Ransom.Win64.MOUNTLOCKER.E

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{random characters}.bat -> contains commands to delete original malware executable
• {Malware File Path}\{Malware File Name}.log -> log file

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd /c ""%User Temp%\{Random characters}.bat" {Malware file path and name}" -> to delete itself after execution

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Classes\
{Generated ID}\shell\Open\
command
(Default) = explorer.exe RecoveryManual.html -> causes the opening of ransom note when an encrypted file is opened

Process Termination

This Ransomware terminates the following services if found on the affected system:

• Services with the following strings in its service name:
  • SQL
  • database
  • msexchange

It terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• dumpcap.exe
• encsvc.exe
• excel.exe
• firefoxconfig.exe
• infopath.exe
• ipython.exe
• isqlplussvc.exe
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• procexp.exe
• procexp64.exe
• procmon.exe
• procmon64.exe
• python.exe
• QBW32.exe
• QBW64.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlservr.exe
• sqlwriter.exe
• steam.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• wpython.exe
• xfssvccon.exe

Information Theft

This Ransomware gathers the following data:

• Core Count
• Total Memory
• Windows Version
• Windows Architecture
• User Name
• Computer Name
• Join status information

Other Details

This Ransomware does the following:

• It accepts the following parameters:
  • /LOGIN - stolen login credentials
  • /PASSWORD -stolen login credentials
  • /CONSOLE - display console
    
  • /NODEL - skip self deletion
  • /NOKILL - will not terminate services and processes
  • /NOLOG - no log file
  • /SHAREALL - encrypt network shares
  • /NETWORK{w|s} - execute malware in network shares
  • /PARAMS
  • /TARGET - indicate target path
  • /FAST - fast encryption mode
  • /MIN
  • /MAX
  • /FULLPD
  • /MARKER - create file serving as the infection marker
  • /NOLOCK - indicate file to avoid
• It checks if SQL is installed in the following folders:
  • Program Files
  • Program Files (x86)
  • ProgramData
• It propagates in the network via LDAP domain query in Active Directories and drops copies of itself as:
  • \C$\ProgramData\{Malware File Name}.exe
• Once propagation is successful, it will install the following service for malware execution:
  • Update{random}

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• bootmgr
• RecoveryManual.html

It avoids encrypting files found in the following folders:

• :\Windows\
• :\SystemVolumeInformation\
• :\$RECYCLE.BIN\
• :\SYSTEM.SAV
• :\WINNT
• :\$WINDOWS.~BT\
• :\Windows.old\
• :\PerfLog\
• :\Boot
• :\ProgramData\Microsoft\
• :\ProgramData\Packages\
• $\Windows\
• $\SystemVolumeInformation\
• $\$RECYCLE.BIN\
• $\SYSTEM.SAV
• $\WINNT
• $\$WINDOWS.~BT\
• $\Windows.old\
• $\PerfLog\
• $\Boot
• $\ProgramData\Microsoft\
• $\ProgramData\Packages\
• \WindowsApps\
• \Microsoft\Windows\
• \Local\Packages\
• \WindowsDefender
• \microsoftshared\
• \Google\Chrome\
• \MozillaFirefox\
• \Mozilla\Firefox\
• \InternetExplorer\
• \MicrosoftEdge\
• \TorBrowser\
• \AppData\Local\Temp\

It appends the following extension to the file name of the encrypted files:

• .ReadManual.{Generated ID}

It drops the following file(s) as ransom note:

• {Encrypted Directory}\RecoveryManual.html
  

It avoids encrypting files with the following file extensions:

• bat
• cat
• cmd
• dll
• exe
• fon
• inf
• lnk
• msi
• mui
• ps1
• sys
• ttf
• vbs
• ReadManual.{Generated ID}