Ransom.Win32.MONEYMESS.THCCOBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Drive Letter:}:\money_message.log

It adds the following processes:

• "%System%\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It leaves text files that serve as ransom notes containing the following:

• {Drive Letter:}:\money_message.log
  

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• 12345-12345-12235-12354

Process Termination

This Ransomware terminates the following services if found on the affected system:

• vss
• sql
• svc$
• memtas
• mepocs
• sophos
• veeam
• backup
• vmms

It terminates the following processes if found running in the affected system's memory:

• sql.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• firefox.exe
• tbirdconfig.exe
• mdesktopqos.exe
• ocomm.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• vmwp.exe

Other Details

This Ransomware does the following:

• The following may change depending on the malware configuration:
  • info_text_message → serves as ransom note
  • mutex_name
  • extension
  • skip_directories
  • network_public_key
  • network_private_key
  • processes_to_kill
  • logging → network logging in capability
  • domain_login
  • domain_password
  • crypt_only_these_directories
• It encrypts files found in the following drive types:
  • Fixed drive
  • Removable drive
  • Network drive
• It displays its execution log and encryption progress in console.
  
• It does not append extension on encrypted files.
• It has the capability to propagate on network shares by logging in pre-defined credentials included on the malware configuration.

It does not proceed to its malicious routine if it detects that it is being debugged.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• desktop.ini
• ntuser.dat
• thumbs.db
• iconcache.db
• ntuser.ini
• ntldr
• bootfont.bin
• ntuser.dat.log
• bootsect.bak
• boot.ini
• autorun.inf

It avoids encrypting files found in the following folders:

• msocache
• $windows.~ws
• system volume information
• perflogs
• programdata
• program files (x86)
• program files
• $windows.~bt
• windows
• windows.old
• boot