Ransom.Linux.KUIPER.THAAHBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Ransomware does the following:

• It prints the number of processors and execution logs to the console.
  
• It checks if the file size is greater than 4,493,148,150 bytes. Only a certain percentage of the file will be encrypted.
• It checks if the file extension is any of the following. These files will be encrypted in its entirety regardless of the file size.
  • .sql
  • .txt
  • .db
  • .json

It accepts the following parameters:

• -help → Displays the help menu.
• -kill {yes|no} → Kill loop for taskmgr, cmd, regedit, powershell. (Default: no)
• -note {yes|no} → Paste note after directory change and encryption. (Default: yes)
• -p {path} → Target folder to encrypt files
• -reboot {yes|no} → Reboot after end encryption of all files or disks. (Default: yes)
• -rename {yes|no} → Rename file after encryption. (Default: yes)
• -bm {yes|no} → Encrypt big files first (Default: yes)

Ransomware Routine

This Ransomware avoids encrypting files found in the following folders:

• /bin
• /boot
• /dev
• /etc
• /initrd
• /lib
• /lib64
• /libx32
• /opt
• /proc
• /root
• /run
• /sbin
• /srv
• /sys
• /tmp
• /usr/
• /var

It appends the following extension to the file name of the encrypted files:

• .kuiper

It drops the following file(s) as ransom note:

• {Encrypted directory}\README_TO_DECRYPT.txt
  

It avoids encrypting files with the following file extensions:

• .bak
• .bat
• .bin
• .blf
• .cfg
• .cmd
• .com
• .dat
• .dll
• .elf
• .exe
• .ini
• .lnk
• .msi
• .rtf
• .sys
• .tmp