Ransom.Win64.PAYLOADBIN.YXBFGT

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %Application Data%\{Generated Name 1}\{Generated Name 2}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• If ran without arguments and with administrator rights:
  • %Application Data%\{Generated Name 1}\{Generated Name 2} /go
• If ran without arguments and without administrator rights:
  • %System%\osk.exe
  • %Application Data%\{Generated Name 1}\{Generated Name 2} /uac
  • %System%\msconfig.exe -5
  • wmic process call create %Application Data%\{Generated Name 1}\{Generated Name 2}
• cmd /c waitfor /t 10 pause /d y & del "%Application Data%\{Generated Name 1}\{Generated Name 2}" & rd "%Application Data%\{Generated Name 1}\"
• cmd /c waitfor /t 10 pause /d y & del "{Malware File Path}\{Malware Filename}" & rd "{Malware File Path}"
• vssadmin.exe Delete Shadows /All /Quiet

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It creates the following folders:

• %Application Data%\{Generated Name 1}\

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other Details

This Ransomware does the following:

• This Ransomware encrypts the following drives:
  • Removable Drives
  • Fixed Drives
  • Remote (Network) Drives
• {Generated Name 1} and {Generated Name 2} are chosen from the substrings found in the list of subkeys of the registry key SOFTWARE\Microsoft\

It accepts the following parameters:

• /go → Start Encryption Routines
• /uac → Perform UAC Bypass
• /user
• /prio
• /path {Directory Path to Encrypt}

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• \BOOTMGR
• \GRLDR
• \NTLDR

It avoids encrypting files with the following strings in their file path:

• \bin\
• \Boot\
• \boot\
• \dev\
• \etc\
• \lib\
• \initdr\
• \sbin\
• \sys\
• \vmlinuz\
• \run\
• \var\
• \System Volume Information\
• \$RECYCLE.BIN\
• \WebCache\
• \Caches\
• \WindowsApps\
• \AppData\
• \ProgramData\
• \Users\All Users\

It avoids encrypting files found in the following folders:

• %Windows%
• %Application Data%
• %User Temp%
• %All Users Profile%
• %System Root%\Recovery\
• %Program Files%

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %All Users Profile% is the common user's profile folder, which is usually C:\Documents and Settings\All Users on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit). . %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000(32-bit), Server 2003(32-bit), XP, Vista(64-bit), 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit) , or C:\Program Files (x86) in Windows XP(64-bit), Vista(64-bit), 7(64-bit), 8(64-bit), 8.1(64-bit), 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It renames encrypted files using the following names:

• {Original Filename}.{Original Extension}.PAYLOADBIN

It drops the following file(s) as ransom note:

• {Encrypted Directory}\PAYLOADBIN-README.txt
  

It avoids encrypting files with the following file extensions:

• .386
• .adv
• .bat
• .bin
• .cab
• .cmd
• .com
• .cpl
• .dat
• .dll
• .drv
• .exe
• .hlp
• .hta
• .icl
• .idx
• .ini
• .key
• .lnk
• .mod
• .msc
• .msi
• .msp
• .msu
• .nls
• .ocx
• .PAYLOADBIN
• .ps1
• .rom
• .rtp
• .scr
• .sdi
• .shs
• .sys
• .wim
• .wpx