Ransom.Win64.ENAMON.THACABD

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware File Path}\note.txt → deleted afterwards
• {Malware File Path}\ext.txt → deleted afterwards
• {Malware File Path}\SelfDelete.bat → used to delete itself
• {Encrypted File Path}\DECRYPTION_IDS.TXT→ contains decryption IDs

It adds the following processes:

• "%System%\cmd.exe\" /C "{Malware File Path}\SelfDelete.bat"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• 105.5.5195.102_104.0.5112.81_chrome_updater.exe
• applicationframehost.exe
• audiodg.exe
• dashost.exe
• dllhost.exe
• fiddler.exe
• googlecrashhandler.exe
• googlecrashhandler64.exe
• googleupdate.exe
• microsoftedgeupdate.exe
• mpcmdrun.exe
• msascui.exe
• mscorsvw.exe
• nissrv.exe
• onedrive.exe
• plugin_host.exe
• processhacker.exe
• procmon.exe
• procmon64.exe
• ptsessionagent.exe
• ptwatchdog.exe
• searchindexer.exe
• setup.exe
• sublime_text.exe
• sysmon64.exe
• tabtip.exe
• tabtip32.exe
• taskeng.exe
• tcplogview.exe
• uiwatchdog.exe
• vdisk.exe
• vmacthelp.exe
• vm3dservice.exe
• vserver.exe

Other Details

This Ransomware does the following:

• Empties the Recycle Bin
• It displays the following GUI:
  • Actions → allows user to:
    • Terminate predefined processes.
    • Empty the Recycle Bin.
    • Select and search drives and folders for files to be encrypted.
    • Stop searching drives and folders for files to be encrypted.
    • Select encryption mode: FASTEST, FAST, SLOW, FULL.
    • Select if found files based on specifications set in the Criteria tab will be displayed.
    • Select whether to allow multithreaded encryption or not.
    • List found files based on specifications set in the Criteria tab.
    • Clear the list of found files based on specifications set in the Criteria tab.
    • Encrypt or erase found files based on specifications set in the Criteria tab.
    • Select if ransom note is to be dropped.
    • Delete the malware file after encryption or when the GUI is closed.
    • Hide the GUI.
    • Generate/Set WorkID for the ransom note.
    • Set a virtual key.
      
      
  • Criteria → allows user to:
    • Specify file extensions that will be encrypted.
    • Specify file extensions, file paths, and file names that will not be encrypted.
  
  
  
  • Note → allows user to:
    • Modify the contents of the ransom note to be dropped.
    • Save the contents of the ransom note as {Malware File path}\note.txt.
  
  
  
  • Log → allows user to:
    • View logs of the malware.
    
    
    

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .0001
• .001
• .002
• .003
• .004
• .005
• .006
• .007
• .008
• .3dm
• .3dmbak
• .3ds
• .7z
• ._ms
• .a01
• .a02
• .a03
• .a06
• .accdb
• .adm
• .afi
• .ai
• .alt
• .arc
• .archive
• .ard
• .asm
• .avhdx
• .avi
• .b1
• .bac
• .backup
• .bak
• .bck
• .bco
• .bdmp
• .bi4
• .bik
• .bkf
• .bkp
• .bkup
• .blend
• .box
• .bpf
• .btr
• .bup
• .cbd
• .cbu
• .cdr
• .cdx
• .cfgbak
• .cgd
• .couch
• .csv
• .ctf
• .d0
• .d1
• .d2
• .d3
• .d4
• .da1
• .da2
• .da3
• .da4
• .danger
• .dat
• .db
• .db1
• .db2
• .dbc
• .dbdmp
• .dbf
• .dbs
• .dbw
• .df
• .dft
• .dmp
• .doc
• .docx
• .dwg
• .dxf
• .dxt5_2d
• .ebk
• .edb
• .edp
• .elg
• .eml
• .encvrt
• .fbf
• .fbk
• .fbw
• .fdb
• .fmp12
• .fp5
• .fp7
• .frm
• .ful
• .fxl
• .gan
• .gbk
• .gdb
• .gho
• .ghs
• .hbp
• .hlp
• .hrl
• .ib
• .ibd
• .idx
• .imd
• .ibdata
• .indd
• .itdb
• .iv2i
• .jet
• .jpg
• .lbl
• .ldb
• .ldf
• .llp
• .log
• .log1
• .lst
• .max
• .mdb
• .mdbx
• .mdf
• .mmo
• .mov
• .mp4
• .mrimg
• .msg
• .mtx
• .myd
• .myi
• .nb7
• .nbf
• .ndf
• .ndk
• .ndx
• .nsf
• .nsg
• .ntf
• .nx1
• .nyf
• .obk
• .oeb
• .ol2
• .old
• .one
• .ora
• .ost
• .ostx
• .ova
• .pak
• .par
• .pbd
• .pdf
• .ppt
• .pptx
• .pqb
• .psd
• .psm
• .pst
• .pstx
• .ptb
• .qba
• .qbb
• .qbm
• .qbw
• .qic
• .qrp
• .qsm
• .qvx
• .rar
• .rbf
• .rct
• .rdb
• .redo
• .rfs
• .rpd
• .rpo
• .rpt
• .rtf
• .sai
• .saj
• .seq
• .sev
• .sic
• .sko
• .skp
• .SLDASM
• .SLDDRW
• .SLDLFP
• .SLDPRT
• .sldrpt
• .slp
• .sna
• .spf
• .spl
• .sql
• .sqlaudit
• .sqlite
• .sqlite3
• .srd
• .stm
• .stp
• .tar
• .tar
• .gz
• .tga
• .tib
• .tibx
• .tif
• .tiff
• .tmp
• .trc
• .trn
• .tuf
• .upd
• .usr
• .vbk
• .vbm
• .vct
• .vcx
• .vhd
• .vhdx
• .vib
• .vix
• .vmdk
• .vmsd
• .vmsn
• .vmx
• .vmxf
• .vob
• .vrb
• .vswp
• .wt
• .xls
• .xlsm
• .xlsx
• .zip

It avoids encrypting files with the following strings in their file name:

• icudtl.dat
• mpenginedb.db
• NTUSER.dat
• NTUSER.dat.log1
• settings.dat
• thumbs.db
• unins0
• usrclass.dat
• usrclass.dat.log1
• webcachev01.dat
• windows.edb

It avoids encrypting files with the following strings in their file path:

• \Common Files\
• \Windows\
• c:\windows
• Common files

It appends the following extension to the file name of the encrypted files:

• {Encrypted File Name Encoded in Base64}.Encrypted

It drops the following file(s) as ransom note:

• {Encrypted File Path}\HOW TO RECOVERY FILES.TXT
  

It avoids encrypting files with the following file extensions:

• .bat
• .cab
• .cmd
• .com
• .dll
• .drv
• .encrypted
• .encrypting
• .encrypting.map
• .exe
• .inf
• .ini
• .msi
• .nt
• .ntfs
• .ocx
• .reg
• .sys