Ransom.MSIL.THANOS.THFOFBB

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• taskkill /F /IM RaccineSettings.exe
• reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
• reg delete HKCU\Software\Raccine /F
• schtasks /DELETE /TN "Raccine Rules Updater" /F
• cmd.exe /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
• Sc.exe config Dnscache start= auto
• Sc.exe config FDResPub start= auto
• Sc.exe config SSDPSRV start= auto
• Sc.exe config upnphost start= auto
• Sc.exe config SQLTELEMETRY start= disabled
• Sc.exe config SQLTELEMETRY$ECWDB2 start= disabled
• Sc.exe config SQLWriter start= disabled
• Sc.exe config SstpSvc start= disabled
• taskkill.exe /IM mspub.exe /F
• taskkill.exe /IM mydesktopqos.exe /F
• taskkill.exe /IM mydesktopservice.exe /F
• taskkill.exe /IM mysqld.exe /F
• taskkill.exe /IM sqbcoreservice.exe /F
• taskkill.exe /IM firefoxconfig.exe /F
• taskkill.exe /IM agntsvc.exe /F
• taskkill.exe /IM thebat.exe /F
• taskkill.exe /IM steam.exe /F
• taskkill.exe /IM encsvc.exe /F
• taskkill.exe /IM excel.exe /F
• taskkill.exe /IM CNTAoSMgr.exe /F
• taskkill.exe /IM sqlwriter.exe /F
• taskkill.exe /IM tbirdconfig.exe /F
• taskkill.exe /IM dbeng50.exe /F
• taskkill.exe /IM thebat64.exe /F
• taskkill.exe /IM ocomm.exe /F
• taskkill.exe /IM infopath.exe /F
• taskkill.exe /IM mbamtray.exe /F
• taskkill.exe /IM zoolz.exe /F
• taskkill.exe /IM thunderbird.exe /F
• taskkill.exe /IM dbsnmp.exe /F
• taskkill.exe /IM xfssvccon.exe /F
• taskkill.exe /IM mspub.exe /F
• taskkill.exe /IM Ntrtscan.exe /F
• taskkill.exe /IM isqlplussvc.exe /F
• taskkill.exe /IM onenote.exe /F
• taskkill.exe /IM PccNTMon.exe /F
• taskkill.exe /IM msaccess.exe /F
• taskkill.exe /IM outlook.exe /F
• taskkill.exe /IM tmlisten.exe /F
• taskkill.exe /IM msftesql.exe /F
• taskkill.exe /IM powerpnt.exe /F
• taskkill.exe /IM mydesktopqos.exe /F
• taskkill.exe /IM visio.exe /F
• taskkill.exe /IM mydesktopservice.exe /F
• taskkill.exe /IM winword.exe /F
• taskkill.exe /IM mysqld-nt.exe /F
• taskkill.exe /IM wordpad.exe /F
• taskkill.exe /IM mysqld-opt.exe /F
• taskkill.exe /IM ocautoupds.exe /F
• taskkill.exe /IM ocssd.exe /F
• taskkill.exe /IM oracle.exe /F
• taskkill.exe /IM sqlagent.exe /F
• taskkill.exe /IM sqlbrowser.exe /F
• taskkill.exe IM sqlservr.exe /F
• taskkill.exe /IM synctime.exe /F
• powershell.exe & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
• notepad.exe %Desktop%\RESTORE_FILES_INFO.txt
• cmd.exe /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
• cmd.exe "/C choice /C Y /N /D Y /T 3 & Del "{Malware Path}\{Malware Filename}.exe

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\8a3cd836-e8bb-428d-9e0b-d62e18cfe2d4

It loads the following configuration files:

• {Malware Path}\Config.enc

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %Programs%\Startup\reload1.lnk

(Note: %Programs% is the folder that contains the user’s program groups, which is usually C:\Windows\Start Menu\Programs or C:\Documents and Settings\{User name}\Start Menu\Programs on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs on Windows Vista, 7, and 8.)

Other System Modifications

This Ransomware deletes the following files:

• {Malware Path}\Config.enc

It adds the following registry entries:

HKEY_CURRENT_USER\Software\KEYID\
myKeyID
ID1 = {Random}

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\FileSystem
LongPathsEnabled = 1

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• http analyzer stand-alone
• fiddler
• effetech http sniffer
• firesheep
• IEWatch Professional
• dumpcap
• wireshark
• wireshark portable
• sysinternals tcpview
• NetworkMiner
• NetworkTrafficView
• HTTPNetworkSniffer
• tcpdump
• intercepter
• Intercepter-NG
• ollydbg
• x64dbg
• x32dbg
• dnspy
• dnspy-x86
• de4dot
• ilspy
• dotpeek
• dotpeek64
• ida64
• RDG Packer Detector
• CFF Explorer
• PEiD
• protection_id
• LordPE
• pe-sieve
• MegaDumper
• UnConfuserEx
• Universal_Fixer
• NoFuserEx
• cheatengine

Other Details

This Ransomware does the following:

• It encrypts all available drives (except for CDROMs).
• It empties the recycle bin.
• It deletes the following subkeys under {HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options}
  • vssadmin.exe
  • wmic.exe
  • wbadmin.exe
  • bcdedit.exe
  • powershell.exe
  • diskshadow.exe
  • net.exe

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• dat
• txt
• jpeg
• gif
• jpg
• png
• php
• cs
• cpp
• rar
• zip
• html
• htm
• xlsx
• xls
• avi
• mp4
• ppt
• doc
• docx
• sxi
• sxw
• odt
• hwp
• tar
• bz2
• mkv
• eml
• msg
• ost
• pst
• edb
• sql
• accdb
• mdb
• dbf
• odb
• myd
• php
• java
• cpp
• pas
• asm
• key
• pfx
• pem
• p12
• csr
• gpg
• aes
• vsd
• odg
• raw
• nef
• svg
• psd
• vmx
• vmdk
• vdi
• lay6
• sqlite3
• sqlitedb
• java
• class
• mpeg
• djvu
• tiff
• backup
• pdf
• cert
• docm
• xlsm
• dwg
• bak
• qbw
• nd
• tlg
• lgb
• pptx
• mov
• xdw
• ods
• wav
• mp3
• aiff
• flac
• m4a
• csv
• sql
• ora
• mdf
• ldf
• ndf
• dtsx
• rdl
• dim
• mrimg
• qbb
• rtf
• 7z

It avoids encrypting files with the following strings in their file name:

• autoexec.bat
• desktop.ini
• autorun.inf
• ntuser.dat
• NTUSER.DAT
• iconcache.db
• bootsect.bak
• boot.ini
• ntuser.dat.log
• thumbs.db
• bootmgr
• pagefile.sys
• config.sys
• ntuser.ini
• Builder_Log
• RSAKeys
• Config.enc
• RESTORE_FILES_INFO
• Recycle.Bin
• reload1.lnk
• Debug_Log.txt
• UserName={UserName}_MachineName={MachineName}_.txt

It avoids encrypting files with the following strings in their file path:

• C:\Program Files\
• C:\Program Files (x86)\
• :\Windows\
• Perflogs
• internet explorer
• :\ProgramData\
• \AppData\
• msocache
• system volume information
• boot
• tor browser
• mozilla
• appdata
• google chrome
• application data
• Microsoft SQL Server

It appends the following extension to the file name of the encrypted files:

• .NARUMI

It leaves text files that serve as ransom notes containing the following text:

• %Desktop%\RESTORE_FILES_INFO.txt
• %UserTemp%\RESTORE_FILES_INFO.txt
• {Encrypted Directory}\RESTORE_FILES_INFO.txt
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• EXE
• DLL
• .NARUMI