RANSOM_CRYBRZ.THFDAAH

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It encrypts files found in specific folders.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Desktop%\SUA_CHAVE.html - infection marker

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following copies of itself into the affected system:

• %System Root%\{User Name}\Rand123\local.exe

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It creates the following folders:

• %System Root%\{User Name}
• %System Root%\{User Name}\Rand123

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = "%System Root%\{User Name}\ranso4.jpg"

(Note: The default value data of the said registry entry is {User preference}.)

It sets the system's desktop wallpaper to the following image:

Download Routine

This Ransomware accesses the following websites to download files:

• http://{BLOCKED}.{BLOCKED}p.blogspot.com/-11m8rWaFmWs/WuhochGTK0I/AAAAAAAAFTY/VkbbVhxYZDgW_jlbQ5lPbV8AEhyd4ihgQCK4BGAYYCw/s1600/ranso4.jpg

It saves the files it downloads using the following names:

• %System Root%\{User Name}\ranso4.jpg - Ransom Note

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Information Theft

This Ransomware gathers the following data:

• Machine Name
• User Name

Stolen Information

This Ransomware sends the gathered information via HTTP POST to the following URL:

• http://{BLOCKED}3r2213122c1cxdsxsd.{BLOCKED}x.com/crybrazil/write.php?info={Machine Name}-{User name}_732%20AA151257B1462D642E7E21FF9C80F83CAF043C3572D5ED59BD283D20641E3C9D

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .123
• .602
• .3dm
• .3ds
• .3g2
• .3gp
• .7z
• .accdb
• .aes
• .ai
• .aif
• .apk
• .app
• .asc
• .asf
• .asm
• .asp
• .aspx
• .avi
• .backup
• .bak
• .bat
• .bmp
• .brd
• .bz2
• .c
• .cbr
• .cer
• .cfg
• .cfm
• .cgi
• .cgm
• .class
• .cmd
• .com
• .cpp
• .crt
• .cs
• .csr
• .css
• .csv
• .dat
• .db
• .dbf
• .dch
• .dds
• .deb
• .dem
• .der
• .dif
• .dip
• .djvu
• .doc
• .docb
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .dwg
• .edb
• .eml
• .eps
• .fla
• .flv
• .fnt
• .fon
• .fpx
• .frm
• .gam
• .ged
• .gif
• .gpg
• .gz
• .h
• .htm
• .html
• .hwp
• .ibd
• .ics
• .iff
• .indd
• .iso
• .j2c
• .j2k
• .jar
• .java
• .jfif
• .jif
• .jp2
• .jpeg
• .jpg
• .jpx
• .js
• .json
• .jsp
• .key
• .keychain
• .lay
• .lay6
• .ldf
• .log
• .lua
• .m3u
• .m4a
• .m4u
• .m4v
• .max
• .mdb
• .mdf
• .mht
• .mhtml
• .mid
• .mkv
• .mml
• .mov
• .mp3
• .mp4
• .mpa
• .mpeg
• .mpg
• .msg
• .msi
• .myd
• .myi
• .nef
• .nes
• .obj
• .odb
• .odg
• .odp
• .ods
• .odt
• .old
• .onetoc2
• .ost
• .otf
• .otg
• .otp
• .ots
• .ott
• .p12
• .pages
• .PAQ
• .pas
• .pcd
• .pct
• .pdf
• .pem
• .pfx
• .php
• .pkg
• .pl
• .png
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptx
• .prf
• .prn
• .ps
• .ps1
• .psd
• .pst
• .py
• .rar
• .raw
• .rb
• .rm
• .rom
• .rpm
• .rss
• .rtf
• .sav
• .sch
• .sdf
• .sh
• .sldm
• .sldx
• .slk
• .sln
• .snt
• .sql
• .sqlite3
• .sqlitedb
• .srt
• .stc
• .std
• .sti
• .stw
• .suo
• .svg
• .swf
• .swift
• .sxc
• .sxd
• .sxi
• .sxm
• .sxw
• .tar
• .tbk
• .tex
• .tga
• .tgz
• .thm
• .tif
• .tiff
• .tmp
• .torrent
• .ttf
• .txt
• .uop
• .uot
• .vb
• .vbs
• .vcd
• .vcf
• .vcxproj
• .vdi
• .vmdk
• .vmx
• .vob
• .vsd
• .vsdx
• .wav
• .wb2
• .wk1
• .wks
• .wma
• .wmv
• .wpd
• .wps
• .xhtml
• .xla
• .xlam
• .xlc
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xps
• .yuv
• .zip
• .zipx

It encrypts files found in the following folders:

• %Desktop%
• %User Profile%\My Documents
• %User Profile%\Downloads
• %User Profile%\My Pictures
• %User Profile%\My Music
• %User Profile%\My Videos

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)