Ransom.Linux.TELLUDPASS.THLBOBA

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• home\{user}\encfile.txt → list of encrypted files
• home\{user}\public.txt
• home\{user}\showkey.txt

It adds the following processes:

• /bin/bash -c service mysql stop
• /bin/bash -c service oracle stop
• /bin/bash -c systemctl disable postgresql*
• /bin/bash -c systemctl disable mysql*
• /bin/bash -c systemctl disable oracle*

Other Details

This Ransomware connects to the following website to send and receive information:

• http://{BLOCKED}.{BLOCKED}.216.148

It does the following:

• It scans the following local IP addresses for SSH connection:
  • {BLOCKED}.{BLOCKED}.0.0/24
  • {BLOCKED}.{BLOCKED}.0.1/12
  • {BLOCKED}.{BLOCKED}.0.0/8
• It searches for keys in the following folders to use for SSH connection:
  • /home/{username}/.ssh → if ran without admin rights
  • /root/.ssh → if ran with admin rights

It accepts the following parameters:

• -cf {string} → config yaml file
• -df {string} → decrypt file
• -dir {string} → encrypt or decrypt dir
• -goon → go on encrypt
• -d → decrypt file

Ransomware Routine

This Ransomware avoids encrypting files found in the following folders:

• ^/bin
• ^/boot
• ^/sbin
• ^/tmp
• ^/etc
• ^/lib
• ^/proc
• ^/dev
• ^/sys
• ^/usr/include
• ^/usr/java

It appends the following extension to the file name of the encrypted files:

• .locked

It drops the following file(s) as ransom note:

• {Encrypted Directory}\README.html