Ransom.Win32.MEDUSALOCKER.THJAFBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• By using the command line "\?\%Windows%\SysWOW64\cmd.exe /c %Windows%\sysnative\cmd.exe /c {Commands Below}:
  
  • rem Kill \"SQL\"
  • vssadmin.exe Delete Shadows /All /Quiet
  • wbadmin delete backup -keepVersion:0 -quiet
  • wbadminDELETE SYSTEMSTATEBACKUP
  • wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  • wmic.exe SHADOWCOPY /nointeractive
  • bcdedit.exe /set {default} recoverynabled No
  • bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • net stop {Target Services}
  • taskkill -f -im {Target Processes}
• cipher /w:\?\{Drive Letter}
• %System%\cmd.exe /c pause

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
BabyLockerKZ = {Malware Path}\{Malware File Name}.exe

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\PAIDMEMES
PUBLIC = {Ransomware Public Key}

HKEY_CURRENT_USER\Software\PAIDMEMES
PRIVATE = {Ransomware Private Key}

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Via net stop:
  
  • MSSQLServerADHelper100
  • MSSQL$ISARS
  • MSSQL$MSFW
  • SQLAgent$ISARS
  • SQLAgent$MSFW
  • SQLBrowser
  • REportServer$ISARS
  • SQLWriter

It terminates the following processes if found running in the affected system's memory:

• Via taskkill -f -im:
  
  • sqlbrowser.exe
  • sql writer.exe
  • sqlserv.exe
  • msmdsrv.exe
  • MsDtsSrvr.exe
  • sqlceip.exe
  • fdlauncher.exe
  • Ssms.exe
  • SQLAGENT.EXE
  • fdhost.exe
  • ReportingServicesService.exe
  • msftesql.exe
  • pg_ctl.exe
  • postgres.exe

Other Details

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software
PAIDMEMES

It does the following:

• It encrypts the following drives if found existing on the system:
  
  • Removable Drive
  • Fixed Drive
  • Remote Drive
  • RAM Disk Drive
• It attempts to mount unmounted drives before doing encryption.
• It encrypts data in chunks of 750,016 bytes.
• It skips encryption of 250,048 bytes of data after every chunks.
• It encrypts a maximum of 9,633,920 bytes of data for each files.
• It empties the Recycle Bin.
• It displays logs using the command line application:
  

It accepts the following parameters:

• -network
• -shares={CIDR Notation}
  
  • Attempts to connect to all the hosts in the network and encrypts all existing drives' files found in each of the hosts.
• -path={Path to Encrypt}
  
  • Encrypts files found in the given path.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• How_to_back_files.html

It avoids encrypting files with the following strings in their file path:

• \$Recycle.Bin\
• \Recovery\
• \System Volume Information\
• \Windows\
• \WinREAgent\
• \$Windows.~WS\
• \$WINDOWS.~BT\
• /bin/
• /config/
• /etc/
• /etc.defaults/
• /initrd/
• /lib/
• /lost+found/
• /proc/
• /root/
• /run/
• /sbin/
• /sys/
• /var/
• /dev/
• /usr/

It avoids encrypting files found in the following folders:

• C:\perflogs
• C:\Intel
• C:\HP
• C:\AMD
• C:\Dell
• C:\Drivers
• C:\inetpub
• B:\Boot
• A:\Boot
• B:\EFI
• A:\EFI
• \?\%Application Data%
• \?\%AppDataLocal%
• \?\%All Users Profile%

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). )

It appends the following extension to the file name of the encrypted files:

• .crypto1317

It drops the following file(s) as ransom note:

• {Drive Letter}\How_to_back_files.html
• {All Directories}\How_to_back_files.html
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .sys
• .ini
• .rdp
• .lnk
• .bmp
• .mov
• .cab
• .crypto1317