RANSOM_KRAKEN.THHBBAH

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{Random Hex}.{Random 3 Hex}.bat -> deletes the malware copy and the .bat
• %ProgramData%\Release.bat
• %ProgramData%\sdel.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, and 8.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData in Windows Vista, 7, and 8.)

It adds the following processes:

• cmd.exe", "/C sc config eventlog start=disabled
• cmd.exe", "/C REG add \"HKLM\SYSTEM\CurrentControlSet\services\eventlog\" / v Start / t REG_DWORD / d 4 / f
• tasklist" /V /FO CSV

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Kraken

It terminates itself if it finds the following processes in the affected system's memory:

• Sysinternals: www.sysinternals.com
• wireshark
• EtherD
• EtherDetect
• The Wireshark Network Analyzer
• dumpcap
• sysAnalyzer
• TCPView
• C:\Program Files\Wireshark\
• NETSTAT
• sniff_hit

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Console
WordLoad = 1

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvcagntsvc
• agntsvcencsvc
• agntsvcisqlplussvc
• dbeng50
• dbsnmp
• firefoxconfig
• msftesql
• mydesktopqos
• mydesktopservice
• mysqld
• mysqld-nt
• mysqld-opt
• ocomm
• ocssd
• oracle
• sqbcoreservice
• sqlagent
• sqlbrowser
• sqlservr
• sqlwriter
• sqlwb
• synctime
• tbirdconfig
• xfssvccon
• notepad

Other Details

This Ransomware connects to the following URL(s) to get the affected system's IP address:

• https://ipinfo.io/json

It does the following:

• Will not proceed if the keyboard layout contains one of the following value:
  • 1058 = Ukrainian
  • 1059 = Belarusian
  • 1061 = Estonian
  • 1062 = Latvian
  • 1063 = Lithuanian
  • 1064 = Tajik
  • 1065 = Persian
  • 1067 = Armenian
  • 1068 = Azeri (Latin)
  • 1079 = Georgian
  • 1087 = Kazakh
  • 1088 = Kyrgyz (Cyrillic)
  • 1090 = Turkmen
  • 1091 = Uzbek (Latin)
  • 1092 = Tatar
• Will not encrypt if the user's IP is from the following country:
  • am = Armenia
  • az = Azerbaijan
  • by = Belarus
  • ee = Estonia
  • ge = Georgia
  • ir = Iran
  • kg = Kyrgyzstan
  • kz = Kazakhstan
  • lt = Lithuania
  • lv = Latvia
  • md = Moldova
  • ru = Russia
  • tj = Tajikistan
  • tm = Turkmenistan
  • ua = Ukraine
  • uz = Uzbekistan
• executes the following if appcheck.exe is running:
  • cmd.exe", "/C reg add \"HKLM\\SOFTWARE\\CheckMAL\\AppCheck\" /v ProductVersion /t REG_SZ /d \"Please contact with \"Kraken Cryptor\" support for decrypt your files.\" /f
  • cmd.exe", "/C reg add \"HKLM\\SOFTWARE\\CheckMAL\\AppCheck\" /v RansomBackupExt/t REG_SZ /d \"NULL\" /f
  • cmd.exe", "/C reg add \"HKLM\\SOFTWARE\\CheckMAL\\AppCheck\" /v RansomBackupExt/t REG_SZ /d \"NULL\" /f
  • cmd.exe", "/C taskkill /F /IM appcheck.exe
• Encrypts the Fix and Removable Drives and Network Drives
• Deletes shadowcopy

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .1cd
• .3dm
• .3ds
• .3fr
• .3g2
• .3gp
• .3pr
• .7z
• .7zip
• .aac
• .ab4
• .abd
• .accdb
• .accde
• .accdr
• .accdt
• .ach
• .acr
• .act
• .adb
• .adp
• .ads
• .agdl
• .ai
• .aiff
• .ait
• .al
• .aoi
• .apj
• .arw
• .ascx
• .asf
• .asm
• .asp
• .aspx
• .asx
• .atb
• .avi
• .awg
• .back
• .backup
• .backupdb
• .bak
• .bank
• .bay
• .bdb
• .bgt
• .bik
• .bin
• .bkp
• .blend
• .bmp
• .bpw
• .c
• .cdb
• .cdf
• .cdr
• .cdr3
• .cdr4
• .cdr5
• .cdr6
• .cdrw
• .cdx
• .ce1
• .ce2
• .cer
• .cfg
• .cfn
• .cgm
• .cib
• .class
• .cls
• .cmt
• .config
• .contact
• .cpi
• .cpp
• .cr2
• .craw
• .crt
• .crw
• .cs
• .csh
• .csl
• .css
• .csv
• .dac
• .dat
• .db
• .db3
• .dbf
• .dbx
• .db_journal
• .dc2
• .dcr
• .dcs
• .ddd
• .ddoc
• .ddrw
• .dds
• .def
• .der
• .des
• .design
• .dgc
• .dit
• .djvu
• .dng
• .doc
• .docm
• .docx
• .dot
• .dotm
• .dotx
• .drf
• .drw
• .dtd
• .dwg
• .dxb
• .dxf
• .dxg
• .edb
• .eml
• .eps
• .erbsql
• .erf
• .exf
• .fdb
• .ffd
• .fff
• .fh
• .fhd
• .fla
• .flac
• .flb
• .flf
• .flv
• .flvv
• .fpx
• .fxg
• .gif
• .gray
• .grey
• .groups
• .gry
• .h
• .hbk
• .hdd
• .hpp
• .html
• .ibank
• .ibd
• .ibz
• .idx
• .iif
• .iiq
• .incpas
• .indd
• .info
• .info_
• .ini
• .jar
• .java
• .jnt
• .jpe
• .jpeg
• .jpg
• .js
• .json
• .kc2
• .kdbx
• .kdc
• .key
• .kpdx
• .kwm
• .laccdb
• .lck
• .ldf
• .lit
• .lock
• .log
• .lua
• .m
• .m2ts
• .m3u
• .m4p
• .m4v
• .mab
• .mapimail
• .max
• .mbx
• .md
• .mdb
• .mdc
• .mdf
• .mef
• .mfw
• .mid
• .mkv
• .mlb
• .mmw
• .mny
• .moneywell
• .mos
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mrw
• .msf
• .msg
• .myd
• .nd
• .ndd
• .ndf
• .nef
• .nk2
• .nop
• .nrw
• .ns2
• .ns3
• .ns4
• .nsd
• .nsf
• .nsg
• .nsh
• .nvram
• .nwb
• .nx2
• .nxl
• .nyf
• .oab
• .obj
• .odb
• .odc
• .odf
• .odg
• .odm
• .odp
• .ods
• .odt
• .ogg
• .oil
• .omg
• .orf
• .ost
• .otg
• .oth
• .otp
• .ots
• .ott
• .p7b
• .p7c
• .p12
• .pab
• .pages
• .pas
• .pat
• .pbf
• .pcd
• .pct
• .pdb
• .pdd
• .pdf
• .pef
• .pem
• .pfx
• .php
• .pif
• .pl
• .plc
• .plus_muhd
• .pm!
• .pm
• .pmi
• .pmj
• .pml
• .pmm
• .pmo
• .pmr
• .pnc
• .pnd
• .png
• .pnx
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppsm
• .ppsx
• .ppt
• .pptm
• .pptm
• .pptx
• .prf
• .ps
• .psafe3
• .psd
• .pspimage
• .pst
• .ptx
• .pwm
• .py
• .qba
• .qbb
• .qbm
• .qbr
• .qbw
• .qbx
• .qby
• .qcow
• .qcow2
• .qed
• .qtb
• .r3d
• .raf
• .rar
• .rat
• .raw
• .rdb
• .rm
• .rtf
• .rvt
• .rw2
• .rwl
• .rwz
• .s3db
• .safe
• .sas7bdat
• .sav
• .save
• .say
• .sd0
• .sda
• .sdb
• .sdf
• .sh
• .sldm
• .sldx
• .sql
• .sqlite
• .sqlite-shm
• .sqlite-wal
• .sqlite3
• .sqlitedb
• .sr2
• .srb
• .srf
• .srs
• .srt
• .srw
• .st4
• .st5
• .st6
• .st7
• .st8
• .stc
• .std
• .sti
• .stm
• .stw
• .stx
• .svg
• .swf
• .sxc
• .sxd
• .sxg
• .sxi
• .sxm
• .sxw
• .tbb
• .tbn
• .tex
• .tga
• .thm
• .tlg
• .tlx
• .txt
• .usr
• .vbox
• .vdi
• .vhd
• .vhdx
• .vmdk
• .vmsd
• .vmx
• .vmxf
• .vob
• .wab
• .wad
• .wallet
• .war
• .wav
• .wb2
• .wma
• .wmf
• .wmv
• .wpd
• .wps
• .x3f
• .x11
• .xis
• .xla
• .xlam
• .xlk
• .xlm
• .xlr
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .ycbcra
• .yuv
• .zip

It avoids encrypting files with the following strings in their file name:

• bootsect.bak
• desktop.ini
• iconcache.db
• ntuser.dat
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• system volume information
• $windows.~bt
• boot
• drivers
• program files
• program files (x86)
• programdata
• all users
• windows
• windows.old
• appdata
• programdata
• sample videos
• sample pictures
• sample music
• my videos
• my pictures
• my music
• test folder

It renames encrypted files using the following names:

• {Encrypted File Number}-Lock.onion

It drops the following file(s) as ransom note:

• {Encrypted Folder}\# How to Decrypt Files.txt