Ransom.Win64.DAGONLCKR.YXDGFT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware File Path}\{Malware Name}.exe.log
• {Encrypted directory}\README_TO_DECRYPT.html
• %User Temp%\{8 Random Characters}.bat → deleted after encryption

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• cmd /c ""%User Temp%\{8 Random Characters}.bat" "{Malware File Path}\{Malware File Name}""

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Process Termination

This Ransomware terminates the following services if found on the affected system:

• database
• SQL
• msexchange

It terminates the following processes if found running in the affected system's memory:

• msftesql.exe
• sqlbrowser.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• sqlservr.exe
• encsvc.exe
• ocautoupds.exe
• mydesktopservice.exe
• firefoxconfig.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• mysqld.exe
• sqlagent.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• sqlservr.exe
• thebat.exe
• steam.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• QBW32.exe
• QBW64.exe
• ipython.exe
• wpython.exe
• python.exe
• dumpcap.exe
• procmon.exe
• procmon64.exe
• procexp.exe
• procexp64.exe

Other Details

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software\Classes\
.dagoned

It does the following:

• Encrypt local and network drive
• It deletes itself after encryption
• Displays the ransom note when opening encrypted files

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootsect.bak
• bootmgr
• bootmgr.efi
• bootmgfw.efi
• iconcache.db
• desktop.ini
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db
• .dagoned
• bootmgr
• README_TO_DECRYPT.html

It avoids encrypting files found in the following folders:

• windows
• system volume Information
• $RECYCLE.BIN
• SYSTEM.SAV
• WINNT
• windows.old
• PerfLog
• PerfLogs
• Program Files
• Program Files(x86)
• Boot
• ProgramData\Microsoft
• ProgramData\Packages
• EFI
• WindowsApps
• Microsoft\Windows
• Local\Packages
• Windows Defender
• afterSentDocuments
• microsoft shared
• Google\Chrome
• Mozilla Firefox
• Mozilla\Firefox
• Internet Explorer
• MicrosoftEdge
• Tor Browser
• AppData\Local\Temp
• AppData
• All Users
• Google
• Mozilla

It appends the following extension to the file name of the encrypted files:

• .dagoned

It drops the following file(s) as ransom note:

• {Encrypted directory}\README_TO_DECRYPT.html
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• sys
• msi
• mui
• inf
• cat
• bat
• cmd
• ps1
• vbs
• ttf
• fon
• lnk
• .386