Ransom.Win32.OUTSIDER.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes itself after execution.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Application Data%\_uninstalling_.png -> contains rsa1 key generated for encryption

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%System%\vssadmin.exe delete shadows /all /quiet"
• "%System%\cmd.exe /c bcedit /set {current} bootstatuspolicy ignoreallfailures"
• "%System%\cmd.exe /c bcedit /set {current} recoveryenabled no"
• "%System%\cmd.exe netsh advfirewall set allprofiles state off"
• "%System%\cmd.exe" /c timeout 1 && del "{malware filename}"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• mydesktopqos.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exe
• agntsvc.exe
• agntsvc.exe
• encsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• sqlbrowser.exe
• sqlservr.exe
• TNSLSNR.EXE
• mysqld.exe
• MsDtsSrvr.exe
• sqlceip.exe
• msmdsrv.exe
• mpdwsvc.exe
• fdlauncher.exe
• Launchpad.exe
• chrome.exe
• oracle.exe
• devenv.exe
• PerfWatson2.exe
• ServiceHub.Host.Node.x86.exe
• Node.exe
• Microsoft.VisualStudio.Web.Host.exe
• Lightshot.exe
• netbeans64.exe
• spnsrvnt.exe
• sntlsrtsrvr.exe
• w3wp.exe
• TeamViewer_Service.exe
• TeamViewer.exe
• SecomSDK.exe
• schedul2.exe
• schedhlp.exe
• adm_tray.exe
• EXCEL.EXE
• MSACCESS.EXE
• OUTLOOK.EXE
• POWERPNT.EXE
• AnyDesk.exe
• Microsoft.SqlServer.IntegrationServices.MasterServiceHost.exe
• Microsoft.SqlServer.IntegrationServices.WorkerAgentServiceHost.exe

Other Details

This Ransomware does the following:

• Recursively encrypts network resources
• Avoids encrypting machines with the following language locales:
  • Kazakh
  • Belarusian
  • Tajik
  • Azeri - Latin
  • Kyrgyz - Cyrillic
  • Tatar
  • Azeri - Cyrillic
  • Armenian

It deletes itself after execution.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• #Decryption#.txt
• _uninstalling_.png

It avoids encrypting files with the following strings in their file path:

• Windows

It appends the following extension to the file name of the encrypted files:

• horsedeal

It drops the following file(s) as ransom note:

• {Infected folder}\#Decryption#.txt
  
• %User Temp%\{random temp name}.jpg