RANSOM_HAKUNA.RA
Ransom:Win32/Haknata(Microsoft)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Dropped by other malware, Downloaded from the Internet
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It is capable of encrypting files in the affected system.
TECHNICAL DETAILS
1,427,968 bytes
No
03 Apr 2017
Terminates processes, Displays message/message boxes, Encrypts files
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops the following files:
- {folder of encrypted files}\Recovers files yako.html ← ransom note
Autostart Technique
This Ransomware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Timon and Pumbaa = “{malware path and name} supermetroidrules”
Other Details
This Ransomware renames encrypted files using the following names:
- {original file name}.HakunaMatata
It does the following:
- It encrypts files in all available drives and network shares.
- It stops certain services by executing the following commands:
- WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%BACKP%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%Exchange%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%Firebird%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%MSSQL%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%SBS%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%SQL%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%SharePoint%'CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%postgresql%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%tomcat%'' CALL STOPSERVICE
- WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL ChangeStartMode 'Disabled'
- WMIC SERVICE WHERE 'caption LIKE '%wsbex%'' CALL STOPSERVICE
- net stop MSSQLSERVER
- net stop postgresql-9.0
- net stop FirebirdServerDefaultInstance
- net stop MSExchangeAB
- net stop MSExchangeADTopology
- net stop MSExchangeAntispamUpdate
- net stop MSExchangeEdgeSync
- net stop MSExchangeFBA
- net stop MSExchangeIS
- net stop MSExchangeImap4
- net stop MSExchangeMailSubmission
- net stop MSExchangeMailboxAssistants
- net stop MSExchangeMailboxReplication
- net stop MSExchangeMonitoring
- net stop MSExchangePop3
- net stop MSExchangeProtectedServiceHost
- net stop MSExchangeRPC
- net stop MSExchangeRepl
- net stop MSExchangeSA
- net stop MSExchangeSearch
- net stop MSExchangeServiceHost
- net stop MSExchangeThrottling
- net stop MSExchangeTransport
- net stop MSExchangeTransportLogSearch
- net stop MSSQL$SQLEXPRESS
- net stop wsbexchange
- sc config FirebirdServerDefaultInstance start= disabled
- sc config MSExchangeAB start= disabled
- sc config MSExchangeADTopology start= disabled
- sc config MSExchangeAntispamUpdate start= disabled
- sc config MSExchangeEdgeSync start= disabled
- sc config MSExchangeFBA start= disabled
- sc config MSExchangeFDS start= disabled
- sc config MSExchangeIS start= disabled
- sc config MSExchangeImap4 start= disabled
- sc config MSExchangeMailSubmission start= disabled
- sc config MSExchangeMailboxAssistants start= disabled
- sc config MSExchangeMailboxReplication start= disabled
- sc config MSExchangeMonitoring start= disabled
- sc config MSExchangePop3 start= disabled
- sc config MSExchangeProtectedServiceHost start= disabled
- sc config MSExchangeRPC start= disabled
- sc config MSExchangeRepl start= disabled
- sc config MSExchangeSA start= disabled
- sc config MSExchangeSearch start= disabled
- sc config MSExchangeServiceHost start= disabled
- sc config MSExchangeThrottling start= disabled
- sc config MSExchangeTransport start= disabled
- sc config MSExchangeTransportLogSearch start= disabled
- sc config MSSQL$SQLEXPRESS start= disabled
- sc config MSSQLSERVER start= disabled
- sc config postgresql-9.0 start= disabled
- sc config wsbexchange start= disabled
- It delets shadow copies by executing the following commands:
- vssadmin.exe Delete Shadows /All /Quiet
- It terminates the following process by executing the following commands:
- taskkill /IM fb_inet_server.exe /F
- taskkill /IM pg_ctl.exe /F
- taskkill /IM sqlservr.exe /F
- It executes the following command to clear events logs:
- wevtutil cl Application
- wevtutil cl security
- wevtutil cl setup
- wevtutil cl system
- It avoids encrypting files with the following strings:
- *.exe
- *.dll
- *.lnk
- *.bat
- *.ini
- *.msi
- *.scf
- *pagefile.sys*
- *NTUSER.DAT*
- *Atheros*
- *Realtek*
- *bootmgr*
- *boot*
- *boot*
- *CONFIG.SYS*
- *IO.SYS*
- *MSDOS.SYS*
- *NTDETECT.COM*
- *ntldr*
- *chrome*
- *opera*
- *firefox*
- *AppData*
- *\winrar\*
- *\Internet Explorer\*
- *\java\*
- *\TeamViewer\*
- *\windows\*
- *\ESET\*
- *\AVG\*
- *\AVIRA\*
- *\AVAST Software\*
It is capable of encrypting files in the affected system.
NOTES:
The dropped ransom note contains the following:
SOLUTION
9.850
13.309.50
30 Mar 2017
13.310.00
31 Mar 2017
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Timon and Pumbaa = “{malware path and name} supermetroidrules”
- Timon and Pumbaa = “{malware path and name} supermetroidrules”
Step 5
Search and delete these files
- {folder of encrypted files}\Recovers files yako.html
Step 6
Restart in normal mode and scan your computer with your Trend Micro product for files detected as RANSOM_HAKUNA.RA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 7
Restore encrypted files from backup.
Did this description help? Tell us how we did.