Ransom.Win64.THREEAM.THDAIBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• "netsh.exe" advfirewall firewall set rule "group="Network Discovery"" new enable=Yes
• "wbadmin.exe" delete systemstatebackup -keepVersions:0 -quiet
• "wbadmin.exe" DELETE SYSTEMSTATEBACKUP
• "wbadmin.exe" DELETE SYSTEMSTATEBACKUP -deleteOldest
• "bcdedit.exe" /set {default} recoveryenabled No"bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
• "wmic.exe" SHADOWCOPY DELETE /nointeractive
• "cmd.exe" /c wevtutil cl security
• "cmd.exe" /c wevtutil cl system
• "cmd.exe" /c wevtutil cl application
• "vssadmin.exe" delete shadows /all /quiet

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
3AMTheTimeOfMysticismIsntIt? = {Malware File Path}\{Malware File name}

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\LanmanServer\Parameters
MaxMpxCt = 0x0000fffff(65535)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• vmcomp
• vmwp
• veeam
• Back
• xchange
• backup
• Backup
• acronis
• AcronisAgent
• AcrSch2Svc
• sql
• Enterprise
• Veeam
• VeeamTransportSvc
• VeeamNFSSvc
• AcrSch
• bedbg
• DCAgent
• EPSecurity
• EPUpdate
• Eraser
• EsgShKernel
• FA_Scheduler
• IISAdmin
• IMAP4
• MBAM
• Endpoint
• Afee
• McShield
• task
• mfemms
• mfevtp
• mms
• MsDts
• Exchange
• ntrt
• PDVF
• POP3
• Report
• RESvc
• Monitor
• Smcinst
• SmcService
• SMTP
• SNAC
• swi_
• CCSF
• ccEvtMgr
• ccSetMgr
• TrueKey
• tmlisten
• UIODetect
• W3S
• WRSVC
• NetMsmq
• ekrn
• EhttpSrv
• ESHASRV
• AVP
• klnagent
• wbengine
• KAVF
• mfefire
• svc$
• memtas
• mepocs
• GxVss
• GxCVD
• GxBlr
• GxFWD
• GxCIMgr
• BackupExecVSSProvider
• BackupExecManagementService
• BackupExecJobEngine
• BackupExecDiveciMediaService
• BackupExecAgentBrowser
• BackupExecAgentAccelerator
• vss
• BacupExecRPCService
• CASAD2WebSvc
• CAARCUpdateSvc
• YooBackup
• YooIT

It terminates the following processes if found running in the affected system's memory:

• backup.exe
• Backup.exe
• calc.exe
• CNTAoSMgr.exe
• dbeng.exe
• dbeng50.exe
• dbsnmp.exe
• ekrn.exe
• encsvc.exe
• excel.exe
• firefox.exe
• firefoxconfig.exe
• infopath.exe
• isqlplussvc.exe
• mbamtray.exe
• msaccess.exe
• mspub.exe
• mydesktop.exe
• mydesktopqos.exe
• mydesktopservice.exe
• notepad.exe
• Ntrtscan.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• PccNTMon.exe
• powerpnt.exe
• raccine.exe
• Raccine.exe
• sqbcoreservice.exe
• sql.exe
• sqlbcoreservice.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• tmlisten.exe
• veeam.exe
• virtual.exe
• visio.exe
• vmcomp.exe
• vmwp.exe
• winword.exe
• word.exe
• wordpad.exe
• xchange.exe
• xfssvccon.exe
• zoolz.exe

Other Details

This Ransomware checks for the presence of the following process(es):

• vmsrvc.exe
• tcpview.exe
• wireshark.exe
• fiddler.exe
• vmware.exe
• VirtualBox.exe
• procexp.exe
• autoit.exe
• vboxtray.exe
• vmtoolsd.exe
• vmrawdsk.sys
• vmusbmouse.sys
• df5serv.exe
• vboxservice.exe
• OllyDbg.exe
• x64dbg
• x32dbg
• WinDbg
• ProcessHacker.exe

It does the following:

• It empties the Recycled Bin
• It checks if the following file exists:
  • view.lock
• It uses the Windows Restart Manager API to close processes or shut down Windows services that may be keeping a file open and preventing encryption.
• When encrypting network shares it will check if the IP address starts with the following to ensure that it is encrypting local, non-internet, systems:
  • 172.
  • 192.168.
  • 10.
  • 169.
• It looks for database storage files by looking for the following strings in their file path:
  • .4dd
  • .4dl
  • .accdb
  • .accdc
  • .accde
  • .accdr
  • .accdt
  • .accft
  • .adb
  • .ade
  • .adf
  • .adp
  • .arc
  • .ora
  • .alf
  • .ask
  • .btr
  • .bdf
  • .cat
  • .cdb
  • .ckp
  • .cma
  • .cpd
  • .dacpac
  • .dad
  • .dadiagrams
  • .daschema
  • .db
  • .db-shm
  • .db-wal
  • .db3
  • .dbc
  • .dbf
  • .dbs
  • .dbt
  • .dbv
  • .dbx
  • .dcb
  • .dct
  • .dcx
  • .ddl
  • .dlis
  • .dp1
  • .dqy
  • .dsk
  • .dsn
  • .dtsx
  • .dxl
  • .eco
  • .edb
  • .epim
  • .exb
  • .fcd
  • .fdb
  • .fic
  • .fmp
  • .fmp12
  • .fmpsl
  • .fol
  • .fp3
  • .fp4
  • .fp5
  • .fp7
  • .fpt
  • .frm
  • .gdb
  • .grdb
  • .gwi
  • .hdb
  • .his
  • .ib
  • .idb
  • .ihx
  • .itdb
  • .itw
  • .jet
  • .jtx
  • .kdb
  • .kexi
  • .kexic
  • .kexis
  • .lgc
  • .lwx
  • .maf
  • .maq
  • .mar
  • .mas
  • .mav
  • .mdb
  • .mdf
  • .mpd
  • .mrg
  • .mud
  • .mwb
  • .myd
  • .ndf
  • .nnt
  • .nrmlib
  • .ns2
  • .ns3
  • .ns4
  • .nsf
  • .nv
  • .nv2
  • .nwdb
  • .nyf
  • .odb
  • .oqy
  • .orx
  • .owc
  • .p96
  • .p97
  • .pan
  • .pdb
  • .pdm
  • .pnz
  • .qry
  • .qvd
  • .rbf
  • .rctd
  • .rod
  • .rodx
  • .rpd
  • .rsd
  • .sas7bdat
  • .sbf
  • .scx
  • .sdb
  • .sdc
  • .sdf
  • .sis
  • .sqlite
  • .sqlite3
  • .sqlitedb
  • .te
  • .temx
  • .tmd
  • .tps
  • .trc
  • .trm
  • .udb
  • .udl
  • .usr
  • .v12
  • .vis
  • .vpd
  • .vvv
  • .wdb
  • .wmdb
  • .wrk
  • .xdb
  • .xld
  • .xmlff
  • .abcddb
  • .abs
  • .abx
  • .accdw
  • .adn
  • .db2
  • .fm5
  • .hjt
  • .icg
  • .icr
  • .kdb
  • .lut
  • .maw
  • .mdn
  • .mdt
• It looks for disk image files by looking for the following file extensions in their file path:
  • .vdi
  • .vhd
  • .vmdk
  • .pvm
  • .vmem
  • .vmsn
  • .vmsd
  • .nvram
  • .vmx
  • .raw
  • .qcow2
  • .subvol
  • .bin
  • .vsv
  • .avhd
  • .vmrs
  • .vhdx
  • .avdx
  • .vmcx
  • .iso

It accepts the following parameters:

• -k → Access key
• -p →
• -h →
• -s → determines file offsets to manage encryption speed (expressed in decimal digits).
• -m → Specify mode of encryption
  • net → encrypt local drives
  • local → encrypt only shared drives

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• desktop.ini
• autorun.inf
• ntldr
• bootsect.bak
• thumbs.db
• boot.ini
• ntuser.dat
• iconcache.db
• ntuser.ini
• ntuser.dat.log
• recover-files.txt

It avoids encrypting files found in the following folders:

• vpn
• boot
• windows
• $windows.~bt
• winnt
• application data
• $windows.~ws
• $recycle.bin
• recycle.bin
• windows.old
• system volume information
• tor browser
• opera
• windows journal
• windows defender
• windows security
• windows photo viewer
• windowsapp
• windowspowershell
• usoshared
• intel
• perflogs
• msocache
• sysvol
• ntds
• sysvol
• netlogon
• windows nt
• msbuild
• common files
• temp
• thumb
• rsa
• ntdetect.com
• ntldr
• bootmgr
• programdata
• appdata
• program files
• microsoft
• sophos
• mozilla
• internet explorer
• microsoft.net
• microsoft shared
• public
• default
• config.msi
• google
• trend micro
• all users

It appends the following extension to the file name of the encrypted files:

• .threeamtime

It drops the following file(s) as ransom note:

• {Encrypted Directory}\RECOVER-FILES.txt