Ransom.MSIL.TARGETCOMP.YPCIA

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops and executes the following files:

• %User Temp%\Vqstxggumqhfwkill$.bat → contains commands to delete and stop services as well as to terminate processes, deleted afterwards.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following copies of itself into the affected system:

• %Application Data%\Jrpnqm\Nyovdlxx.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\WindowsPowerShe11\v1.0\powershe11. exe " -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

• cmd /c ""%User Temp%\Vqstxggumqhfwkill$.bat""

• reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f

• takeown /f %SystemRoot%\system32\{String} /a
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /g Administrators:f
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /g Users:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /g Administrators:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /d SERVICE
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /d mssqlserver
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /d network service
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /g system:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{system32}\{{String}} /e /d mssql$sqlexpress
• where {String}:
• cmd.exe
• net.exe
• net1.exe
• mshta.exe
• FTP.exe
• wscript.exe
• cscript.exe
• WindowsPowerShell\v1.0\powershell.exe

• takeown /f %SystemRoot%\SysWOW64\{{String}} /a
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /g Administrators:f
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /g Users:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /g Administrators:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /d SERVICE
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /d mssqlserver
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /d network service
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /g system:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %SystemRoot%\{SysWOW64}\{String} /e /d mssql$sqlexpress
• where {String}:
• cmd.exe
• net.exe
• net1.exe
• mshta.exe
• FTP.exe
• wscript.exe
• cscript.exe
• WindowsPowerShell\v1.0\powershell.exe

• takeown /f %ProgramData% /a
• %System%\cmd.exe /S /D /c" echo y"
• cacls %ProgramData% /g Administrators:f
• %System%\cmd.exe /S /D /c" echo y"
• cacls %ProgramData% /e /g Users:r
• %System%\cmd.exe /S /D /c" echo y"
• echo y|cacls %ProgramData% /e /g Administrators:r
• %System%\cmd.exe /S /D /c" echo y"
• echo y|cacls %ProgramData% /e /d SERVICE
• %System%\cmd.exe /S /D /c" echo y"
• echo y|cacls %ProgramData% /e /d mssqlserver
• %System%\cmd.exe /S /D /c" echo y"
• echo Y|cacls %ProgramData% /e /d "network service"
• %System%\cmd.exe /S /D /c" echo y"
• echo y|cacls %ProgramData% /e /d system
• %System%\cmd.exe /S /D /c" echo y"
• echo Y|cacls %ProgramData% /e /d mssql$sqlexpress

• takeown /f %Public% /a
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /g Administrators:f
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /g Users:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /g Administrators:r
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /d SERVICE
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /d mssqlserver
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /d "network service"
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /d system
• %System%\cmd.exe /S /D /c" echo y"
• cacls %Public% /e /d mssql$sqlexpress

• vssadmin delete shadows /all /quiet
• %System%\cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
• %System%\cmd.exe /c bcdedit /set {current} recoveryenabled no
• net stop {Services Stopped}
• sc delete {Services Deleted}
• taskkill /IM {Process List} /F

(Note: %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It creates the following folders:

• %Application Data%\Jrpnqm

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It injects codes into the following process(es):

• %Windows%\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Nyovdlxx = %Application Data%\Jrpnqm\Nyovdlxx.exe

Process Termination

This Ransomware terminates the following services if found on the affected system:

• where {Services Stopped}:
• U8WorkerService1
• U8WorkerService2
• memcached Server
• Apache2.4
• UFIDAWebService
• MSComplianceAudit
• MSExchangeADTopology
• MSExchangeAntispamUpdate
• MSExchangeCompliance
• MSExchangeDagMgmt
• MSExchangeDelivery
• MSExchangeDiagnostics
• MSExchangeEdgeSync
• MSExchangeFastSearch
• MSExchangeFrontEndTransport
• MSExchangeHM
• MSSQL$SQL2008
• MSExchangeHMRecovery
• MSExchangeImap4
• MSExchangeIMAP4BE
• MSExchangeIS
• MSExchangeMailboxAssistants
• MSExchangeMailboxReplication
• MSExchangeNotificationsBroker
• MSExchangePop3
• MSExchangePOP3BE
• MSExchangeRepl
• MSExchangeRPC
• MSExchangeServiceHost
• MSExchangeSubmission
• MSExchangeThrottling
• MSExchangeTransport
• MSExchangeTransportLogSearch
• MSExchangeUM
• MSExchangeUMCR
• MySQL5_OA
• HaoZipSvc
• igfxCUIService2.0.0.0
• Realtek11nSU
• xenlite
• XenSvc
• Apache2.2
• Synology Drive VSS Service x64
• DellDRLogSvc
• FirebirdGuardianDeafaultInstance
• JWEM3DBAUTORun
• JWRinfoClientService
• JWService
• Service2
• RapidRecoveryAgent
• FirebirdServerDefaultInstance
• AdobeARMservice
• VeeamCatalogSvc
• VeeanBackupSvc
• VeeamTransportSvc
• TPlusStdAppService1300
• TPlusStdTaskService1300
• TPlusStdUpgradeService1300
• TPlusStdWebService1300
• VeeamNFSSvc
• VeeamDeploySvc
• VeeamCloudSvc
• VeeamMountSvc
• VeeamBrokerSvc
• VeeamDistributionSvc
• tmlisten
• ServiceMid
• 360EntPGSvc
• ClickToRunSvc
• RavTask
• AngelOfDeath
• d_safe
• NFLicenceServer
• NetVault Process Manager
• RavService
• DFServ
• IngressMgr
• EvtSys
• K3ClouManager
• NFVPrintServer
• RTCAVMCU
• CobianBackup10
• GNWebService
• Mysoft.SchedulingService
• AgentX
• SentinelKeysServer
• DGPNPSEV
• TurboCRM70
• NFSysService
• U8DispatchService
• NFOTPService
• U8EISService
• U8EncryptService
• U8GCService
• U8KeyManagePool
• U8MPool
• U8SCMPool
• U8SLReportService
• U8TaskService
• U8WebPool
• UFAllNet
• UFReportService
• UTUService
• UIODetect
• VMwareHostd
• TeamViewer8
• VMUSBArbService
• VMAuthdService
• wanxiao-monitor
• WebAttendServer
• mysqltransport
• VMnetDHCP
• VMware NAT Service
• Tomcat8
• TeamViewer
• QPCore
• CASLicenceServer
• CASWebServer
• AutoUpdateService
• Alibaba Security Aegis Detect Service
• Alibaba Security Aegis Update Service
• AliyunService
• CASXMLService
• AGSService
• RapService
• DDNSService
• iNethinkSQLBackupSvc
• CASVirtualDiskService
• CASMsgSrv
• OracleOraDb10g_homeliSQL*Plus
• OracleDBConsoleilas
• MySQL
• TPlusStdAppService1220
• TPlusStdTaskService1220
• TPlusStdUpgradeService1220
• K3MobileServiceManage
• FileZilla Server
• DDVRulesProcessor
• ImtsEventSvr
• AutoUpdatePatchService
• OMAILREPORT
• Dell Hardware Support
• SupportAssistAgent
• K3MMainSuspendService
• KpService
• ceng_web_svc_d
• KugouService
• pcas
• U8SendMailAdmin
• Bonjour Service
• Apple Mobile Device Service
• ABBYY.Licensing.FineReader.Professional.12.0
• MSSQLServerADHelper100
• MSSQL$ISARS
• MSSQL$MSFW
• SQLAgent$ISARS
• SQLAgent$MSFW
• SQLBrowser
• ReportServer$ISARS
• SQLWriter
• WinDefend
• mr2kserv
• MSExchangeADTopology
• MSExchangeFBA
• MSExchangeIS
• MSExchangeSA
• ShadowProtectSvc
• SPAdminV4
• SPTimerV4
• SPTraceV4
• SPUserCodeV4
• SPWriterV4
• SPSearch4
• MSSQLServerADHelper100
• IISADMIN
• firebirdguardiandefaultinstance
• ibmiasrw
• QBCFMonitorService
• QBVSS
• QBPOSDBServiceV12
• IBM Domino Server (CProgramFilesIBMDominodata)
• IBM Domino Diagnostics (CProgramFilesIBMDomino)
• IISADMIN
• Simply Accounting Database Connection Manager
• QuickBooksDB1
• QuickBooksDB2
• QuickBooksDB3
• QuickBooksDB4
• QuickBooksDB5

It terminates the following processes if found running in the affected system's memory:

• where {Process List}:
• sqlservr.exe
• httpd.exe
• java.exe
• fdhost.exe
• fdlauncher.exe
• reportingservicesservice.exe
• softmgrlit.e.exe
• sqlbrowser.exe
• ssms.exe
• vmtoolsd.exe
• baidunetdisk.exe
• yundetectservice.exe
• ssclient.exe
• GNAupdaemon.exe
• RAVCp164.exe
• igfxEM.exe
• igfxHK.exe
• igfxTray.exe
• 360bdoctor.exe
• GNCEFExternal.exe
• PrivacyIconClient.exe
• UIODetect.exe
• AutoDealService.exe
• IDDAService.exe
• EnergyDataService.exe
• MPService.exe
• TransMain.exe
• DAService.exe
• GoogleCrashHandler.exe
• GoogleCrashHandler64.exe
• GoogleUpdate.exe
• cohernece.exe
• vmware-tray.exe
• MsDtsSrvr.exe
• msmdsrv.exe
• FileZillaserver.exe
• UpdateData.exe
• WebApi.Host.exe
• VGAuthService.exe
• omtsreco.exe
• TNSLSNR.exe
• oracle.exe
• msdtc.exe
• mmc.exe
• emagent.exe
• Admin.exe
• EnterprisePortal.exe
• tomcat7.exe
• Kingdee.K3.CRM.MMC.MMCService.exe
• Kingdee.k3.Weixin.ClientService.exe
• Kingdee.K3.PUBLIC.BkgSvcHost.exe
• Kingdee.K3.HR.Server.exe
• Kingdee.K3.PUBLIC.KDSvrMgrHost.exe
• tomcat5.exe
• Kingdee.DeskTool.exe
• UserClient.exe
• mysqld.exe
• ImtsEventSvr.exe
• mysqld-nt.exe
• 360EnterpriseDiskUI.exe
• tomcat8.exe
• QQprotect.exe
• isqlplussvc.exe
• nmesrvc.exe
• jusched.exe
• MtxHotPlugService.exe
• jucheck.exe
• wordpad.exe
• SecureCRT.exe
• chrome.exe
• Thunder.exe
• ThunderPlatform.exe
• iexplore.exe
• vm-agent.exe
• vm-agent-daemon.exe
• eSightService.exe
• cygrunsrv.exe
• wrapper.exe
• nginx.exe
• node.exe
• sshd.exe
• vm-tray.exe
• iempwatchdog.exe
• sqlwrit.er.exe
• php.exe
• notepad++.exe
• phpStudy.exe
• OPCClient.exe
• navicat.exe
• SupportAssistAgent.exe
• SunloginClient.exe
• SOUNDMAN.exe
• WeChat.exe
• TXPlatform.exe
• Tencentdll.exe
• jenkins.exe
• QQ.exe
• HaoZip.exe
• HaoZipScan.exe
• TSVNCache.exe
• RAVCpl64.exe
• secbizsrv.exe
• aliwssv.exe
• Helper_Haozip.exe
• acrotray.exe
• FileZillaServerInterface.exe
• YoudaoNote.exe
• YNoteCefRender.exe
• idea.exe
• fsnotifier.exe
• picpick.exe
• lantern.exe
• sysproxy-cmd.exe
• service.exe
• pcas.exe
• PresentationFontCache.exe
• RtWlan.exe
• monit.or.exe
• Correspond.exe
• ChatServer.exe
• InetMgr.exe
• LogonServer.exe
• GameServer.exe
• ServUAdmin.exe
• ServUDaemon.exe
• update0.exe
• server.exe
• w3wp.exe
• notepad.exe
• PalmInputService.exe
• PalmInputGuard.exe
• UpdateServer.exe
• UpdateGate.exe
• DBServer.exe
• LoginGate.exe
• SelGate.exe
• RunGate.exe
• M2Server.exe
• LogDataServer.exe
• LoginSrv.exe
• sqlceip.exe
• mqsvc.exe
• RefundOrder.exe
• ClamTray.exe
• AdobeARM.exe
• veeam.backup.shell.exe
• VpxClient.exe
• vmware-vmrc.exe
• DSCPatchService.exe
• scktsrvr.exe
• ServerManager.exe
• Dispatcher.exe
• EFDispatcher.exe
• ClamWin.exe
• srvany.exe
• JT_AG-8332.exe
• XXTClient.exe
• clean.exe
• Net.Service.exe
• plsqldev.exe
• splwow64.exe
• Oobe.exe
• QQYService.exe
• SGTool.exe
• postgres.exe
• AppVShNotify.exe
• OfficeClickToRun.exe
• EntDT.exe
• EntPublish.exe
• pg_ctl.exe
• rcrelay.exe
• SogouImeBroker.exe
• CCenter.exe
• ScanFrm.exe
• d_manage.exe
• RsTray.exe
• wampmanager.exe
• RavTray.exe
• mssearch.exe
• sqlmangr.exe
• msftesql.exe
• SyncBaseSvr.exe
• SyncBaseConsole.exe
• aspnet_state.exe
• AutoBackUpEx.exe
• redis-server.exe
• MySQLNotifier.exe
• oravssw.exe
• fppdis5.exe
• His6Service.exe
• dinotify.exe
• JhTask.exe
• Executer.exe
• AllPassCBHost.exe
• ap_nginx.exe
• AndroidServer.exe
• XT.exe
• XTService.exe
• AllPassMCService.exe
• IMEDICTUPDATE.exe
• FlashHelperService.exe
• ap_redis-server.exe
• UtilDev.WebServer.Monit.or.exe
• UWS.AppHost.Clr2.x86.exe
• Foxit.Protect.exe
• ftnlses.exe
• ftusbrdwks.exe
• ftusbrdsrv.exe
• ftnlsv.exe
• Syslogd_Service.exe
• UWS.HighPrivilegeUtilit.ies.exe
• ftusbsrv.exe
• UWS.LowPrivilegeUtilit.ies.exe
• UWS.AppHost.Clr2.AnyCpu.exe
• winguard_x64.exe
• vmconnect.exe
• firefox.exe
• usbrdsrv.exe
• usbserver.exe
• Foxmail.exe
• qemu-ga.exe
• wwbizsrv.exe
• ZTEFileTranS.exe
• ZTEUsbIpc.exe
• ZTEUsbIpcGuard.exe
• AlibabaProtect.exe
• kbasesrv.exe
• ZTEVdservice.exe
• MMRHookService.exe
• extjob.exe
• IpOverUsbSvc.exe
• VMwareTray.exe
• devenv.exe
• PerfWatson2.exe
• ServiceHub.Host.Node.x86.exe
• ServiceHub.Identit.yHost.exe
• ServiceHub.VSDetouredHost.exe
• ServiceHub.SettingsHost.exe
• ServiceHub.Host.CLR.x86.exe
• ServiceHub.RoslynCodeAnalysisService32.exe
• ServiceHub.DataWarehouseHost.exe
• Microsoft.VisualStudio.Web.Host.exe
• SQLEXPRWT.exe
• setup.exe
• remote.exe
• setup100.exe
• landingpage.exe
• WINWORD.exe
• KuaiYun.exe
• HwsHostPanel.exe
• NovelSpider.exe
• Service_KMS.exe
• WebServer.exe
• ChsIME.exe
• btPanel.exe
• Protect_2345Explorer.exe
• Pic_2345Svc.exe
• vmware-converter-a.exe
• vmware-converter.exe
• vmware.exe
• vmware-unit.y-helper.exe
• vmware-vmx.exe
• usysdiag.exe
• PopBlock.exe
• gsinterface.exe
• Gemstar.Group.CRS.Client.exe
• TenpayServer.exe
• RemoteExecService.exe
• VS_TrueCorsManager.exe
• ntpsvr-2019-01-22-wgs84.exe
• rtkjob-ion.exe
• ntpsvr-2019-01-22-no-usrcheck.exe
• NtripCaster-2019-01-08.exe
• BACSTray.exe
• protect.exe
• hfs.exe
• jzmis.exe
• NewFileTime_x64.exe
• 2345MiniPage.exe
• JMJ_server.exe
• cacls.exe
• gpsdaemon.exe
• gpsusersvr.exe
• gpsdownsvr.exe
• gpsstoragesvr.exe
• gpsdataprocsvr.exe
• gpsftpd.exe
• gpsmysqld.exe
• gpstomcat6.exe
• gpsloginsvr.exe
• gpsmediasvr.exe
• gpsgatewaysvr.exe
• gpssvrctrl.exe
• zabbix_agentd.exe
• BackupExec.exe
• Att.exe
• mdm.exe
• BackupExecManagementService.exe
• bengine.exe
• benetns.exe
• beserver.exe
• pvlsvr.exe
• bedbg.exe
• beremote.exe
• RemoteAssistProcess.exe
• BarMoniService.exe
• GoodGameSrv.exe
• BarCMService.exe
• TsService.exe
• GoodGame.exe
• BarServerView.exe
• IcafeServicesTray.exe
• BsAgent_0.exe
• ControlServer.exe
• DisklessServer.exe
• DumpServer.exe
• NetDiskServer.exe
• PersonUDisk.exe
• service_agent.exe
• SoftMemory.exe
• BarServer.exe
• RtkNGUI64.exe
• Serv-U-Tray.exe
• QQPCSoftTrayTips.exe
• SohuNews.exe
• Serv-U.exe
• QQPCRTP.exe
• EasyFZS.exe
• HaoYiShi.exe
• HysMySQL.exe
• wtautoreg.exe
• ispirit.Pro.exe
• CAService.exe
• XAssistant.exe
• TrustCA.exe
• GEUU20003.exe
• CertMgr.exe
• eSafe_monit.or.exe
• MainExecute.exe
• FastInvoice.exe
• sesvc.exe
• ScanFileServer.exe
• Nuoadehgcgcd.exe
• OpenFastAssist.exe
• FastInvoiceAssist.exe
• Nuoadfaggcje.exe
• OfficeUpdate.exe
• atkexComSvc.exe
• FileTransferAgent.exe
• MasterReplicatorAgent.exe
• CrmAsyncService.exe
• CrmUnzipService.exe
• NscAuthService.exe
• ReplicaReplicatorAgent.exe
• ASMCUSvc.exe
• OcsAppServerHost.exe
• RtcCdr.exe
• IMMCUSvc.exe
• DataMCUSvc.exe
• MeetingMCUSvc.exe
• QmsSvc.exe
• RTCSrv.exe
• pnopagw.exe
• NscAuth.exe
• Microsoft.ActiveDirectory.WebServices.exe
• DistributedCacheService.exe
• c2wtshost.exe
• Microsoft.Office.Project.Server.Calculation.exe
• schedengine.exe
• Microsoft.Office.Project.Server.Eventing.exe
• Microsoft.Office.Project.Server.Queuing.exe
• WSSADMIN.EXE
• hostcontrollerservice.exe
• noderunner.exe
• OWSTIMER.EXE
• wsstracing.exe
• MySQLInstallerConsole.exe
• EXCEL.EXE
• consent.exe
• RtkAudioService64.exe
• RAVBg64.exe
• FNPLicensingService64.exe
• VisualSVNServer.exe
• MotionBoard57.exe
• MotionBoardRCService57.exe
• LPManService.exe
• RaRegistry.exe
• RaAutoInstSrv.exe
• RtHDVCpl.exe
• DefenderDaemon.exe
• BestSyncApp.exe
• ApUI.exe
• AutoUpdate.exe
• LPManNotifier.exe
• FieldAnalyst.exe
• TimingGenerate.exe
• Detector.exe
• Estimator.exe
• FA_Logwrit.er.exe
• TrackingSrv.exe
• cbInterface.exe
• ccbService.exe
• U8DispatchService.exe
• dbsrv16.exe
• KICManager.exe
• KICMain.exe
• ServerManagerLauncher.exe
• TbossGate.exe
• iusb3mon.exe
• MgrEnvSvc.exe
• Mysoft.Config.WindowsService.exe
• Mysoft.UpgradeService.UpdateService.exe
• hasplms.exe
• Mysoft.Setup.InstallService.exe
• Mysoft.UpgradeService.Dispatcher.exe
• Mysoft.DataCenterService.WindowsHost.exe
• Mysoft.DataCenterService.DataCleaning.exe
• Mysoft.DataCenterService.DataTracking.exe
• Mysoft.SchedulingService.WindowsHost.exe
• ServiceMonit.or.exe
• Mysoft.SchedulingService.ExecuteEngine.exe
• AgentX.exe
• host.exe
• vsjit.debugger.exe
• VBoxSDS.exe
• TeamViewer_Service.exe
• TeamViewer.exe
• CasLicenceServer.exe
• tv_w32.exe
• tv_x64.exe
• rdm.exe
• SecureCRTPortable.exe
• VirtualBox.exe
• VBoxSVC.exe
• VirtualBoxVM.exe
• abs_deployer.exe
• edr_monit.or.exe
• sfupdatemgr.exe
• ipc_proxy.exe
• edr_agent.exe
• edr_sec_plan.exe
• sfavsvc.exe
• DataShareBox.ShareBoxMonit.orService.exe
• DataShareBox.ShareBoxService.exe
• Jointsky.CloudExchangeService.exe
• Jointsky.CloudExchange.NodeService.ein
• perl.exe
• TsServer.exe
• AppMain.exe
• easservice.exe
• Kingdee6.1.exe
• QyKernel.exe
• QyFragment.exe
• ComputerZTray.exe
• ComputerZService.exe
• ClearCache.exe
• ProLiantMonit.or.exe
• bugreport.exe
• GNWebServer.exe
• UI0Detect.exe
• GNCore.exe
• gnwayDDNS.exe
• GNWebHelper.exe
• php-cgi.exe
• ESLUSBService.exe
• CQA.exe
• Kekcoek.pif
• Tinuknx.exe
• servers.exe
• ping.exe
• TianHeng.exe
• K3MobileService.exe
• VSSVC.exe
• Xshell.exe
• XshellCore.exe
• FNPLicensingService.exe
• XYNTService.exe
• EISService.exe
• UFSoft.U8.Framework.EncryptManager.exe
• yonyou.u8.gc.taskmanager.servicebus.exe
• U8KeyManagePool.exe
• U8MPool.exe
• U8SCMPool.exe
• UFIDA.U8.Report.SLReportService.exe
• U8TaskService.exe
• U8TaskWorker.exe
• U8WebPool.exe
• U8AllAuthServer.exe
• UFIDA.U8.UAP.ReportService.exe
• UFIDA.U8.ECE.UTU.Services.exe
• U8WorkerService.exe
• UFIDA.U8.ECE.UTU.exe
• ShellStub.exe
• U8UpLoadTask.exe
• UfSysHostingService.exe
• UFIDA.UBF.SystemManage.ApplicationService.exe
• UFIDA.U9.CS.Collaboration.MailService.exe
• NotificationService.exe
• UBFdevenv.exe
• UFIDA.U9.SystemManage.SystemManagerClient.exe
• mongod.exe
• SpusCss.exe
• UUDesktop.exe
• KDHRServices.exe
• Kingdee.K3.Mobile.Servics.exe
• KDSvrMgrService.exe
• pdfServer.exe
• pdfspeedup.exe
• SufAppServer.exe
• Kingdee.K3.Mobile.LightPushService.exe
• iMTSSvcMgr.exe
• kdmain.exe
• KDActMGr.exe
• K3ServiceUpdater.exe
• Aua.exe
• iNethinkSQLBackup.exe
• auaJW.exe
• Scheduler.exe
• bschJW.exe
• SystemTray64.exe
• OfficeDaemon.exe
• OfficeIndex.exe
• OfficeIm.exe
• iNethinkSQLBackupConsole.exe
• OfficeMail.exe
• OfficeTask.exe
• OfficePOP3.exe
• apache.exe
• PccNTMon.exe
• NTRtScan.exe
• TmListen.exe
• TmCCSF.exe
• TmProxy.exe
• TMBMSRV.exe
• TmPfw.exe
• CNTAoSMgr.exe
• sqlwriter.exe
• SQLAGENT.EXE
• UniFi.exe
• GnHostService.exe → Terminates the specified process and any child processes which were started by it.
• HwUVPUpgrade.exe → Terminates the specified process and any child processes which were started by it.
• Kingdee.KIS.UESystemSer.exe → Terminates the specified process and any child processes which were started by it.
• uvpmonit.or.exe → Terminates the specified process and any child processes which were started by it.
• UVPUpgradeService.exe → Terminates the specified process and any child processes which were started by it.
• KDdataUpdate.exe → Terminates the specified process and any child processes which were started by it.
• Portal.exe → Terminates the specified process and any child processes which were started by it.
• U8SMSSrv.exe → Terminates the specified process and any child processes which were started by it.
• Ufida.T.SM.PublishService.exe → Terminates the specified process and any child processes which were started by it.
• lta8.exe → Terminates the specified process and any child processes which were started by it.
• UfSvrMgr.exe → Terminates the specified process and any child processes which were started by it.
• AutoUpdateService.exe → Terminates the specified process and any child processes which were started by it.
• MOM.exe → Terminates the specified process and any child processes which were started by it.

Information Theft

This Ransomware accepts the following parameters:

• -l
• -d
• -p
• -path {path to encrypt} → encrypts specific path inputted on the command-line.

Other Details

This Ransomware encrypts files with the following extensions:

• .bak
• .zip
• .rar
• .7z
• .gz
• .sql
• .mdf
• .hdd
• .vhd
• .vdi
• .vmx
• .vmdk
• .nvram
• .vmem
• .vmsn
• .vmsd
• .vmss
• .lck
• .vhdx
• .dbf
• .ora
• .oraenv
• .dmp
• .ibd
• .mdb

It does the following:

• It encrypts files from local drives, removable drives, and network shares

• It deletes the following services:
• where {Services Deleted}:
• XT800Service_Personal
• SQLSERVERAGENT
• SQLWriter
• SQLBrowser
• MSSQLFDLauncher
• MSSQLSERVER
• QcSoftService
• MSSQLServerOLAPService
• VMTools
• VGAuthService
• MSDTC
• TeamViewer
• ReportServer
• RabbitMQ
• AHS SERVICE
• Sense Shield Service
• SSMonitorService
• SSSyncService
• TPlusStdAppService1300
• MSSQL$SQL2008
• SQLAgent$SQL2008
• TPlusStdTaskService1300
• TPlusStdUpgradeService1300
• VirboxWebServer
• jhi_service
• LMS
• FontCache3.0.0.0
• OSP Service
• DAService_TCP
• eCard-TTransServer
• eCardMPService
• EnergyDataService
• UI0Detect
• K3MobileService
• TCPIDDAService
• WebAttendServer
• UIODetect
• wanxiao-monitor
• VMAuthdService
• VMUSBArbService
• VMwareHostd
• vm-agent
• VmAgentDaemon
• OpenSSHd
• eSightService
• apachezt
• Jenkins
• secbizsrv
• SQLTELEMETRY
• MSMQ
• smtpsvrJT
• zyb_sync
• 360EntHttpServer
• 360EntSvc
• 360EntClientSvc
• NFWebServer
• wampapache
• MSSEARCH
• msftesql
• SyncBASE Service
• OracleDBConcoleorcl
• OracleJobSchedulerORCL
• OracleMTSRecoveryService
• OracleOraDb11g_home1ClrAgent
• OracleOraDb11g_home1TNSListener
• OracleVssWriterORCL
• OracleServiceORCL
• aspnet_stateRedis
• JhTask
• ImeDictUpdateService
• MCService
• allpass_redisservice_port21160
• Flash Helper Service
• Kiwi Syslog Server
• UWS HiPriv Services
• UWS LoPriv Services
• ftnlsv3
• ftnlses3
• FxService
• UtilDev Web Server Pro
• ftusbrdwks
• ftusbrdsrv
• ZTE USBIP Client Guard
• ZTE USBIP Client
• ZTE FileTranS
• wwbizsrv
• qemu-ga
• AlibabaProtect
• ZTEVdservice
• kbasesrv
• MMRHookService
• IpOverUsbSvc
• MsDtsServer100
• KuaiYunTools
• KMSELDI
• btPanel
• Protect_2345Explorer
• 2345PicSvc
• vmware-converter-agent
• vmware-converter-server
• vmware-converter-worker
• QQCertificateService
• OracleRemExecService
• GPSDaemon
• GPSUserSvr
• GPSDownSvr
• GPSStorageSvr
• GPSDataProcSvr
• GPSGatewaySvr
• GPSMediaSvr
• GPSLoginSvr
• GPSTomcat6
• GPSMysqld
• GPSFtpd
• Zabbix Agent
• BackupExecAgentAccelerator
• bedbg
• BackupExecDeviceMediaService
• BackupExecRPCService
• BackupExecAgentBrowser
• BackupExecJobEngine
• BackupExecManagementService
• MDM
• TxQBService
• Gailun_Downloader
• RemoteAssistService
• YunService
• Serv-U
• EasyFZS Server
• Rpc Monitor
• OpenFastAssist
• Nuo Update Monitor
• Daemon Service
• asComSvc
• OfficeUpdateService
• RtcSrv
• RTCASMCU
• FTA
• MASTER
• NscAuthService
• MSCRMUnzipService
• MSCRMAsyncService$maintenance
• MSCRMAsyncService
• REPLICA
• RTCATS
• RTCAVMCU
• RtcQms
• RTCMEETINGMCU
• RTCIMMCU
• RTCDATAMCU
• RTCCDR
• ProjectEventService16
• ProjectQueueService16
• SPAdminV4
• SPSearchHostController
• SPTimerV4
• SPTraceV4
• OSearch16
• ProjectCalcService16
• c2wts
• AppFabricCachingService
• ADWS
• MotionBoard57
• MotionBoardRCService57
• vsvnjobsvc
• VisualSVNServer
• FlexNet Licensing Service 64
• BestSyncSvc
• LPManager
• MediatekRegistryWriter
• RaAutoInstSrv_RT2870
• CobianBackup10
• SQLANYs_sem5
• CASLicenceServer
• SQLService
• semwebsrv
• TbossSystem
• ErpEnvSvc
• Mysoft.Autoupgrade.DispatchService
• Mysoft.Autoupgrade.UpdateService
• Mysoft.Config.WindowsService
• Mysoft.DataCenterService
• Mysoft.SchedulingService
• Mysoft.Setup.InstallService
• MysoftUpdate
• edr_monitor
• abs_deployer
• savsvc
• ShareBoxMonitorService
• ShareBoxService
• CloudExchangeService
• U8WorkerService2
• CIS
• EASService
• KICkSvr
• OSP Service
• U8SmsSrv
• OfficeClearCache
• TurboCRM70
• U8DispatchService
• U8EISService
• U8EncryptService
• U8GCService
• U8KeyManagePool
• U8MPool
• U8SCMPool
• U8SLReportService
• U8TaskService
• U8WebPool
• UFAllNet
• UFReportService
• UTUService
• U8WorkerService1
• vmickvpexchange
• vmicguestinterface
• vmicshutdown
• vmicheartbeat
• vmicrdv
• storflt
• vmictimesync
• vmicvss
• hvdsvc
• nvspwmi
• wmms
• AvgAdminServer
• AVG Antivirus
• avgAdminClient
• SAVService
• SAVAdminService
• Sophos AutoUpdate Service
• Sophos Clean Service
• Sophos Device Control Service
• Sophos Endpoint Defense Service
• Sophos File Scanner Service
• Sophos Health Service
• Sophos MCS Agent
• Sophos MCS Client
• SntpService
• swc_service
• swi_service
• Sophos UI
• swi_update
• Sophos Web Control Service
• Sophos System Protection Service
• Sophos Safestore Service
• hmpalertsvc
• RpcEptMapper
• SophosFIM
• swi_filter
• FirebirdGuardianDefaultInstance
• FirebirdServerDefaultInstance
• MSSQLFDLauncher
• MSSQLSERVER
• SQLSERVERAGENT
• SQLBrowser
• SQLTELEMETRY
• MsDtsServer130
• SSISTELEMETRY130
• SQLWriter
• MSSQL$VEEAMSQL2012
• SQLAgent$VEEAMSQL2012
• MSSQL
• SQLAgent
• MSSQLServerADHelper100
• MSSQLServerOLAPService
• MsDtsServer100
• ReportServer
• SQLTELEMETRY$HL
• TMBMServer
• MSSQL$PROGID
• MSSQL$WOLTERSKLUWER
• SQLAgent$PROGID
• SQLAgent$WOLTERSKLUWER
• MSSQLFDLauncher$OPTIMA
• MSSQL$OPTIMA
• SQLAgent$OPTIMA
• ReportServer$OPTIMA
• msftesql$SQLEXPRESS
• postgresql-x64-9.4
• WRSVC
• ekrn
• ekrnEpsw
• klim6
• AVP18.0.0
• KLIF
• klpd
• klflt
• klbackupdisk
• klbackupflt
• klkbdflt
• klmouflt
• klhk
• KSDE1.0.0
• kltap
• ScSecSvc
• Core Mail Protection
• Core Scanning Server
• Core Scanning ServerEx
• Online Protection System
• RepairService
• Core Browsing Protection
• Quick Update Service
• McAfeeFramework
• macmnsvc
• masvc
• mfemms
• mfevtp
• TmFilter
• TMLWCSService
• tmusa
• TmPreFilter
• TMSmartRelayService
• TMiCRCScanService
• VSApiNt
• TmCCSF
• tmlisten
• TmProxy
• ntrtscan
• ofcservice
• TmPfw
• PccNTUpd
• PandaAetherAgent
• PSUAService
• NanoServiceMain
• EPIntegrationService
• EPProtectedService
• EPRedline
• EPSecurityService
• EPUpdateService
• UniFi

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• desktop.ini
• ntuser.dat
• thumbs.db
• iconcache.db
• ntuser.ini
• ntldr
• bootfont.bin
• bootsect.bak
• ntuser.dat.log
• boot.ini
• autorun.inf
• debugLog.txt

It avoids encrypting files with the following strings in their file path:

• msocache
• $$windows.~ws
• system volume information
• intel
• appdata
• perflogs
• programdata
• google
• application data
• tor browser
• boot
• $windows.~bt
• mozilla
• windows.old
• Windows Microsoft.NET
• WindowsPowerShell
• Windows NT
• %Windows%
• Common Files
• Microsoft Security Client
• Internet Explorer
• Reference
• Assemblies
• Windows Defender
• Microsoft ASP.NET
• Core Runtime
• Package
• Store
• Microsoft Help Viewer
• Microsoft MPI
• Windows Kits
• Microsoft.NET
• Windows Mail
• Microsoft Security Client
• Package Store
• Microsoft Analysis Services
• Windows Portable Devices
• Windows Photo Viewer
• Windows Sidebar

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It appends the following extension to the file name of the encrypted files:

• .FARGO3

It leaves text files that serve as ransom notes containing the following text:

• {Drive Letter:}\RECOVERY FILES.txt
• {Encrypted Directory:}\RECOVERY FILES.txt
  

It avoids encrypting files with the following file extensions:

• .msstyles
• .icl
• .idx
• .avast
• .rtp
• .mallox
• .FARGO
• .FARGO2
• .FARGO3
• .sys
• .nomedia
• .dll
• .FARGO4
• .hta
• .cur
• .lock
• .cpl
• .Globeimposter- Alpha865qqz
• .ics
• .hlp
• .com
• .spl
• .msi
• .key
• .mpa
• .rom
• .drv
• .bat
• .386
• .adv
• .diangcab
• .mod
• .scr
• .theme
• .ocx
• .prf
• .cab
• .diagcfg
• .msu
• .cmd
• .ico
• .msc
• .ani
• .icns
• .diagpkg
• .desktopthemepack
• .wpx
• .msp
• .bin
• .themepack
• .shs
• .nls
• .exe
• .lnk
• .ps1
• .fuk
• .kuf