Ransom.Win32.SEKHMET.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information. However, as of this writing, the said sites are inaccessible.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %ProgramData%\syscfg.db
• {Encrypted Directory}\{8 random characters}.lnk -> deleted afterwards

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{16 characters}

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• sqlservr.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• sqlservr.exe
• thebat.exe
• steam.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• QBW32.exe
• QBW64.exe
• ipython.exe
• wpython.exe
• python.exe
• dumpcap.exe
• procmon.exe
• procmon64.exe
• procexp.exe
• procexp64.exe

Other Details

This Ransomware connects to the following website to send and receive information:

• {BLOCKED}.{BLOCKED}.126.81
• {BLOCKED}.{BLOCKED}.126.82
• {BLOCKED}.{BLOCKED}.126.83
• {BLOCKED}.{BLOCKED}.126.84
• {BLOCKED}.{BLOCKED}.126.85
• {BLOCKED}.{BLOCKED}.126.86
• {BLOCKED}.{BLOCKED}.126.87
• {BLOCKED}.{BLOCKED}.126.88
• {BLOCKED}.{BLOCKED}.126.89

It does the following:

• It gathers the following information:
  • Product Name
  • Display Name
  • Drive Info
  • AV Info
  • Computer Name
  • User Name
  • Machine GUID
• It encrypts all available drives including network drives.
• It gathers the following Environment Variable values:
  • ALLUSERSPROFILE
  • APPDATA
  • CommonProgramFiles
  • COMPUTERNAME
  • Comspec
  • FP_NO_HOST_CHECK
  • HOMEDRIVE
  • HOMEPATH
  • LOCALAPPDATA
  • LOGONSERVER
  • NUMBER_OF_PROCESSORS
  • OS
  • Path
  • PROCESSOR_ARCHITECTURE
  • PROCESSOR_IDENTIFIER
  • PROCESSOR_LEVEL
  • PROCESSOR_REVISION
  • ProgramData
  • ProgramFiles
  • PSModulePath
  • PUBLIC
  • SESSIONNAME
  • SystemDrive
  • SystemRoot
  • TEMP
  • TMP
  • USERDOMAIN
  • USERNAME
  • USERPROFILE
  • windir
  • windows_tracing_flags
  • windows_tracing_logfile

However, as of this writing, the said sites are inaccessible.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• desktop.ini
• ntuser.dat
• iconcache.db
• bootsect.bak
• ntuser.dat.log
• thumbs.db
• Bootfont.bin

It avoids encrypting files with the following strings in their file path:

• \Windows
• \Program Files
• \Program Data
• \Tor Browser
• \cache2\entries
• \Low\Content IE5\
• \User Data\Default\Cache
• \All Users

It renames encrypted files using the following names:

• {Encrypted Directory}\{Encrypted file}.{Random characters}

It drops the following file(s) as ransom note:

• {Encrypted Directory}\RECOVER-FILES.txt
  
  

It avoids encrypting files with the following file extensions:

• sys
• exe
• dll
• lnk