Ransom.Win32.HELDOWN.THJAGBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %ProgramData%\xx.ico
• %ProgramData%\1.bat

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following processes:

• cmd /c wmic shadowcopy delete /noninteractive
• cmd /c "vssadmin Delete Shadows /All /Quiet"
• cmd /c %ProgramData%\1.bat
• ping 127.0.0.1 -n 2
• taskkill /f /im sql*
• taskkill /f /im oracle*
• taskkill /f /im mysq*
• taskkill /f /im veeam*
• taskkill /f /im firefox*
• taskkill /f /im excel*
• taskkill /f /im msaccess*
• taskkill /f /im onenote*
• taskkill /f /im outlook*
• taskkill /f /im powerpnt*
• taskkill /f /im winword*
• taskkill /f /im wuauclt*
• cmd /c "taskkill /f /im cmd.exe & taskkill /f /im conhost.exe"
• cmd /c "ping 127.0.0.1 & del %ProgramData%\1.bat & del {Malware File Path}\{Malware File Name} & shutdown -r -f -t 0"

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\Classes\.uQlf
(Default) = uQlfIcon

HKEY_LOCAL_MACHINE\Classes\uQlfIcon\
DefaultIcon
(Default) = %ProgramData%\xx.ico

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\Classes
uQlfIcon =

HKEY_LOCAL_MACHINE\Classes
.uQlf =

Process Termination

This Ransomware terminates the following services if found on the affected system:

• backup
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• memtas
• mepocs
• msexchange
• sophos
• sql
• svc$
• veeam
• vss

It terminates the following processes if found running in the affected system's memory:

• excel
• firefox
• msaccess
• mysq
• onenote
• oracle
• outlook
• powerpnt
• veeam
• winword
• wuauclt

Other Details

This Ransomware encrypts files with the following extensions:

• .ldf
• .mdf
• .pko
• Extensions not in the whitelist

It does the following:

• It changes the encrypted file icon to the following image:
  
• It encrypts network shares.

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• Program Files\Microsoft SQL Server
• Program Files (x86)\Microsoft SQL Server
• Folders not in the whitelist

It avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootmgr
• bootsect.bak
• d3d9caps.dat
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files with the following strings in their file path:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• appdata
• boot
• config.msi
• default
• inetpub
• intel
• microsoft
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It appends the following extension to the file name of the encrypted files:

• .uQlf

It drops the following file(s) as ransom note:

• {Encrypted Path}\Readme.uQlf.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .AlHOqPJT
• .ani
• .azGOWrO
• .bat
• .bfKPKp
• .bin
• .BNNAlE
• .BodtTcy
• .bSzsD
• .BUWSMiK
• .cab
• .CDPhao
• .CgoPb
• .cKFNxjY
• .ckyxN
• .CKzE
• .cmd
• .com
• .cpl
• .CQeew
• .cur
• .DdfoPwvC
• .DEjmSDQe
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .dll
• .dMOAgi
• .dmwe
• .drv
• .DuWP
• .eiowF
• .EKhdzKM
• .eObbg
• .euBqJW
• .eucHUnd
• .exe
• .exTln
• .fHAJkKFD
• .fHrjx
• .fNar
• .FpnUh
• .fXtM
• .Gatpya
• .GbaI
• .GCNcYE
• .GGFtMd
• .gHefG
• .GhXRL
• .GVcIyr
• .gxEuSv
• .HGjAB
• .HgsVQnUC
• .HhWtbN
• .HKTyQ
• .hlp
• .hta
• .huABnaK
• .ibsewNOI
• .icl
• .icns
• .ico
• .ics
• .iCSkVcP
• .idx
• .ipST
• .ISkoqBz
• .iykIj
• .izfvNIo
• .JaImV
• .JhrCrk
• .jjcXWfnl
• .key
• .KIXsYv
• .kRDsqM
• .kRsYZJyQ
• .LENNw
• .liNjEEj
• .lnk
• .lock
• .LZJK
• .LzwE
• .MBhSH
• .mDGs
• .MjVAzUB
• .mod
• .MooOzu
• .mpa
• .mRTanA
• .MRVpcx
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nbhtRyt
• .NbKCPV
• .niSsKNWX
• .nls
• .NlSdI
• .nomedia
• .NScx
• .NWvlhq
• .nWzO
• .OBEEmY
• .ocx
• .Oyfx
• .pdb
• .POrcRK
• .prf
• .ps1
• .Puolu
• .pxtrbnaJ
• .QHMSXf
• .qmoTzFmD
• .QScYYgTO
• .QtJeWT
• .QTTiDhUZ
• .QypnyNT
• .RHlRYeu
• .RlaXjvjK
• .RLpYbR
• .RMkWTRw
• .Rnif
• .rom
• .RQJGa
• .rtp
• .ruIskqo
• .RvXHag
• .sAsVu
• .scpOg
• .scr
• .search-ms
• .shs
• .SKAw
• .spl
• .srem
• .sthOKQU
• .SUaLl
• .sys
• .tblnocn
• .theme
• .themepack
• .tnrKjo
• .TwqMEzmf
• .UNEzGdSD
• .UpPLjwr
• .uQlf
• .uvbg
• .uZjKDqR
• .VbgQJ
• .vKRa
• .vLFew
• .vLuwMjt
• .VQEW
• .vVtHs
• .wBgPqL
• .WChzQ
• .wHOXfI
• .wpx
• .XONIz
• .XuFxtemZ
• .xuiKKV
• .YAKxvkvX
• .YfZxME
• .YgAlwFK
• .YGFhwuZj
• .yLnd
• .yQBFV
• .YSmQZYGF
• .Zbnm
• .zdBLY
• .ZLom
• .ZRDlH
• .zUnjegnM
• .zyucABE