Ransom.Win64.HIVE.YPCBL

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Drive Letter}\{Random String 1}_.key.{Random String 3}

It adds the following processes:

• net.exe stop "NetMsmqActivator" /y
• net.exe stop "SamSs" /y
• net.exe stop "SDRSVC" /y
• net.exe stop "SstpSvc" /y
• net.exe stop "UI0Detect" /y
• net.exe stop "vmvss" /y
• net.exe stop "VMware Physical Disk Helper Service" /y
• net.exe stop "VMwareCAFCommAmqpListener" /y
• net.exe stop "VMwareCAFManagementAgentHost" /y
• net.exe stop "VSS" /y
• net.exe stop "wbengine" /y
• net.exe stop "WebClient" /y
• sc.exe config "NetMsmqActivator" start= disabled
• sc.exe config "SamSs" start= disabled
• sc.exe config "SDRSVC" start= disabled
• sc.exe config "SstpSvc" start= disabled
• sc.exe config "UI0Detect" start= disabled
• sc.exe config "vmvss" start= disabled
• sc.exe config "VMware Physical Disk Helper Service" start= disabled
• sc.exe config "VMwareCAFCommAmqpListener" start= disabled
• sc.exe config "VMwareCAFManagementAgentHost" start= disabled
• sc.exe config "VSS" start= disabled
• sc.exe config "wbengine" start= disabled
• sc.exe config "WebClient" start= disabled
• reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
• reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
• schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
• schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
• reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
• reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
• reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
• reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
• reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
• reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
• reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
• vssadmin.exe delete shadows /all /quiet
• wevtutil.exe cl system
• wevtutil.exe cl security
• wevtutil.exe cl application
• wmic.exe SHADOWCOPY /nointeractive
• wmic.exe shadowcopy delete
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• bcdedit.exe /set {default} recoveryenabled no
• cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
• cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
• cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
• notepad.exe {Drive Letter}\{Random}_HOW_TO_DECRYPT.txt
• cmd.exe /D /C ping.exe -n 5 127.0.0.1 && del "{Malware path and name}"

Process Termination

This Ransomware terminates the following services if found on the affected system:

• acronis
• AcrSch2Svc
• Antivirus
• ARSM
• AVP
• backup
• bedbg
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• Culserver
• dbeng8
• dbsrv12
• DCAgent
• DefWatch
• EhttpSrv
• ekrn
• Enterprise Client Service
• EPSecurityService
• EPUpdateService
• EraserSvc11710
• EsgShKernel
• ESHASRV
• FA_Scheduler
• firebird
• IISAdmin
• IMAP4Svc
• Intuit
• KAVFS
• KAVFSGT
• kavfsslp
• klnagent
• macmnsvc
• masvc
• MBAMService
• MBEndpointAgent
• McAfee
• McShield
• McTaskManager
• memtas
• mepocs
• mfefire
• mfemms
• mfevtp
• MMS
• MsDtsServer
• MsDtsServer100
• MsDtsServer110
• msexchange
• msmdsrv
• MSOLAP
• MVArmor
• MVarmor64
• NetMsmqActivator
• ntrtscan
• oracle
• PDVFSService
• POP3Svc
• postgres
• QBCFMonitorService
• QBFCService
• QBIDPService
• redis
• report
• RESvc
• RTVscan
• sacsvr
• SamSs
• SAVAdminService
• SavRoam
• SAVService
• SDRSVC
• SepMasterService
• ShMonitor
• Smcinst
• SmcService
• SMTPSvc
• SNAC
• SntpService
• sophos
• sql
• SstpSvc
• stc_raw_agent
• ^svc
• swi_
• Symantec
• TmCCSF
• tmlisten
• tomcat
• TrueKey
• UI0Detect
• veeam
• vmware
• vss
• W3Svc
• wbengine
• WebClient
• wrapper
• WRSVC
• WSBExchange
• YooIT
• zhudongfangyu
• Zoolz

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• sql
• CNTAoSMgr
• dbeng50
• dbsnmp
• encsvc
• excel
• firefoxconfig
• infopath
• mbamtray
• msaccess
• mspub
• mydesktop
• Ntrtscan
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• PccNTMon
• powerpnt
• sqbcoreservice
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• tmlisten
• visio
• word
• xfssvccon
• zoolz

Other Details

This Ransomware does the following:

• Accepts the following arguments:
  
  • -skip=[FILE_REGEX] - Regular expression for files excluded from encryption.
  • -stop=[SVC_REGEX] - Regular expression for stopping system services.
  • -kill=[PROC_REGEX] - Regular expression for the names of system services to be stopped.
  • -grant - Change permissions for all files: icacls.exe "[XX]:\*" /grant Everyone:F /T /C /Q
  • -no-wipe - Do not wipe empty disk space with random data.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• bootfont.bin
• boot.ini
• bootsect.bak
• desktop.ini
• iconcache.db
• ntldr
• ntuser.dat
• ntuser.dat.log
• ntuser.ini
• thumbs.db

It avoids encrypting files found in the following folders:

• C:\Windows
• $recycle.bin
• $windows.~bt
• $windows.~ws
• All users
• appdata
• application data
• boot
• google
• intel
• Microsoft
• mozilla
• Mozilla
• Msbuild
• msocache
• perflogs
• system volume information
• tor browser
• windows
• Windows nt
• windows.old
• $\Windows\
• \ADMIN\$
• \IPC\$

It appends the following extension to the file name of the encrypted files:

• .{Random String 1}__{Random String 2}.k7bzc

It drops the following file(s) as ransom note:

• {Encrypted Directory}\28EF_HOW_TO_DECRYPT.txt
  

It avoids encrypting files with the following file extensions:

• 386
• adv
• ani
• bat
• bin
• cab
• cmd
• com
• cpl
• cur
• deskthemepack
• diagcab
• diagcfg
• diagpkg
• dll
• drv
• exe
• hlp
• hrmlog
• hta
• icl
• icns
• ico
• ics
• idx
• ini
• key
• lnk
• lock
• log
• mod
• mpa
• mp3
• msc
• msi
• msp
• msstyles
• msu
• nls
• nomedia
• ocx
• prf
• ps1
• rom
• rtp
• scr
• shs
• spl
• sys
• theme
• themepack
• url
• wpx