RANSOM_CESLOCKER.THCOHAH

This Ransomware arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. It is capable of encrypting files in the affected system.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %Program Files%\Internet Explorer\iexplore.exe" -nohome ← Command to set the Internet Explorer's home page disabled

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), 7 (32-bit), and 8 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), 7 (64-bit), and 8 (64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• HhQVyWJgqt

Information Theft

This Ransomware gathers the following data:

• User Name
• System Processor
• System Locale ID
• OS Version
• System Language

Other Details

This Ransomware connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.125.1-176.10.125.254
• {BLOCKED}.{BLOCKED}.126.1-176.10.126.254
• {BLOCKED}.{BLOCKED}.127.1-176.10.127.254

It does the following:

• It skips to encrypt the following paths:
  • $recycle.bin
  • systemvolumeinformation
  • temporaryinternetfiles
  • programfiles
  • programdata
  • programfiles(x86)
  • windows
  • microsoft
  • appdata
  • localsettings
  • recycler
  • msocache

It is capable of encrypting files in the affected system.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .1cd
• .3ds
• .3gp
• .accdb
• .ai
• .ape
• .asp
• .aspx
• .bc6
• .bc7
• .bmp
• .cdr
• .cer
• .cfg
• .cfgx
• .cpp
• .cr2
• .crt
• .crw
• .csr
• .csv
• .dbf
• .dbx
• .dcr
• .dfx
• .dib
• .djvu
• .doc
• .docm
• .docx
• .dwg
• .dwt
• .dxf
• .dxg
• .eps
• .htm
• .html
• .ibank
• .indd
• .jfif
• .jpe
• .jpeg
• .jpg
• .kdc
• .kwm
• .max
• .md
• .mdb
• .mdf
• .odb
• .odc
• .odm
• .odp
• .ods
• .odt
• .orf
• .p12
• .p7b
• .p7c
• .pdf
• .pef
• .pem
• .pfx
• .php
• .pl
• .png
• .pps
• .ppt
• .pptm
• .pptx
• .psd
• .pst
• .pub
• .pwm
• .py
• .qbb
• .qbw
• .raw
• .rtf
• .sln
• .sql
• .sqlite
• .svg
• .tif
• .tiff
• .txt
• .vcf
• .wallet
• .wpd
• .xls
• .xlsm
• .xlsx
• .xml

It appends the following extension to the file name of the encrypted files:

• .{Random Characters}

It drops the following file(s) as ransom note:

• {Encrypted Folder}\=_HOW_TO_FIX_{Random Characters}.html
  
• {Encrypted Folder}\=_HOW_TO_FIX_{Random Characters}.txt
  
• {Encrypted Fodler}\=_HOW_TO_FIX_{Random Characters}.url