Ransom.Win32.NOESCAPE.THHOCBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %Application Data%\{Malware Filename}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• bcedit /deletevalue safeboot → removes safeboot
• wmic SHADOWCOPY DELETE /nointeractive → deletes shadowcopy without confirmation
• wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest → deletes oldest system state backup
• wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 → deletes all system backup versions
• wbadmin DELETE BACKUP -deleteOldest → deletes oldest backup
• wbadmin DELETE BACKUP -keepVersions:0 → deletes all backup versions
• vssadmin Delete Shadows /all /quiet → deletes all shadow copies without prompt
• bcedit /set {default} recoveryenabled No → disables automatic system recovery
• bcedit /set {default} bootstatuspolicy ignoreallfailures → enables system boot even with failures
• bcdedit /set safeboot network → restarts in safemode with network access

Autostart Technique

This Ransomware modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe,%Application Data%\{malware filename}.exe → malware will run as explorer.exe after logon

Other System Modifications

This Ransomware modifies the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLUA = 0 → turns off User Account Control (UAC)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
ConsentPromptBehaviorAdmin = 0 → allows elevated operations without consent or credentials

It sets the system's desktop wallpaper to the following image:

• %Application Data%\wallpaper.jpg
  

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Culserver
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• QBCFMonitorService
• QBIDPService
• RTVscan
• SavRoam
• VMAuthdService
• VMUSBArbService
• VMnetDHCP
• VMwareHostd
• backup
• ccEvtMgr
• ccSetMgr
• dbeng8
• dbsrv12
• memtas
• mepocs
• msexchange
• msmdsrv
• sophos
• sql
• sqladhlp
• sqlagent
• sqlbrowser
• sqlservr
• sqlwriter
• svc$
• tomcat6
• veeam
• vmware-converter
• vmware-usbarbitator64
• vss

It terminates the following processes if found running in the affected system's memory:

• 360doctor
• 360se
• Culture
• Defwatch
• GDscan
• MsDtSrvr
• QBCFMonitorService
• QBDBMgr
• QBIDPService
• QBW32
• RAgui
• RTVscan
• agntsvc
• agntsvcencsvc
• agntsvcisqlplussvc
• anvir
• anvir64
• apache
• axlbridge
• backup
• ccleaner
• ccleaner64
• dbeng50
• dbsnmp
• encsvc
• excel
• far
• fdhost
• fdlauncher
• httpd
• infopath
• isqlplussvc
• java
• kingdee
• msaccess
• msftesql
• mspub
• mydesktopqos
• mydesktopservice
• mysqld-nt
• mysqld-opt
• mysqld
• ncsvc
• ocautoupds
• ocomm
• ocssd
• onedrive
• onenote
• oracle
• outlook
• powerpnt
• procexp
• qbupdate
• sqbcoreservice
• sql
• sqlagent
• sqlbrowser
• sqlmangr
• sqlserver
• sqlservr
• sqlwriter
• steam
• supervise
• synctime
• taskkill
• tasklist
• tbirdconfig
• thebat
• thunderbird
• tomcat
• tomcat6
• u8
• ufida
• visio
• wdswfsafe
• winword
• wordpad
• wuauclt
• wxServer
• wxServerView
• xfssvccon
• vmcompute
• vmwp
• vmms
• vds

Information Theft

This Ransomware gathers the following data:

• Hostname
• System Boot Information
• Username

Other Details

This Ransomware accepts the following parameters:

• -safe → reboots the system in safe mode before encryption

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• AppData
• boot
• EFI
• google
• Intel
• Mozilla
• MSOCache
• perflogs
• Program Files
• ProgramData
• system volume information
• Tor Browser
• WINDOWS
• windows.old

It avoids encrypting files found in the following folders:

• %All Users Profile%
• %Program Files%
• %ProgramData%
• %Public%
• %Temp%
• %User Profile%\AppData
• %Windows%

(Note: %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.. %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It appends the following extension to the file name of the encrypted files:

• {Original filename}.{Original extension}.EACBHCJFI

It drops the following file(s) as ransom note:

• %Desktop%\HOW_TO_RECOVER_FILES.txt
• {All encrypted directories}\HOW_TO_RECOVER_FILES.txt
  

It avoids encrypting files with the following file extensions:

• bat
• bin
• cmd
• com
• cpl
• dat
• dll
• drv
• exe
• hta
• ini
• lnk
• lock
• log
• mod
• msc
• msi
• msp
• pif
• prf
• rdp
• scr
• shs
• swp
• sys
• theme