Ransom.Win32.AVOSLOCKER.SMYXBLNT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %User Temp%\{Random Digits}.png - Wallpaper

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd /c wmic shadowcopy delete /nointeractive
• cmd /c vssadmin.exe Delete Shadows /All /Quiet
• cmd /c bcdedit /set {default} recoveryenabled No
• cmd /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
• cmd /c powershell -command "Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }"
• powershell -Command "$a = [System.IO.File]::ReadAllText(\"D:\GET_YOUR_FILES_BACK.txt\");Add-Type -AssemblyName System.Drawing;$filename = \"$env:temp\$(Get-Random).png\";$bmp = new-object System.Drawing.Bitmap 1920,1080;$font = new-object System.Drawing.Font Consolas,10;$brushBg = [System.Drawing.Brushes]::Black;$brushFg = [System.Drawing.Brushes]::White;$format = [System.Drawing.StringFormat]::GenericDefault;$format.Alignment = [System.Drawing.StringAlignment]::Center;$format.LineAlignment = [System.Drawing.StringAlignment]::Center;$graphics = [System.Drawing.Graphics]::FromImage($bmp);$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height);$graphics.DrawString($a,$font,$brushFg,[System.Drawing.RectangleF]::FromLTRB(0, 0, 1920, 1080),$format);$graphics.Dispose();$bmp.Save($filename);reg add \"HKEY_CURRENT_USER\Control Panel\Desktop\" /v Wallpaper /t REG_SZ /d $filename /f;Start-Sleep 1;rundll32.exe user32.dll, UpdatePerUserSystemParameters, 0, $false;"
• %System%\reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\DYITUS~1\AppData\Local\Temp\1544981028.png /f
• %System%\rundll32.exe user32.dll UpdatePerUserSystemParameters 0 False

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Zheic0WaWie6zeiy -> Only if "--nomutex" is not used

Other System Modifications

This Ransomware changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
Wallpaper = %User Temp%\{Random Digits}.png

It sets the system's desktop wallpaper to the following image:

• %User Temp%\{Random Digits}.png
  

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• encsvc
• thebat
• mydesktopqos
• xfssvccon
• firefox
• infopath
• winword
• steam
• synctime
• notepad
• ocomm
• onenote
• mspub
• thunderbird
• agntsvc
• sql
• excel
• powerpnt
• outlook
• wordpad
• dbeng50
• isqlplussvc
• sqbcoreservice
• oracle
• ocautoupds
• dbsnmp
• msaccess
• tbirdconfig
• ocssd
• mydesktopservice
• visio

Other Details

This Ransomware does the following:

• This Ransomware displays its encryption progress in console.
  
• It encrypts files found in the following drives:
  • Fixed Drives
  • Removable Drives
  • Network Share Drives
• It checks if the file it tries to encrypt is being ran by another process
  • If the file is currently being used by another process, the ransomware kills the process and proceeds with encryption

It accepts the following parameters:

• -p, --path [Path to Encrypt] →
• -b, --brutesmb → Bruteforce SMB for logical drives
• --nomutex → Disable mutex / ignore other instances
• -l, --disabledrives → Disable logical drives enumeration
• -n, --enablesmb → Enable SMB enumeration
• -t, --threads [No of Threads] → Max threads for encryption (default:200)
• -h, --help → Print usage

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• config.msi
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• Thumbs.db

It avoids encrypting files with the following strings in their file path:

• All Users
• AppData
• boot
• bootmgr
• Games
• Intel
• Microsoft. [Directory name starts with Microsoft.]
• Program Files
• ProgramData
• Public
• Sophos
• System Volume Information
• Windows
• Windows.old
• WinNT

It appends the following extension to the file name of the encrypted files:

• .avos2

It drops the following file(s) as ransom note:

• %Desktop%\GET_YOUR_FILES_BACK.txt
• {Encrypted Directory}\GET_YOUR_FILES_BACK.txt
  

It avoids encrypting files with the following file extensions:

• avos
• avoslinux
• avos2
• avos2j
• themepack
• nls
• diagpkg
• msi
• lnk
• exe
• cab
• scr
• bat
• drv
• rtp
• msp
• prf
• msc
• ico
• key
• ocx
• diagcab
• diagcfg
• pdb
• wpx
• hlp
• icns
• rom
• dll
• msstyles
• mod
• ps1
• ics
• hta
• bin
• cmd
• ani
• 386
• lock
• cur
• idx
• sys
• com
• deskthemepack
• shs
• ldf
• theme
• mpa
• nomedia
• spl
• cpl
• adv
• icl
• msu