Ransom.Win64.QUANTUMLOCKER.B

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Malware Path}\.log → Contains logs and System information
• %User Temp%\{Random numbers}.bat → Used to delete itself

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

• "%User Temp%\{random characters}.bat"

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USERS\Software\Classes\
.quantum\shell\Open\
command
(Default) = explorer.exe {Ransom note} →displays the ransom note when an encrypted file is opened.

Process Termination

This Ransomware terminates the following services if found on the affected system:

• SQL
• database
• msexchange

It terminates the following processes if found running in the affected system's memory:

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• sqlservr.exe
• encsvc.exe
• ocautoupds.exe
• mydesktopservice.exe
• firefoxconfig.exe
• tbirdconfig.exe
• mydesktopqos.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• sqlservr.exe
• thebat.exe
• steam.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe
• QBW32.exe
• QBW64.exe
• ipython.exe
• wpython.exe
• python.exe
• dumpcap.exe
• procmon.exe
• procmon64.exe
• procexp.exe
• procexp64.exe

Information Theft

This Ransomware gathers the following data:

• Core count
• Total memory size
• Operating system information (e.g. version, architecture)
• Computer name
• User name
• Flag to indicate if executed as administrator
• Domain and group into which the machine is included

Other Details

This Ransomware does the following:

• It propagates in the network via LDAP domain query in Active Directories and drops copies of itself as:
  • \C$\ProgramData\{Malware File Name}.exe
• It propagates to the following file paths if found for higher privilege execution:
  • \ADMIN$
  • \IPC$
• It installs the following services in its propagation routine if the /NETWORK argument provided is s:
  • Update{random characters}

It accepts the following parameters:

• /LOGIN= → specify network username for propagation
• /PASSWORD= → specify network password for propagation
• /CONSOLE → display log activities through console
  
• /NODEL → disable self-deletion
• /NOKILL → disable service and process termination
• /NOLOG → disable file logging
• /SHAREALL → encrypt all shared resources
• /NETWORK → encrypt all shared resources
  • -w → launches the executable on remote host via Windows Management Instrumentation (WMI)
  • -s → launches the executable on remote host via service
• /PARAMS= → specify command line parameters for launching on other machines
• /TARGET= → specify a path to a file or a directory to encrypt
• /FAST= → specify buffer size for fast encryption
• /MIN= → specify minimum file size to encrypt
• /MAX= → specify maximum file size to encrypt
• /FULLPD → enable encryption in Program Files, Program Files (x86), ProgramData, and SQL
• /MARKER= → specify an infection marker file name to drop in each encrypted drive
• /NOLOCK= → specify drives to avoid encrypting
  • -L → Local
  • -N → Network
  • -S → Network shared resources

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• \autorun.inf
• \boot.ini
• \bootfont.bin
• \bootsect.bak
• \bootmgr
• \bootmgr.efi
• \bootmgfw.efi
• \iconcache.db
• \desktop.ini
• \ntldr
• \ntuser.dat
• \ntuser.dat.log
• \ntuser.ini
• \thumbs.db

It avoids encrypting files with the following strings in their file path:

• :\Windows\
• :\System Volume Information\
• :\$Recycle.bin\
• :\System.sav\
• :\winnt
• :\$Windows.~bt\
• :\Windows.old\
• :\PerfLog\
• :\PerfLogs\
• :\Program Files\
• :\Program Files (x86)\
• :\Boot
• :\ProgramData\Microsoft\
• :\ProgramData\Packages\
• :\EFI
• :\ProgramData
• $\Windows\
• $\System Volume Information\
• $\$Recycle.bin\
• $\System.sav\
• $\winnt
• $\$Windows.~bt\
• $\Windows.old\
• $\PerfLog\
• $\PerfLogs\
• $\Program Files\
• $\Program Files (x86)\
• $\Boot
• $\ProgramData\Microsoft\
• $\ProgramData\Packages\
• $\EFI
• $\ProgramData
• \WindowsApps\
• \Microsoft\Windows\
• \Local\Packages\
• \Windows Defender
• \microsoft shared\
• \Google\Chrome\
• \Mozilla Firefox\
• \Mozilla\Firefox\
• \Internet Explorer\
• \MicrosoftEdge\
• \Tor Browser\
• \AppData\Local\Temp\
• \AppData
• \All Users
• \Boot
• \Google
• \Mozilla

It appends the following extension to the file name of the encrypted files:

• .quantum

It drops the following file(s) as ransom note:

• {Encrypted directory}\README_TO_DECRYPT.html
  

It avoids encrypting files with the following file extensions:

• exe
• dll
• sys
• msi
• mui
• inf
• cat
• bat
• cmd
• ps1
• vbs
• ttf
• fon
• lnk