RANSOM_DILMALOCKER.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Desktop%\dilminha.dat
• %Desktop%\background.bmp

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

• %User Profile%\Documents\03cfef087143723d911484f9568dcf63.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %Desktop%\background.bmp

Other Details

This Ransomware encrypts files with the following extensions:

• doc
• docx
• xls
• xlsx
• ppt
• pptx
• pst
• ost
• msg
• eml
• vsd
• vsdx
• txt
• csv
• rtf
• 123
• wks
• wk1
• pdf
• dwg
• onetoc2
• snt
• jpeg
• jpg
• docb
• docm
• dot
• dotm
• dotx
• xlsm
• xlsb
• xlw
• xlt
• xlm
• xlc
• xltx
• xltm
• pptm
• pot
• pps
• ppsm
• ppsx
• ppam
• potx
• potm
• edb
• hwp
• 602
• sxi
• sti
• sldx
• sldm
• gpg
• aes
• ARC
• PAQ
• bz2
• tbk
• bak
• tar
• tgz
• gz
• 7z
• rar
• zip
• backup
• iso
• vcd
• bmp
• png
• gif
• raw
• cgm
• tif
• tiff
• nef
• psd
• ai
• svg
• djvu
• m4u
• m3u
• mid
• wma
• flv
• 3g2
• mkv
• 3gp
• mp4
• mov
• avi
• asf
• mpeg
• vob
• mpg
• wmv
• fla
• swf
• wav
• mp3
• sh
• class
• jar
• java
• rb
• asp
• php
• jsp
• brd
• sch
• dch
• dip
• pl
• vb
• vbs
• ps1
• bat
• cmd
• js
• asm
• h
• pas
• cpp
• c
• cs
• suo
• sln
• ldf
• mdf
• ibd
• myi
• myd
• frm
• odb
• dbf
• db
• mdb
• accdb
• sql
• sqlitedb
• sqlite3
• asc
• lay6
• lay
• mml
• sxm
• otg
• odg
• uop
• std
• sxd
• otp
• odp
• wb2
• slk
• dif
• stc
• sxc
• ots
• ods
• 3dm
• max
• 3ds
• uot
• stw
• sxw
• ott
• odt
• pem
• p12
• csr
• crt
• key
• pfx
• der
• kdbx

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• {Drive Letter}:\

It avoids encrypting files with the following strings in their file path:

• ProgramData
• PerfLogs
• $Recycle.Bin
• Arquivos de Programas
• WINDOWS
• System Volume Information
• Microsoft
• Arquivos de programas

It appends the following extension to the file name of the encrypted files:

• .dilmaV1

It drops the following file(s) as ransom note:

• %Desktop%\RECUPERE_SEUS_ARQUIVOS.html

(Note: %Desktop% is the desktop folder, where it usually is C:\Documents and Settings\{user name}\Desktop in Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\Desktop in Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

NOTES:

This ransomware displays this wallpaper image in %Desktop%\background.bmp

When %Desktop%\RECUPERE_SEUS_ARQUIVOS.html is opened, the following is also displayed: