Ransom.Win32.PAYNOOSE.THBOEBD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops and executes the following files:

• %Application Data%\svchost.exe → Executed with Escalated Privileges

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• %System%\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
• %System%\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
• %System%\cmd.exe" /C wbadmin delete catalog -quiet
• %System%\NOTEPAD.EXE" %Application Data%\OPEN_THIS.txt
• %Application Data%\svchost.exe

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Autostart Technique

This Ransomware drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• %Start Menu%\Programs\Startup\svchost.url

(Note: %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Propagation

This Ransomware drops the following copy of itself in all physical and removable drives:

• {Drive Letter}:\Sexy_porn.exe → Excluding drive C:\

Other Details

This Ransomware does the following:

• In Drive C, it will only encrypt the following directories:
  • %User Profile%\Desktop
  • %User Profile%\Links
  • %User Profile%\Contacts
  • %User Profile%\Desktop
  • %User Profile%\Documents
  • %User Profile%\Downloads
  • %User Profile%\Pictures
  • %User Profile%\Music
  • %User Profile%\OneDrive
  • %User Profile%\Saved Games
  • %User Profile%\Favorites
  • %User Profile%\Searches
  • %User Profile%\Videos
  • %User Profile%\AppData\Roaming
  • %Public%\Documents
  • %Public%\Pictures
  • %Public%\Music
  • %Public%\Videos
  • %Public%\Desktop
• Attempts to change desktop background using the following file:
  • %User Temp%\{Random 9 characters}.jpg

(Note: %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .txt
• .jar
• .dat
• .contact
• .settings
• .doc
• .docx
• .xls
• .xlsx
• .ppt
• .pptx
• .odt
• .jpg
• .mka
• .mhtml
• .oqy
• .png
• .csv
• .py
• .sql
• .mdb
• .php
• .asp
• .aspx
• .html
• .htm
• .xml
• .psd
• .pdf
• .xla
• .cub
• .dae
• .indd
• .cs
• .mp3
• .mp4
• .dwg
• .zip
• .rar
• .mov
• .rtf
• .bmp
• .mkv
• .avi
• .apk
• .lnk
• .dib
• .dic
• .dif
• .divx
• .iso
• .7zip
• .ace
• .arj
• .bz2
• .cab
• .gzip
• .lzh
• .tar
• .jpeg
• .xz
• .mpeg
• .torrent
• .mpg
• .core
• .pdb
• .ico
• .pas
• .db
• .wmv
• .swf
• .cer
• .bak
• .backup
• .accdb
• .bay
• .p7c
• .exif
• .vss
• .raw
• .m4a
• .wma
• .flv
• .sie
• .sum
• .ibank
• .wallet
• .css
• .js
• .rb
• .crt
• .xlsm
• .xlsb
• .7z
• .cpp
• .java
• .jpe
• .ini
• .blob
• .wps
• .docm
• .wav
• .3gp
• .webm
• .m4v
• .amv
• .m4p
• .svg
• .ods
• .bk
• .vdi
• .vmdk
• .onepkg
• .accde
• .jsp
• .json
• .gif
• .log
• .gz
• .config
• .vb
• .m1v
• .sln
• .pst
• .obj
• .xlam
• .djvu
• .inc
• .cvs
• .dbf
• .tbi
• .wpd
• .dot
• .dotx
• .xltx
• .pptm
• .potx
• .potm
• .pot
• .xlw
• .xps
• .xsd
• .xsf
• .xsl
• .kmz
• .accdr
• .stm
• .accdt
• .ppam
• .pps
• .ppsm
• .1cd
• .3ds
• .3fr
• .3g2
• .accda
• .accdc
• .accdw
• .adp
• .ai
• .ai3
• .ai4
• .ai5
• .ai6
• .ai7
• .ai8
• .arw
• .ascx
• .asm
• .asmx
• .avs
• .bin
• .cfm
• .dbx
• .dcm
• .dcr
• .pict
• .rgbe
• .dwt
• .f4v
• .exr
• .kwm
• .max
• .mda
• .mde
• .mdf
• .mdw
• .mht
• .mpv
• .msg
• .myi
• .nef
• .odc
• .geo
• .swift
• .odm
• .odp
• .oft
• .orf
• .pfx
• .p12
• .pl
• .pls
• .safe
• .tab
• .vbs
• .xlk
• .xlm
• .xlt
• .xltm
• .svgz
• .slk
• .tar.gz
• .dmg
• .ps
• .psb
• .tif
• .rss
• .key
• .vob
• .epsp
• .dc3
• .iff
• .onepkg
• .onetoc2
• .opt
• .p7b
• .pam
• .r3d

It appends the following extension to the file name of the encrypted files:

• .NOOSE

It drops the following file(s) as ransom note:

• {Encrypted Directory}\OPEN_THIS.txt