Ransom.Linux.LIMPOOP.THBACBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other Details

This Ransomware does the following:

• It prints the following upon execution:
  • Encrypted file names
  • Number of encrypted files
  • Number of files skipped
  • Total number of files scanned
  • Total size of encrypted files
  
  

It accepts the following parameters:

• {Path to encrypt} → Required

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .log
• .vmdk
• .vmsd
• .vmem
• .vswp
• .vm
• .db
• .vmx2
• .vmxf
• .vmss
• .vmtx
• .vmtm
• .nvram
• .vsb
• .vbm
• .vlb
• .vrb
• .hlog
• .rar
• .vsm
• .vib
• .vbk
• .zip
• .iso
• .gz
• .tgz
• .bco
• .dump
• .gzip
• .bk
• .bck
• .bkp
• .tmp
• .vmx
• .ova
• .ovf
• .tar
• .mf
• .vmd
• .vmsn

It appends the following extension to the file name of the encrypted files:

• {Original fllename}.{Original extension}.LIMPOPO

It drops the following file(s) as ransom note:

• {Encrypted Directory}/LIMPOPO.txt
  

It avoids encrypting files with the following file extensions:

• .LIMPOPO