Ransom.Win32.LOCKBIT.YXEB1Z

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %ProgramData%\BfUuixIUp.ico → icon used for all encrypted files.
• %ProgramData%\BfUuixIUp.bmp → image to set as system wallpaper after encryption.

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following processes:

• bcdedit /set {current} safeboot network → if -safe commandline parameter is used.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{Generated Hash}

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
{Random Characters} = {Malware Path}\{Malware File Name} → if -safe commandline parameter is used

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.BfUuixIUp
(Default) = BfUuixIUp

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BfUuixIUp\DefaultIcon
(Default) = %ProgramData%\BfUuixIUp.ico

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BfUuixIUp
hscreen = {screen height} → if -safe commandline parameter is used

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BfUuixIUp
wScreen = {screen width} → if -safe commandline parameter is used

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
AutoAdminLogon = 1 → if -safe commandline parameter is used

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
DefaultUserName = Administrator → if -safe commandline parameter is used

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
DefaultDomainName = {Computer Domain Name} → if -safe commandline parameter is used

It changes the desktop wallpaper by modifying the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
WallPaper = %ProgramData%\BfUuixIUp.bmp

HKEY_CURRENT_USER\Control Panel\Desktop
WallpaperStyle = 10

It sets the system's desktop wallpaper to the following image:

• %ProgramData%\BfUuixIUp.bmp
  

Process Termination

This Ransomware terminates the following services if found on the affected system:

• vss
• sql
• svc$
• memtas
• mepocs
• msexchange
• sophos
• veeam
• backup
• GxVss
• GxBlr
• GxFWD
• GxCVD
• GxCIMgr

It terminates the following processes if found running in the affected system's memory:

• sql
• oracle
• ocssd
• dbsnmp
• synctime
• agntsvc
• synctime
• isqlplussvc
• xfssvccon
• mydesktopservice
• ocautonupds
• encsvc
• firefox
• tbirdconfig
• mydesktopqos
• ocomm
• dbeng50
• sqbcoreservice
• excel
• infopath
• msaccess
• mspub
• onenote
• outlook
• powerpnt
• steam
• thebat
• thunderbird
• visio winword
• wordpad
• notepad

Information Theft

This Ransomware gathers the following data:

• Hostname
• Username
• OS version
• Domain
• Architecture
• Language

Other Details

This Ransomware adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.BfUuixIUp

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BfUuixIU

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
BfUuixIUp\DefaultIcon

It does the following:

• If not executed with admin rights, it will attempt to relaunch itself as admin by elevating its privileges via bypassing UAC
• It encrypts fixed, removable and network shares
• It deletes files in recycle bin folder for removable and fixed drives
• It uses WQL to delete shadow copies
• It renames itself 26 times before deleting itself after encryption
• It has the capability to print the ransom note in infected machines
• It terminates if the machine has the following system language:
  • Arabic (Syria)
  • Armenian (Armenia)
  • Azerbaijani (Cyrillic Azerbaijan)
  • Azerbaijani (Latin Azerbaijan)
  • Belarusian (Belarus)
  • Georgian (Georgia)
  • Kazakh (Kazakhstan)
  • Kyrgyz (Kyrgyzstan)
  • Russian (Moldova)
  • Russian (Russia)
  • Tajik (Cyrillic Tajikistan)
  • Tatar (Russia) Romanian (Moldova)
  • Turkmen (Turkmenistan)
  • Ukranian (Ukraine)
  • Uzbek (Cyrillic Uzbekistan)
  • Uzbek (Latin Uzbekistan)
• It deletes the following services:
  • WdBoot
  • WdFilter
  • WdNisDrv
  • WdNisSvc
  • WinDefend
  • wscsvc
  • sppsvc
  • Sense
  • SecurityHealthService
• It changes the encrypted file icon to the following image:
  
• It duplicates the token of the following:
  • explorer.exe - to gain privileged domain access
  • lsass.exe
  • TrustedInstaller - service is started if not yet running
• It contains a list of username:password that it will use to log into domain controllers.

It accepts the following parameters:

• -safe →Reboots in safeboot, then encrypts the user's machine
• -wall → Changes system Wallpaper and Print ransom note on printers then deletes itself after renaming for 26 times.
• -path {target} → Specifically encrypt the target, can be file or folder
• -gspd → Perform Group Policy Modification for Lateral Movement
• -psex → Lateral Movement via Admin Shares
• -gdel → Delete group policy updates
• -del → Deletes itself after renaming for 26 times.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• d3d9caps.dat
• desktop.ini
• GDIPFONTCACHEV1.DAT
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• $recycle.bin
• $windows.~bt
• $windows.~ws
• all users
• boot
• config.msi
• default
• intel
• microsoft
• msocache
• perflogs
• program files
• program files (x86)
• programdata
• public
• system volume information
• tor browser
• windows
• windows.old
• x64dbg

It appends the following extension to the file name of the encrypted files:

• .BfUuixIUp

It drops the following file(s) as ransom note:

• {Encrypted Directory}\BfUuixlUp.README.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hta
• icl
• icns
• ico
• ics
• idx
• key
• ldf
• lnk
• lock
• mod
• mpa
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• pdb
• prf
• ps1
• rom
• rtp
• scr
• search-ms
• shs
• spl
• sys
• theme
• themepack
• wpx