileName} = %AppDataLocal%\{Malware FileName}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware FileName} = %AppDataLocal%\{Malware FileName}.exe

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

• .id[{Volume Serial ID}-{Generated ID}].[{BLOCKED}el@airmail.cc].dewar

It drops the following file(s) as ransom note:

• %Desktop%\info.hta"
• %Public%\desktop\info.hta
• {Drive Letter}:\info.hta

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)