Ransom.Win32.PHOBOS.JSHSMR

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %AppDataLocal%\{Malware Filename}.exe

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• netsh advfirewall set currentprofile state off
• netsh firewall set opmode mode=disable
• "%System%\mshta.exe" "%Desktop%\info.hta"
• "%System%\mshta.exe" "%Public%\Desktop\info.hta"

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\<>{Volume Serial Number}00000000
• Global\<>{Volume Serial Number}00000001

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware Filename} = %AppDataLocal%\{Malware Filename}.exe

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware Filename} = %AppDataLocal%\{Malware Filename}.exe

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\{Malware Filename}.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

It drops the following file(s) in the Windows Common Startup folder to enable its automatic execution at every system startup:

• %Common Startup%\{Malware Filename}.exe

(Note: %Common Startup% is the startup folder for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• excel.exe
• firefoxconfig.exe
• infopath.exe
• isqlplussvc.exe
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld-nt.exe
• mysqld-opt.exe
• mysqld.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• xfssvccon.exe

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• info.hta
• info.txt
• boot.ini
• bootfont.bin
• ntldr
• ntdetect.com
• iosys
• {Malware Filename}

It avoids encrypting files found in the following folders:

• %Windows%
• %All Users Profile%\microsoft\windows\caches
• %System Root%\Users\admin\microsoft\windows\caches

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It appends the following extension to the file name of the encrypted files:

• {Filename with extension}.id[{Volume Serial Number}-{Generated ID}].[{BLOCKED}ink@aol.com].Caleb

It drops the following file(s) as ransom note:

• %Desktop%\info.hta
• %Public%\Desktop\info.hta
  
• %Desktop%\info.txt
• %Public%\Desktop\info.txt
  

It avoids encrypting files with the following file extensions:

• .4dd
• .4dl
• .abs
• .abx
• .accdb
• .accdc
• .accde
• .adb
• .adf
• .ckp
• .db
• .db-journal
• .db-shm
• .db-wal
• .db2
• .db3
• .dbc
• .dbf
• .dbs
• .dbt
• .dbv
• .dcb
• .dp1
• .eco
• .edb
• .epim
• .fcd
• .fdb
• .gdb
• .ldf
• .mdb
• .mdf
• .myd
• .ndf
• .nwdb
• .nyf
• .sql
• .sqlite
• .sqlite3
• .sqlitedb
• .actin
• .acton
• .actor
• .acuff
• .acuna
• .acute
• .adage
• .adair
• .adame
• .banhu
• .banjo
• .banks
• .banta
• .barak
• .bbc
• .blend
• .bqux
• .caleb
• .cales
• .caley
• .calix
• .calle
• .calum
• .calvo
• .capital
• .com
• .ddos
• .deuce
• .dever
• .devil
• .devoe
• .devon
• .devos
• .dewar
• .eight
• .eject
• .eking
• .elbie
• .elbow
• .elder
• .help
• .karlos
• .karma
• .mamba
• .phobos
• .phoenix
• .plut
• .wallet