Ransom.Win32.ANTEFRIGUS.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It steals certain information from the system and/or the user.

It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops and executes the following files:

• C:\Users\Public\Documents\wonsys.exe -> detected as Ransom.Win32.ANTEFRIGUS.A

It adds the following processes:

• cmd /c taskkill /F /IM isqlplussvc.exe
• cmd /c taskkill /F /IM xfssvccon.exe
• cmd /c taskkill /F /IM mydesktopservice.exe
• cmd /c taskkill /F /IM ocautoupds.exe
• cmd /c taskkill /F /IM encsvc.exe
• cmd /c taskkill /F /IM tbirdconfig.exe
• cmd /c taskkill /F /IM mydesktopqos.exe
• cmd /c taskkill /F /IM ocomm.exe
• cmd /c taskkill /F /IM dbeng50.exe
• cmd /c taskkill /F /IM sqbcoreservice.exe
• cmd /c taskkill /F /IM excel.exe
• cmd /c taskkill /F /IM infopath.exe
• cmd /c taskkill /F /IM msaccess.exe
• cmd /c taskkill /F /IM mspub.exe
• cmd /c taskkill /F /IM onenote.exe
• cmd /c taskkill /F /IM outlook.exe
• cmd /c taskkill /F /IM powerpnt.exe
• cmd /c taskkill /F /IM steam.exe
• cmd /c taskkill /F /IM thebat.exe
• cmd /c taskkill /F /IM thunderbird.exe
• cmd /c taskkill /F /IM visio.exe
• cmd /c taskkill /F /IM winword.exe
• cmd /c taskkill /F /IM wordpad.exe
• cmd /c taskkill /F /IM notepad.exe
• cmd /c taskkill /F /IM aupis80.exe
• cmd /c taskkill /F /IM avgnt.exe
• cmd /c taskkill /F /IM sql.exe
• cmd /c taskkill /F /IM oracle.exe
• cmd /c taskkill /F /IM ocssd.exe
• cmd /c taskkill /F /IM dbsnmp.exe
• cmd /c taskkill /F /IM synctime.exe
• cmd /c taskkill /F /IM agntsvc.exe
• cmd /c wmic.exe shadowcopy delete
• cmd /c start news.html
• cmd /c {Root Drive}:/CLICK_HERE-{extension}.txt
• cmd /c taskkill /F /IM isqlplussvc.exe
• cmd /c taskkill /F /IM xfssvccon.exe
• cmd /c taskkill /F /IM mydesktopservice.exe
• cmd /c taskkill /F /IM ocautoupds.exe
• cmd /c taskkill /F /IM encsvc.exe
• cmd /c taskkill /F /IM tbirdconfig.exe
• cmd /c taskkill /F /IM mydesktopqos.exe
• cmd /c taskkill /F /IM ocomm.exe
• cmd /c taskkill /F /IM dbeng50.exe
• cmd /c taskkill /F /IM sqbcoreservice.exe
• cmd /c taskkill /F /IM excel.exe
• cmd /c taskkill /F /IM infopath.exe
• cmd /c taskkill /F /IM msaccess.exe
• cmd /c taskkill /F /IM mspub.exe
• cmd /c taskkill /F /IM onenote.exe
• cmd /c taskkill /F /IM outlook.exe
• cmd /c taskkill /F /IM powerpnt.exe
• cmd /c taskkill /F /IM steam.exe
• cmd /c taskkill /F /IM thebat.exe
• cmd /c taskkill /F /IM thunderbird.exe
• cmd /c taskkill /F /IM visio.exe
• cmd /c taskkill /F /IM winword.exe
• cmd /c taskkill /F /IM wordpad.exe
• cmd /c taskkill /F /IM notepad.exe
• cmd /c taskkill /F /IM aupis80.exe
• cmd /c taskkill /F /IM avgnt.exe
• cmd /c taskkill /F /IM sql.exe
• cmd /c taskkill /F /IM oracle.exe
• cmd /c taskkill /F /IM ocssd.exe
• cmd /c taskkill /F /IM dbsnmp.exe
• cmd /c taskkill /F /IM synctime.exe
• cmd /c taskkill /F /IM agntsvc.exe
• cmd /c wmic.exe shadowcopy delete
• cmd /c start news.html
• cmd /c {Root Drive}:/CLICK_HERE-{extension}.txt

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
DefenIfWIn = C:\Users\Public\Documents\wonsys.exe"

Other System Modifications

This Ransomware uses Windows Management Instrumentation (WMI) to delete volume shadow copies:

• cmd /c wmic.exe shadowcopy delete

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• notepad.exe
• aupis80.exe
• avgnt.exe
• sql.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe

Download Routine

This Ransomware accesses the following websites to download files:

• https://{BLOCKED}er.org/1Jgt37

Information Theft

This Ransomware steals the following information:

• Fixed Drives' Total Space and Remaining Space
• Username

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• windows
• Windows
• C:/intel
• C:/nvidia
• C:/ProgramData
• Google
• boot
• C:/Program Files
• C:/Program Files (x86)
• System Volume Information
• Mozilla
• Tor Browser
• Notepad
• Explorer
• Temp
• temp
• $
• AndroidSDK

It leaves text files that serve as ransom notes containing the following text:

It avoids encrypting files with the following file extensions:

• .md5
• .sha1
• .bin
• .dll
• .obj
• .adv
• .ani
• .big
• .bat
• .cab
• .cmd
• .com
• .cpl
• .cur
• .deskthemepack
• .diagcab
• .diagcfg
• .diagpkg
• .drv
• .hlp
• .icl
• .icns
• .ics
• “idx
• .ldf
• .mod
• .mpa
• .msc
• .msp
• .msstyles
• .msu
• .nls
• .nomedia
• .ocx
• .prf
• .ps1
• .rom
• .rtp
• .scr
• .shs
• .spl
• .sys
• .theme
• .themepack
• .wpx
• .lock
• .key
• .hta
• .msi
• .pck