Ransom.Win32.NOESCAPE.D

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Application Data%\wallpaper.jpg

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• wmic SHADOWCOPY DELETE /nointeractive
• wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
• wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
• wbadmin DELETE BACKUP -deleteOldest
• wbadmin DELETE BACKUP -keepVersions:0
• vssadmin Delete Shadows /All /Quiet
• bcdedit /set {default} recoveryenabled No
• bcdedit /set {default} bootstatuspolicy ignoreallfailures

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Hash of Machine GUID}

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = 0

(Note: The default value data of the said registry entry is 5.)

It sets the system's desktop wallpaper to the following image:

• %Application Data%\wallpaper.jpg
  

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Culserver
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• QBCFMonitorService
• QBIDPService
• RTVscan
• SavRoam
• VMAuthdService
• VMUSBArbService
• VMnetDHCP
• VMwareHostd
• backup
• ccEvtMgr
• ccSetMgr
• dbeng8
• dbsrv12
• memtas
• mepocs
• msexchange
• msmdsrv
• sophos
• sql
• sqladhlp
• sqlagent
• sqlbrowser
• sqlservr
• sqlwriter
• svc$
• tomcat6
• veeam
• vmware-
• converter
• vmware-usbarbitator64
• vss

It terminates the following processes if found running in the affected system's memory:

• 360doctor
• 360se
• Culture
• Defwatch
• GDscan
• MsDtSrvr
• QBCFMonitorService
• QBDBMgr
• QBIDPService
• QBW32
• RAgui
• RTVscan
• agntsvc
• agntsvcencsvc
• agntsvcisqlplussvc
• anvir
• anvir64
• apache
• axlbridge
• backup
• ccleaner
• ccleaner64
• dbeng50
• dbsnmp
• encsvc
• excel
• far
• fdhost
• fdlauncher
• httpd
• infopath
• isqlplussvc
• java
• kingdee
• msaccess
• msftesql
• mspub
• mydesktopqos
• mydesktopservice
• mysqld-nt
• mysqld-opt
• mysqld
• ncsvc
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• procexp
• qbupdate
• sqbcoreservice
• sql
• sqlagent
• sqlbrowser
• sqlmangr
• sqlserver
• sqlservr
• sqlwriter
• steam
• supervise
• synctime
• taskkill
• tasklist
• tbirdconfig
• thebat
• thunderbird
• tomcat
• tomcat6
• u8
• ufida
• visio
• wdsw
• fsafe
• winword
• wordpad
• wuau
• clt
• wxServer
• wxServerView
• xfssvccon

Information Theft

This Ransomware gathers the following data:

• Host Name
• IP Address

Other Details

This Ransomware does the following:

• Empties Recycle Bin
• It encrypts files from local drives, removable drives, and network shares.

Ransomware Routine

This Ransomware avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• %PROGRAMFILES(x86)%
• %PUBLIC%
• %ProgramData%
• %SYSTEMDRIVE%\Program Files
• %SYSTEMDRIVE%\Users\All Users
• %SYSTEMDRIVE%\Windows
• %TMP%
• %USERPROFILE%\AppData
• AppData
• %AppData%
• EFI
• Intel
• MSOCache
• Mozilla
• Program Files
• ProgramData
• Tor Browser
• Windows
• WINDOWS
• boot
• google
• perflogs
• system volume information
• windows.old

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It drops the following file(s) as ransom note:

• {Ecrypted Directory}\HOW_TO_RECOVER_FILES.txt
• %Desktop%\HOW_TO_RECOVER_FILES.txt
  

It avoids encrypting files with the following file extensions:

• exe
• bat
• bin
• cmd
• com
• cpl
• dat
• dll
• drv
• hta
• ini
• lnk
• lock
• log
• mod
• msc
• msi
• msp
• pif
• prf
• rdp
• scr
• shs
• swp
• sys
• theme