Ransom_FILESLOCKER.THAABGAH

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

Other System Modifications

This Ransomware sets the system's desktop wallpaper to the following image:

• %Desktop%\WallPaper.bmp
  

Download Routine

This Ransomware accesses the following websites to download files:

• http://{BLOCKED}e.co.nz/i/bltujirf.pto.bmp

It saves the files it downloads using the following names:

• %Desktop%\WallPaper.bmp

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista, 7, and 8.)

Other Details

This Ransomware encrypts files with the following extensions:

• .gif
• .apk
• .groups
• .hdd
• .hpp
• .log
• .m2ts
• .m4p
• .mkv
• .mpeg
• .epub
• .yuv
• .ndf
• .nvram
• .ogg
• .ost
• .pab
• .pdb
• .pif
• .png
• .qed
• .qcow
• .otp
• .s3db
• .qcow2
• .rvt
• .st7
• .stm
• .vbox
• .vdi
• .vhd
• .vhdx
• .vmdk
• .vmsd
• .psafe3
• .vmx
• .vmxf
• .3fr
• .3pr
• .ab4
• .accde
• .accdr
• .accdt
• .ach
• .acr
• .sd0
• .sxw
• .adb
• .advertisements
• .agdl
• .ait
• .apj
• .asm
• .awg
• .back
• .backup
• .sti
• .oil
• .backupdb
• .bay
• .bdb
• .bgt
• .bik
• .bpw
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .ycbcra
• .cdrw
• .ce1
• .ce2
• .cib
• .craw
• .crw
• .csh
• .csl
• .db_journal
• .dc2
• .pptm
• .dcs
• .ddoc
• .ddrw
• .der
• .des
• .dgc
• .djvu
• .dng
• .drf
• .eml
• .ppt
• .erbsql
• .erf
• .exf
• .ffd
• .fh
• .fhd
• .flp
• .gray
• .grey
• .gry
• .hbk
• .ibd
• .7z
• .ibz
• .iiq
• .incpas
• .jpe
• .kc2
• .kdbx
• .kdc
• .kpdx
• .ldf
• .lua
• .mdc
• .mdf
• .mef
• .config
• .mfw
• .mmw
• .mny
• .mrw
• .myd
• .ndd
• .nef
• .nk2
• .nop
• .vb
• .vip
• .vbs
• .sln
• .dxg
• .bat
• .cmd
• .jar
• .c4d
• .ape
• .nrw
• .ns2
• .ns3
• .ldf
• .ns4
• .nwb
• .nx2
• .nxl
• .nyf
• .odb
• .odf
• .odg
• .odm
• .orf
• .otg
• .oth
• .py
• .ots
• .ott
• .p12
• .p7b
• .p7c
• .pdd
• .pem
• .plus_muhd
• .plc
• .pot
• .pptx
• .py
• .qba
• .qbr
• .qbw
• .qbx
• .qby
• .raf
• .rat
• .raw
• .rdb
• .rwl
• .rwz
• .conf
• .sda
• .sdf
• .sqlite
• .sqlite3
• .sqlitedb
• .sr2
• .srf
• .srw
• .st5
• .st8
• .std
• .stx
• .sxd
• .sxg
• .sxi
• .sxm
• .tex
• .wallet
• .wb2
• .wpd
• .x11
• .x3f
• .xis
• .ARC
• .contact
• .dbx
• .doc
• .docx
• .jnt
• .jpg
• .msg
• .oab
• .ods
• .pdf
• .pps
• .ppsm
• .prf
• .pst
• .rar
• .rtf
• .txt
• .wab
• .xls
• .xlsx
• .xml
• .zip
• .1cd
• .3ds
• .3g2
• .7zip
• .accdb
• .aoi
• .asf
• .asp
• .aspx
• .asx
• .avi
• .bak
• .cer
• .cfg
• .class
• .cs
• .css
• .csv
• .db
• .dds
• .dwg
• .dxf
• .flf
• .flv
• .html
• .idx
• .js
• .key
• .kwm
• .laccdb
• .lit
• .m3u
• .mbx
• .md
• .mdf
• .mid
• .mlb
• .mov
• .mp3
• .mp4
• .mpg
• .obj
• .odt
• .pages
• .php
• .psd
• .pwm
• .rm
• .safe
• .sav
• .save
• .sql
• .srt
• .swf
• .thm
• .vob
• .wav
• .wma
• .wmv
• .xlsb
• .3dm
• .aac
• .ai
• .arw
• .c
• .cdr
• .cls
• .cpi
• .cpp
• .cs
• .db3
• .docm
• .dot
• .dotm
• .dotx
• .drw
• .dxb
• .eps
• .fla
• .flac
• .fxg
• .java
• .jtp
• .m
• .m4v
• .max
• .mdb
• .pcd
• .pct
• .pl
• .potm
• .potx
• .ppam
• .ppsm
• .ppsx
• .pptm
• .ps
• .r3d
• .rw2
• .sldm
• .sldx
• .svg
• .tga
• .wps
• .xla
• .xlam
• .xlm
• .xlr
• .xlsm
• .xlt
• .xltm
• .xltx
• .xlw
• .act
• .adp
• .al
• .dip
• .docb
• .frm
• .gpg
• .jsp
• .lay
• .lay6
• .m4u
• .mml
• .myi
• .onetoc2
• .PAQ
• .ps1
• .sch
• .slk
• .snt
• .suo
• .tgz
• .tif
• .tiff
• .txt
• .uop
• .uot
• .vcd
• .wk1
• .wks
• .xlc

It does the following:

• After encrypting it connects to the following URL(s):
  https://{BLOCKED}er.org/2vMGg5
  • That will redirect and display the following:
    http://image.{BLOCKED}r.com/image/8HOoBEyeRDSNF8QbtaoD0A.png
    
• Displays a message after encrypting files:
  

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• %All Drives% ← Except System Drive, it only encrypts files on the following folders found in System Dive:
  • %Desktop%
  • %Favorites%
  • %All Users Profile%
  • %User Profile%
  • %User Profile%\Desktop
  • %User Profile%\Documents
  • %User Profile%\Downloads
  • %User Profile%\Pictures
  • %User Profile%\Music
  • %User Profile%\Searches
  • %User Profile%\Videos
  • %System Root%\Users
  • %AppDataLocal%\Microsoft\Windows\History

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local on Windows Vista, 7, and 8.)

It appends the following extension to the file name of the encrypted files:

• .[fileslocker@{BLOCKED}m.me]

It drops the following file(s) as ransom note:

• %Desktop%\#解密我的文件#.txt
• {All Drives}\#解密我的文件#.txt
  
• {All Drives}\#DECRYPT MY FILES#.txt
• %Desktop%\#DECRYPT MY FILES#.txt