Ransom.Win32.RTMCOMMAND.THKBFBD

This ransomware encrypts all drives except the CD-ROM.

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\img{3 Random Characters}.tmp

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\cmd.exe" /c PING -n 5 127.0.0.1 > NUL && del "{Malware Full Path}" → deletes itself

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\img{3 Random Characters}.tmp

Process Termination

This Ransomware terminates the following services if found on the affected system:

• vss
• sql
• svc$
• memtas
• mepocs
• sophos
• veeam
• backup
• GxVss
• GxBlr
• GxFWD
• GxCVD
• GxCIMgr
• DefWatch
• ccEvtMgr
• ccSetMgr
• SavRoam
• RTVscan
• QBFCService
• QBIDPService
• Intuit
• QuickBooks
• FCS
• QBCFMonitorService
• YooBackup
• YooIT
• zhudongfangyu
• stc_raw_agent
• VSNAPVSS
• VeeamTransportSvc
• VeeamDeploymentService
• VeeamNFSSvc
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• AcrSch2Svc
• AcronisAgent
• CASAD2DWebSvc
• CAARCUpdateSvc

It terminates the following processes if found running in the affected system's memory:

• sql.exe
• oracle.exe
• ocssd.exe.
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• firefox.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• notepad.exe

Other Details

This Ransomware does the following:

• It encrypts all available drives except CDROM
• It does not encrypt files with filesize below 512 Bytes
• It can only encrypt up to 8000 bytes of content only
• Empties Recycle Bin
• If not executed with admins rights, it will relaunch itself as admin using this command:
  
  • %System%\cmd.exe /c ECHO “You must restart the program to resolve a critical error” && start”” ” %System Root%\{Malware Full path}.exe”
• Clear event logs for the following:
  
  • System
  • Application
  • Security

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

It accepts the following parameters:

• -debug: Display debug information

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• windows
• appdata
• application data
• boot
• google
• mozilla
• program files
• program files (x86)
• program data
• system volume information
• tor browser
• windows.old
• intel
• msocache
• perflogs
• x64dbg
• public
• all users
• default

It drops the following file(s) as ransom note:

• {Encrypted Directory}\How To Restore Your Files.txt