Ransom.Win64.CICADA.YXEHE

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Public%\psexec0.exe
• %Public%\{Malware File Name} → Copy of itself
• %Public%\{10 Random Characters}.bat → Deleted Afterward

(Note: %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It adds the following processes:

• cmd /C %Public%\{10 Random Characters}.bat
• cmd /C fsutil behavior set SymlinkEvaluation R2L:1
• cmd /C fsutil behavior set SymlinkEvaluation R2R:1
• cmd /C iisreset.exe /stop
• cmd /C vssadmin.exe Delete Shadows /all /quiet
• cmd /C wmic.exe Shadowcopy Delete
• cmd /C bcdedit /set {default}
• cmd /C bcdedit /set {default} recoveryenabled No
• cmd /C “for /F 'tokens=*' %1 in ('wevtutil.exe el') DO wevtutil.exe cl %1”
• cmd /C reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
• cmd /C sc stop {service}
• cmd /C taskkill /IM {process}* /F

(Note: %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• via net stop /y:
  • WSearch
  • MSExchangeIS
  • MSExchangeSA
  • MSExchangeADTopology
  • wuauserv
  • eventlog
  • MSSQLSERVER
  • SQLSERVERAGENT
  • SQLBrowser
  • MSSQLServerOLAPService
  • ReportServer
  • MsDtsServer
  • SQLWriter

It terminates the following processes if found running in the affected system's memory:

• via taskkill /F /IM:
  • agntsvc
  • dbeng50
  • dbsnmp
  • encsvc
  • excel
  • firefox
  • infopath
  • isqlplussvc
  • msaccess
  • mspub
  • mydesktopq
  • mydesktopservic
  • notepad
  • ocautoupds
  • ocomm
  • ocssd
  • onenote
  • oracle
  • outlook
  • powerpnt
  • sqbcoreservic
  • steam
  • synctime
  • tbirdconfig
  • thebat
  • thunderbird
  • visio
  • winword
  • wordpad
  • xfssvccon
  • *sql*
  • bedbh
  • vxmon
  • benetns
  • bengien
  • pvlsvr
  • beserver
  • raw_agent_svc
  • vsnapvss
  • CagService
  • QBCFMonitorSe
  • TeamViewer_Service
  • TeamViewertv_w32
  • tv_x64
  • CVMountd
  • cvd
  • cvfwd
  • CVODS
  • saphostexe
  • saposcol
  • sapstartsrv
  • avagent
  • avscc
  • DellSystem
  • EnterpriseClient
  • VeeamNFSSVc
  • VeeamTransportSvc
  • VeeamDeploymentSvc

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

• \$Windows.~WS
• \$windows.~ws
• \$WINDOWS.~WS
• \$windows.~bt
• \$Windows.~BT
• \$WINDOWS.~BT
• \Windows.old
• \NTUSER.DAT
• \ntuser.dat
• \autorun.inf
• \boot.ini
• \desktop.ini
• \system volume information
• \Boot
• \DumpStack.log.tmp
• \PerfLogs
• \Users\
• \Microsoft_Corporation\
• \AppData\Local\Microsoft\GameDVR
• \AppData\Local\Packages\Microsoft
• \AppData\

It appends the following extension to the file name of the encrypted files:

• {Original file name}.{Original extension}.tu5s6r

It drops the following file(s) as ransom note:

• {Encrypted Directory}\RECOVER-jtu5s6r-DATA.txt
  

It avoids encrypting files with the following file extensions:

• .exe
• .EXE
• .DLL
• .ini
• .inf
• .pol
• .cmd
• .ps1
• .vbs
• .bat
• .pagefile.sys
• .hiberfil.sys
• .drv
• .msc
• .dll
• .lock
• .sys
• .msu
• .lnk
• .search-ms
• .config