Ransom.MSIL.SMINAJ.THCOFBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops and executes the following files:

• %User Temp%\{6 Random Characters}.bat → used to delete the Ransomware sample and this batch file

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• vssadmin.exe Delete Shadows /All /Quiet
• bcdedit.exe /set {default} recoveryenabled No
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• wbadmin DELETE SYSTEMSTATEBACKUP
• wbadmin DELETE sYSTEMSTATEBACKUP-deleteOldest
• wmic.exe SHADOWCOPY /nointeractive
• wevtutil.exe cl "{Logname}" → clears event logs
  Lognames:
  • ACEEventLog
  • Application
  • HardwareEvents
  • Internet Explorer
  • Key Management Service
  • Media Center
  • Microsoft-Windows-API-Tracing/Operational
  • Microsoft-Windows-AppID/Operational
  • Microsoft-Windows-Application-Experience/Problem-Steps-Recorder
  • Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
  • Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
  • Microsoft-Windows-Application-Experience/Program-Inventory
  • Microsoft-Windows-Application-Experience/Program-Telemetry
  • Microsoft-Windows-AppLocker/EXE and DLL
  • Microsoft-Windows-AppLocker/MSI and Script
  • Microsoft-Windows-Audio/CaptureMonitor
  • Microsoft-Windows-Audio/Operational
  • Microsoft-Windows-Authentication User Interface/Operational
  • Microsoft-Windows-Backup
  • Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
  • Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
  • Microsoft-Windows-Bits-Client/Operational
  • Microsoft-Windows-Bluetooth-MTPEnum/Operational
  • Microsoft-Windows-BranchCache/Operational
  • Microsoft-Windows-BranchCacheSMB/Operational
  • Microsoft-Windows-CodeIntegrity/Operational
  • Microsoft-Windows-CorruptedFileRecovery-Client/Operational
  • Microsoft-Windows-CorruptedFileRecovery-Server/Operational
  • Microsoft-Windows-DateTimeControlPanel/Operational
  • Microsoft-Windows-DeviceSync/Operational
  • Microsoft-Windows-Dhcp-Client/Admin
  • Microsoft-Windows-DhcpNap/Admin
  • Microsoft-Windows-Dhcpv6-Client/Admin
  • Microsoft-Windows-Diagnosis-DPS/Operational
  • Microsoft-Windows-Diagnosis-PCW/Operational
  • Microsoft-Windows-Diagnosis-PLA/Operational
  • Microsoft-Windows-Diagnosis-Scheduled/Operational
  • Microsoft-Windows-Diagnosis-Scripted/Admin
  • Microsoft-Windows-Diagnosis-Scripted/Operational
  • Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
  • Microsoft-Windows-Diagnostics-Networking/Operational
  • Microsoft-Windows-Diagnostics-Performance/Operational
  • Microsoft-Windows-DiskDiagnostic/Operational
  • Microsoft-Windows-DiskDiagnosticDataCollector/Operational
  • Microsoft-Windows-DiskDiagnosticResolver/Operational
  • Microsoft-Windows-DriverFrameworks-UserMode/Operational
  • Microsoft-Windows-EapHost/Operational
  • Microsoft-Windows-EventCollector/Operational
  • Microsoft-Windows-Fault-Tolerant-Heap/Operational
  • Microsoft-Windows-FMS/Operational
  • Microsoft-Windows-Folder Redirection/Operational
  • Microsoft-Windows-Forwarding/Operational
  • Microsoft-Windows-GroupPolicy/Operational
  • Microsoft-Windows-Help/Operational
  • Microsoft-Windows-HomeGroup Control Panel/Operational
  • Microsoft-Windows-HomeGroup Listener Service/Operational
  • Microsoft-Windows-HomeGroup Provider Service/Operational
  • Microsoft-Windows-IKE/Operational
  • Microsoft-Windows-International/Operational
  • Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
  • Microsoft-Windows-Iphlpsvc/Operational
  • Microsoft-Windows-Kernel-EventTracing/Admin
  • Microsoft-Windows-Kernel-Power/Thermal-Operational
  • Microsoft-Windows-Kernel-StoreMgr/Operational
  • Microsoft-Windows-Kernel-WDI/Operational
  • Microsoft-Windows-Kernel-WHEA/Errors
  • Microsoft-Windows-Kernel-WHEA/Operational
  • Microsoft-Windows-Known Folders API Service
  • Microsoft-Windows-LanguagePackSetup/Operational
  • Microsoft-Windows-MCT/Operational
  • Microsoft-Windows-MemoryDiagnostics-Results/Debug
  • Microsoft-Windows-MUI/Admin
  • Microsoft-Windows-MUI/Operational
  • Microsoft-Windows-NCSI/Operational
  • Microsoft-Windows-NetworkAccessProtection/Operational
  • Microsoft-Windows-NetworkAccessProtection/WHC
  • Microsoft-Windows-NetworkLocationWizard/Operational
  • Microsoft-Windows-NetworkProfile/Operational
  • Microsoft-Windows-NlaSvc/Operational
  • Microsoft-Windows-NTLM/Operational
  • Microsoft-Windows-OfflineFiles/Operational
  • Microsoft-Windows-ParentalControls/Operational
  • Microsoft-Windows-PeopleNearMe/Operational
  • Microsoft-Windows-PowerShell/Operational
  • Microsoft-Windows-PrintService/Admin
  • Microsoft-Windows-ReadyBoost/Operational
  • Microsoft-Windows-ReadyBoostDriver/Operational
  • Microsoft-Windows-Recovery/Operational
  • Microsoft-Windows-ReliabilityAnalysisComponent/Operational
  • Microsoft-Windows-RemoteApp and Desktop Connections/Admin
  • Microsoft-Windows-RemoteAssistance/Admin
  • Microsoft-Windows-RemoteAssistance/Operational
  • Microsoft-Windows-Resource-Exhaustion-Detector/Operational
  • Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
  • Microsoft-Windows-Resource-Leak-Diagnostic/Operational
  • Microsoft-Windows-RestartManager/Operational
  • Microsoft-Windows-Security-Audit-Configuration-Client/Operational
  • Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
  • Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  • Microsoft-Windows-TerminalServices-PnPDevices/Admin
  • Microsoft-Windows-TerminalServices-PnPDevices/Operational
  • Microsoft-Windows-TerminalServices-RDPClient/Operational
  • Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  • Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  • Microsoft-Windows-TZUtil/Operational
  • Microsoft-Windows-UAC/Operational
  • Microsoft-Windows-UAC-FileVirtualization/Operational
  • Microsoft-Windows-User Profile Service/Operational
  • Microsoft-Windows-VDRVROOT/Operational
  • Microsoft-Windows-VHDMP/Operational
  • Microsoft-Windows-WER-Diag/Operational
  • Microsoft-Windows-WFP/Operational
  • Microsoft-Windows-Windows Defender/Operational
  • Microsoft-Windows-Windows Defender/WHC
  • Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity
  • Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
  • Microsoft-Windows-WindowsBackup/ActionCenter
  • Microsoft-Windows-WindowsSystemAssessmentTool/Operational
  • Microsoft-Windows-WindowsUpdateClient/Operational
  • Microsoft-Windows-Winlogon/Operational
  • Microsoft-Windows-WinRM/Operational
  • Microsoft-Windows-Winsock-WS2HELP/Operational
  • Microsoft-Windows-Wired-AutoConfig/Operational
  • Microsoft-Windows-WLAN-AutoConfig/Operational
  • Microsoft-Windows-WPD-ClassInstaller/Operational
  • Microsoft-Windows-WPD-CompositeClassDriver/Operational
  • Microsoft-Windows-WPD-MTPClassDriver/Operational
  • ODiag
  • OSession
  • Security
  • Setup
  • System
  • Windows PowerShell

It creates the following folders:

• %Public%\Windows\Ui

(Note: %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• postg
• mysql
• sqls
• sqlw
• onenote
• outlook
• exchange
• visio
• oracle
• powerpnt
• mydesk
• excel
• word
• vivo

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .wim
• .dmp
• .myo
• .fdb
• .key
• .kdbx
• .prc
• .arw
• .sv2i
• .v2i
• .xva
• .tm
• .rec
• .mts
• .MTS
• .frm
• .myi
• .vhdx
• .rdpv
• .ezip
• .sshv
• .edb
• .bco
• .vbm
• .vbk
• .vib
• .img
• .7z
• .aac
• .accdb
• .accde
• .accdr
• .accdt
• .adt
• .adts
• .aif
• .aifc
• .aiff
• .asp
• .aspx
• .avi
• .bak
• .bmp
• .cda
• .classpath
• .cpp
• .cs
• .csv
• .dart
• .dat
• .dif
• .doc
• .docm
• .docx
• .dot
• .dotx
• .eml
• .eps
• .flv
• .gitignore
• .go
• .gz
• .h
• .htm
• .html
• .ibd
• .java
• .jpeg
• .jpg
• .js
• .json
• .jsp
• .kt
• .lua
• .m4a
• .mdb
• .mdf
• .ldf
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .myd
• .pdf
• .php
• .pl
• .png
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsx
• .ppt
• .pptm
• .project
• .psd
• .pst
• .pub
• .py
• .rar
• .rb
• .rs
• .rtf
• .scala
• .sh
• .sldm
• .sldx
• .sql
• .svn
• .swf
• .swift
• .tar
• .vb
• .vob
• .vsd
• .vsdm
• .vsdx
• .vss
• .vssm
• .vst
• .vstm
• .vstx
• .wav
• .wbk
• .wks
• .wma
• .wmd
• .wms
• .wmv
• .wmz
• .wp5
• .wpd
• .xla
• .xlam
• .xls
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xps
• .mxf
• .3g2
• .3gp
• .7z
• .aac
• .ac3
• .aep
• .aepx
• .aet
• .aif
• .aifc
• .aiff
• .amr
• .ape
• .arc
• .arj
• .asf
• .asp
• .aspx
• .asx
• .au
• .avi
• .b64
• .bat
• .bh
• .bmp
• .btoa
• .bz2
• .c
• .cab
• .caf
• .cda
• .CDDA
• .cdr
• .cfg
• .chm
• .cpp
• .cpt
• .cptx
• .cr2
• .csh
• .css
• .csv
• .cue
• .dat
• .db
• .dbf
• .dds
• .deb
• .divx
• .dmg
• .doc
• .docx
• .dot
• .dotx
• .dpx
• .dss
• .dst
• .dts
• .dv
• .DWG
• .dwg
• .dxf
• .eac3
• .eml
• .eps
• .flac
• .fli
• .flv
• .gif
• .gz
• .gzip
• .hqx
• .htm
• .html
• .iff
• .indd
• .iso
• .jar
• .java
• .jpeg
• .jpg
• .js
• .json
• .jsp
• .jspx
• .kdc
• .log
• .ltx
• .m2a
• .m2v
• .m3u
• .m4a
• .m4b
• .m4p
• .m4r
• .m4v
• .max
• .md
• .mdb
• .mef
• .mht
• .mhtml
• .mid
• .MIDI
• .midi
• .mjs
• .mkv
• .mov
• .mp2
• .mp3
• .mp4
• .mpc
• .mpeg
• .mpg
• .mrw
• .msv
• .nb
• .nef
• .nrw
• .odb
• .odf
• .odg
• .odp
• .ods
• .odt
• .ogg
• .ogm
• .ogv
• .oma
• .omg
• .opus
• .orf
• .ost
• .otf
• .pac
• .pages
• .pb
• .pbk
• .pcast
• .pdf
• .pef
• .php
• .pl
• .pls
• .png
• .ppt
• .pptx
• .ps
• .psd
• .PST
• .pst
• .pub
• .pva
• .py
• .qt
• .ra
• .ram
• .rar
• .raw
• .rb
• .rm
• .rmi
• .rmvb
• .rtf
• .rw2
• .rwl
• .shtml
• .snd
• .spx
• .sql
• .srf
• .srt
• .svg
• .swf
• .tar
• .tbk
• .tex
• .TGA
• .tga
• .tgz
• .thd
• .tif
• .tiff
• .tivo
• .torrent
• .tp
• .ts
• .tta
• .ttf
• .txt
• .vob
• .voc
• .vp6
• .vp7
• .vsd
• .w64
• .wav
• .wbmp
• .webm
• .webp
• .wma
• .wmf
• .wmv
• .woff
• .wpd
• .wpl
• .wps
• .wtv
• .x3f
• .xa
• .xcf
• .xhtml
• .xla
• .xlam
• .xls
• .xlsx
• .xm
• .xmp
• .xpi
• .zip

It avoids encrypting files with the following strings in their file name:

• .lsoc
• un-lock

It avoids encrypting files with the following strings in their file path:

• Program Files
• ProgramData
• Windows
• PerfLogs
• recovery
• Recycle
• $

It appends the following extension to the file name of the encrypted files:

• .lsoc

It drops the following file(s) as ransom note:

• %Public%\Windows\Ui\un-lock your files.html → file attribute set to HIDDEN | SYSTEM
• %User Startup%\un-lock your files.html
• %Desktop%\un-lock your files.html
• %Start Menu%\un-lock your files.html
• {Encrypted Drive}:\un-lock your files.html