Ransom.Win32.GRIEF.YPBLU

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following folders:

• %Application Data%\{Random characters}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %Application Data%\{Random characters}\{Random characters}.dll

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• vssadmin.exe Delete Shadows /All /Quiet
• bcdedit.exe /set {default} safeboot minimal
• bcdedit.exe /set {default} recoveryenabled No
• %System%\icacls.exe ":\*" /grant:r Everyone:F /t /c /q -> grant access to the drives it encrypts
• %System%\takeown.exe /F {Original service's executable path}

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random characters} = %System%\rundll32.exe %Application Data%\{Random characters}\{Random characters}.dll MzIqsx38gCwocWdP

Process Termination

This Ransomware terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• sqlagent
• sophos

Other Details

This Ransomware does the following:

• It expects itself to be executed as a service
• It installs itself as a service through modifying a service's ImagePath to point to itself and execute it along with its correct argument
• In these particular samples, there is currently no way to terminate processes. The embedded Process Hacker is not included in the ransomware samples, and it does not enumerate running processes
• It removes connections to network shared resources
• It requires the specific argument in order for it to proceed to its malicious routine:
  • MzIqsx38gCwocWdP
• It copies the executable loading it to the original executable's filepath found in the service's ImagePath

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• svsho*.exe
• schre*.bat
• V01.lo*
• V01.ch*
• V01res*.jrs
• RacWmi*.sdf
• Web*V01.dat
• default.rdp
• NTUSER.DA*
• *.lnk
• *.ico
• *.ini
• *.msi
• *.chm
• *.sys
• *.hlf
• *.lng
• *.inf
• *.ttf
• *.cmd
• *.LNK
• *.ICO
• *.INI
• *.MSI
• *.CHM
• *.SYS
• *.HLF
• *.LNG
• *.INF
• *.TTF
• *.CMD

It avoids encrypting files found in the following folders:

• $RECYCLE.BIN
• $Recycle.Bin
• Caches
• WebCache
• VirtualStore

It appends the following extension to the file name of the encrypted files:

• .pay0rgrief

It drops the following file(s) as ransom note:

• {encrypted file name}.iwant2survive.html - drops it for every file it encrypts