Ransom.Win64.RUTHENS.THLABBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• wmic.exe shadowcopy delete
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• wbadmin.exe delete systemstatebackup -keepVersions:3
• wbadmin.exe delete systemstatebackup
• bcdedit.exe /set {default} recoveryenabled No
• vssadmin.exe delete shadows /all /quiet
• wbadmin.exe delete catalog-quiet
• notepad.exe {Drive}:\Contact Us.txt

Process Termination

This Ransomware terminates the following services if found on the affected system:

• mepocs
• memtas
• veeam
• svc$
• backup
• sql
• vss
• msexchange
• vmm
• vmwp

It terminates the following processes if found running in the affected system's memory:

• encsvc
• thebat
• mydesktopqos
• xfssvccon
• firefox
• infopath
• winword
• steam
• synctime
• notepad
• ocomm
• onenote
• mspub
• thunderbird
• agntsvc
• sql
• excel
• powerpnt
• outlook
• wordpad
• dbeng50
• isqlplussvc
• sqbcoreservice
• oracle
• ocautoupds
• dbsnmp
• msaccess
• tbirdconfig
• ocssd
• mydesktopservice
• visio

Other Details

This Ransomware does the following:

• It accepts the following argument:
  • -c {username}:{password} → Required. Specifies the username and password to access the contact page
  • -a, -attach, --attach → Enables logging
  • -A, -no-aggressive, --no-aggressive → Disables the deletion of backups and recovery
  • -E, -no-extension, --no-extension → Disables appending of extension to files
  • -m, -min-size, --min-size → Specifies the minimum file size for encryption (in bytes)
  • {File or Path to encrypt} → Encrypts a specific file or directory
• It encrypts fixed, removable, and network drives.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• bootfont.bin
• boot.ini
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• Contact Us.txt

It avoids encrypting files with the following strings in their file path:

• perflogs
• appdata
• $windows.~bt
• windows.old
• $windows.~ws
• msocache
• mozilla
• tor browser
• $recycle.bin
• windows
• windows nt
• intel
• all users
• internet explorer
• default
• boot
• system volume information
• config.msi
• google

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.locked

It drops the following file(s) as ransom note:

• {Encrypted Directory}\Contact Us.txt
• {Drive}:\Contact Us.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• shs
• spl
• sys
• theme
• themepack
• wpx