Ransom.Win32.HIVE.YXCC4Z

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Windows%\Logs\WindowsBackup\Wbadmin.0.etl
• {Drive Letter}:\{8 random characters}.key
• {Drive Letter}:\HOW_TO_DECRYPT.txt

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following processes:

• %System%\vssadmin.exe delete shadows /all /quiet
• %System%\Wbem\wmic.exe shadowcopy delete
• %System%\wbadmin.exe delete systemstatebackup
• %System%\wbadmin.exe delete catalog -quiet
• %System%\bcdedit.exe /set {default} recoveryenabled No
• %System%\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• %System%\wbadmin.exe delete systemstatebackup -keepVersions:3
• %System%\notepad.exe HOW_TO_DECRYPT.txt

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• WinDefend
• MsMpSvc
• kavsvc
• DrWebCom
• AntiVirService
• ZhuDongFangYu
• VMM
• Vmwp
• sql
• sap
• oracle
• mepocs
• memtas
• veeam
• backup
• sql
• vss
• msexchange
• mysql
• sophos
• Exchange
• PDVFSService
• BackupExec
• GxBlr
• GxVss
• GxClMgrS
• GxVCD
• GxCIMgr
• GXMMM
• GxVssHWProv
• GxFWD
• SAP
• QBCFMonitorService
• AcronisAgent
• Veeam
• MVArmor
• VSNAPVSS
• AcrSch2Svc

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• CagService
• QBIDPService
• QBDBMgrN
• QBCFMonitorService
• SAP
• TeamViewer_Service
• TeamViewer
• tv_w32
• tv_x64
• CVMountd
• cvd
• cvfwd
• CVODS
• saphostexec
• saposcol
• sapstartsrv
• avagent
• avscc
• DellSystemDetect
• EnterpriseClient
• Veeam

Other Details

This Ransomware does the following:

• It encrypts files with file size above 4000 bytes.
• It appends the file extension {8 random characters}-{11 random characters} to files with the following file extensions:
  • sql
  • txt
  • rtf
  • xml
  • pdf
  • xls
  • xlsx
  • doc
  • docx

It accepts the following parameters:

• -u {login}:{password}

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• bootmgr
• autorun.inf
• thumbs.db
• ntuser.dat

It avoids encrypting files found in the following folders:

• Windows
• Program Files
• Program Files (x86)
• Boot
• PerfLogs
• $Recycle.Bin
• System Volume Information
• Trend Micro

It appends the following extension to the file name of the encrypted files:

• {8 random characters}_{11 random characters}
• {8 random characters}-{11 random characters}

It drops the following file(s) as ransom note:

• {Encrypted Folder}\HOW_TO_DECRYPT.txt
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• sys
• msi
• lnk
• ini
• url