Ransom.MSIL.CHAOS.I

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{9 Random Characters}.jpg → plain white image used to set the Desktop's wallpaper.

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops and executes the following files:

• %Application Data%\svchost.exe → drops and executes only if {Malware Path}\{Malware Filename} is not equal to it.

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete → deletes all volume shadow copies in the system.
• "%System%\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no → disables Windows RE error recovery, and automatic restart.
• "%System%\cmd.exe" /C wbadmin delete catalog -quiet → deletes the backup catalog on the system.
• "%System%\NOTEPAD.EXE" %Application Data%\read_it.txt → opens the dropped ransom note.

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Ransomware drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• Filename: %User Startup%\svchost.url
  URL: file:///%Application Data%\svchost.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{9 Random Characters}.jpg

(Note: The default value data of the said registry entry is {Default Image Filename}.)

It sets the system's desktop wallpaper to the following image:

Propagation

This Ransomware drops the following copy of itself in all physical and removable drives:

• {Drive Letter}\surprise.exe → dropped in every active drive except C:.

Other Details

This Ransomware does the following:

• During encryption:
  • If the file's size is less than 2,117,152 bytes, it rewrites the file's data using the following format:
    • {Encrypted Key}{Encrypted Data}
  • Otherwise, it rewrites the file's data using the following format:
  • {Encrypted Key}{Encrypted Data}
• It utilizes Bitcoin address clipboard hijacking by checking the clipboard if it contains a Bech32 BTC address and replaces it with the following BTC address:
  • {BLOCKED}ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .1cd
• .3ds
• .3fr
• .3g2
• .3gp
• .7z
• .7zip
• .accda
• .accdb
• .accdc
• .accde
• .accdr
• .accdt
• .accdw
• .ace
• .adp
• .ai
• .ai3
• .ai4
• .ai5
• .ai6
• .ai7
• .ai8
• .amv
• .apk
• .arj
• .arw
• .ascx
• .asm
• .asmx
• .asp
• .aspx
• .avi
• .avs
• .backup
• .bak
• .bay
• .bin
• .bk
• .blob
• .bmp
• .bz2
• .cab
• .cer
• .cfm
• .config
• .contact
• .core
• .cpp
• .crt
• .cs
• .css
• .csv
• .cub
• .cvs
• .dae
• .dat
• .db
• .dbf
• .dbx
• .dc3
• .dcm
• .dcr
• .dib
• .dic
• .dif
• .divx
• .djvu
• .dmg
• .doc
• .docm
• .docx
• .dot
• .dotx
• .dwg
• .dwt
• .epsp
• .exif
• .exr
• .f4v
• .flv
• .geo
• .gif
• .gz
• .gzip
• .htm
• .html
• .ibank
• .ico
• .iff
• .inc
• .indd
• .ini
• .iso
• .jar
• .java
• .jpe
• .jpeg
• .jpg
• .js
• .json
• .jsp
• .key
• .kmz
• .kwm
• .lnk
• .log
• .lzh
• .m1v
• .m4a
• .m4p
• .m4v
• .max
• .mda
• .mdb
• .mde
• .mdf
• .mdw
• .mht
• .mhtml
• .mka
• .mkv
• .mov
• .mp3
• .mp4
• .mpeg
• .mpg
• .mpv
• .msg
• .myi
• .nef
• .obj
• .odc
• .odm
• .odp
• .ods
• .odt
• .oft
• .onepkg
• .onepkg
• .onetoc2
• .opt
• .oqy
• .orf
• .p12
• .p7b
• .p7c
• .pam
• .pas
• .pdb
• .pdf
• .pfx
• .php
• .pict
• .pl
• .pls
• .png
• .pot
• .potm
• .potx
• .ppam
• .pps
• .ppsm
• .ppt
• .pptm
• .pptx
• .ps
• .psb
• .psd
• .pst
• .py
• .r3d
• .rar
• .raw
• .rb
• .rgbe
• .rss
• .rtf
• .safe
• .settings
• .sie
• .slk
• .sln
• .sql
• .stm
• .sum
• .svg
• .svgz
• .swf
• .swift
• .tab
• .tar
• .tar.gz
• .tbi
• .tif
• .torrent
• .txt
• .vb
• .vbs
• .vdi
• .vmdk
• .vob
• .vss
• .wallet
• .wav
• .webm
• .wma
• .wmv
• .wpd
• .wps
• .xla
• .xlam
• .xlk
• .xlm
• .xls
• .xlsb
• .xlsm
• .xlsx
• .xlt
• .xltm
• .xltx
• .xlw
• .xml
• .xps
• .xsd
• .xsf
• .xsl
• .xz
• .zip

It encrypts files found in the following folders:

• {Active Drives}
• %Desktop%
• %Favorites%
• %Application Data%
• %Public%\Documents
• %Public%\Pictures
• %Public%\Music
• %Public%\Videos
• %Public%\Desktop
• %User Profile%\Links
• %User Profile%\Contacts
• %User Profile%\Documents
• %User Profile%\Downloads
• %User Profile%\Pictures
• %User Profile%\Music
• %User Profile%\OneDrive
• %User Profile%\Saved Games
• %User Profile%\Searches
• %User Profile%\Videos

(Note: %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Favorites% is the current user's Favorites folder, which is usually C:\Documents and Settings\{user name}\Favorites on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Favorites on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It avoids encrypting files with the following strings in their file name:

• read_it.txt

It avoids encrypting files found in the following folders:

• C:\

It appends the following extension to the file name of the encrypted files:

• .encrypt

It drops the following file(s) as ransom note:

• {Path to Encrypt}\read_it.txt
• %Application Data%\read_it.txt → opened afterwards