Ransom.MSIL.KARSOVROP.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• "cmd.exe" /c net stop wscsvc
• "%System%\vssadmin.exe" delete shadows /all /quite
• "cmd.exe" /c {Malware File Path}\DeleteItself.bat

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefoxconfig
• infopath
• isqlplussvc
• msaccess
• msftesql
• mspub
• mydesktopqos
• mydesktopservice
• mysqld
• mysqld-nt
• mysqld-opt
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sqlagent
• sqlbrowser
• sqlservr
• sqlwriter
• steam
• synctime
• tbirdconfig
• thebat
• thebat64
• thunderbird
• visio
• winword
• wordpad
• xfssvccon
• Any process whose image path does not start in %System Root%
• Any process whose image path does not contain "microsoft" or "windows" (case-insensitive)

(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)

Dropping Routine

This Ransomware drops the following files:

• {Encrypted Path}\{Encrypted File Name}.{Encrypted File Extension}.karsovrop_TMP → deleted after the file is encrypted
• {Malware File Path}\DeleteItself.bat → used to delete the malware (deleted afterwards)

Other Details

This Ransomware does the following:

• It will only execute if the system date is after the 15th of every month from the year 2024 onwards.
• It avoids encrypting files that contains the following strings at the end of their filenames:
  • FILE RECOVERY.txt
• It shows the following dialog box which accepts the path/directory to prioritize in encrypting:
  

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• Bootfont.bin
• bootsect.bak
• concache.db
• DECRYPT-FILES.html
• desktop.ini
• io.sys
• ntdetect.com
• ntldr
• ntuser.dat
• ntuser.dat.log
• readme-warning.txt
• thumbs.db

It avoids encrypting files found in the following folders:

• $windows.~bt
• $windows.~ws
• appdata
• application data
• Assemblies
• boot
• Common Files
• Core Runtime
• google
• intel
• Internet Explorer
• Microsoft Analysis Services
• Microsoft ASP.NET
• Microsoft Help Viewer
• Microsoft MPI
• Microsoft Security Client
• Microsoft Security Client
• Microsoft.NET
• mozilla
• msocache
• Package
• Package Store
• perflogs
• programdata
• Reference
• Store
• system volume information
• tor browser
• Windows
• Windows Defender
• Windows Kits
• Windows Mail
• Windows Microsoft.NET
• Windows NT
• Windows Photo Viewer
• Windows Portable Devices
• Windows Sidebar
• windows.old
• WindowsPowerShell

It appends the following extension to the file name of the encrypted files:

• .karsovrop

It drops the following file(s) as ransom note:

• {Discovered Path}\FILE RECOVERY.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .ani
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagpkg
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .icns
• .ico
• .ics
• .idx
• .jar
• .karsovrop
• .karsovrop_TMP
• .lnk
• .mod
• .mpa
• .msc
• .msi
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocs
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .sys
• .theme
• .themepack
• .wpx