Ransom.Win32.FOG.C

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware File Path}/DbgLog.sys → logs the behavior of the sample upon execution

It adds the following processes:

• vssadmin.exe delete shadows /all /quiet

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 6zErjcpDAekftPiSbEUGHU4dtFwY5adQ

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Dhcp
• Dnscache
• *sql*

It terminates the following processes if found running in the affected system's memory:

• notepad.exe
• calc.exe
• *sql*

Other Details

This Ransomware does the following:

• It empties the recycle bin of the affected machine.
• It requires to be executed with the key(ID) in order to proceed with its malicious routine:
  • 8mlafY

It accepts the following parameters:

• -ID {key}
• -TARGET {path to encrypt}
• -NOMUTEX
• -CONSOLE
• -PROCOFF
• -UNCOFF

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• tmp
• winnt
• Application Data
• AppData
• temp
• thumb
• $Recycle.Bin
• System Volume Information
• Windows
• Boot

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.flocked

It drops the following file(s) as ransom note:

• {encrypted directory}\readme.txt
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .lnk
• .sys
• .CONTI