Ransom.Win64.RAWLD.THAAFBE

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• %Temp%\Ra_Lock.exe
• {Malware Path}\.Ra_Lock → lock file used as a marker before encrypting the system

(Note: %Temp% is the Windows temporary folder, where it usually is C:\Windows\Temp on all Windows operating system versions.)

It adds the following processes:

• Clears and terminates event logs:
  • powershell -Command "Get-WmiObject -Class win32_service -Filter \"name = 'eventlog'\" | select -exp ProcessId"
  • cmd -Command "/c start taskkill /f /pid {Event Log PID}
  • cmd -Command "/c start wevtutil cl Application"
  • cmd -Command "/c start wevtutil cl system"
  • cmd -Command "/c start wevtutil cl security"
  • cmd -Command "/c start wevtutil cl setup"
• Deletes shadow copies and other system backups:
  • cmd -Command "/c start vssadmin delete shadows /all /quiet"
  • cmd -Command "/c start wmic shadowcopy delete /nointeractive"
  • cmd -Command "/c start wmic SHADOWCOPY /nointeractive"
  • cmd -Command "/c start wbadmin delete catalog -quiet"
  • cmd -Command "/c start wbadmin DELETE SYSTEMSTATEBACKUP"
• Disables recovery mode and safe mode after boot:
  • cmd -Command "/c start bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  • cmd -Command "/c start bcdedit /set {default} recoveryenabled no"
  • cmd -Command "/c start bcdedit /set {default} recoveryenabled No"
  • cmd -Command "/c bcdedit /deletevalue {default} safeboot"
• Deletes traces of itself and reboots the system after 10 seconds:
  • cmd -Command "/c del C:\Windows\Temp\Team_update.exe && cmd /c del C:\Windows\Temp\.Ra_Lock"
  • cmd -Command "/c start shutdown -r -f -t 10"
  • cmd /C timeout /T 3 & del {Malware Path}\{Malware Filename}

It executes then deletes itself afterward.

Process Termination

This Ransomware terminates the following services if found on the affected system:

• AcronisAgent
• AcrSch2Svc
• BackExecRPCService
• backup
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• BackupExecVSSProvider
• bedbg
• CAARCUpdateSvc
• CASAD2DWebSvc
• ccEvtMgr
• ccSetMgr
• Culserver
• dbeng8
• DefWatch
• GxBlr
• GxCIMgr
• GxCVD
• GxFWD
• GxVss
• Intuit.QuickBooks.FCS
• memtas
• mepocs
• MpsSvc
• MsDtsServer150
• MSExchange
• msftesql-Exchange
• msmdsrv
• MSSQL
• MSSQLFDLauncher
• MSSQLLaunchpad
• MSSQLSERVER
• MSSQLServerOLAPService
• PDVFSService
• QBCFMonitorService
• QBFCService
• QBIDPService
• RTVscan
• SavRoam
• sophos
• sql
• sqladhlp
• SQLADHLP
• sqlagent
• SQLAgent
• SQLAgent$SHAREPOINT
• SQLBrowser
• SQLPBDMS
• SQLPBENGINE
• SQLSERVERAGENT
• SQLServerDistributedReplayClient
• SQLServerDistributedReplayController
• SQLTELEMETRY
• SQLWriter
• SSASTELEMETRY
• SSISScaleOutMaster150
• SSISScaleOutWorker150
• SSISTELEMETRY150
• stc_raw_agent
• svc$
• tomcat6
• veeam
• VeeamDeploymentService
• VeeamNFSSvc
• VeeamTransportSvc
• vmware-converter
• vmware-usbarbitator64
• VSNAPVSS
• vss
• WSBExchange
• wuauserv
• YooBackup
• YooIT
• zhudongfangyu

It terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• Culture.exe
• dbeng50.exe
• dbsnmp.exe
• dbsrv12.exe
• Defwatch.exe
• encsvc.exe
• excel.exe
• firefox.exe
• httpd.exe
• infopath.exe
• isqlplussvc.exe
• msaccess.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• notepad.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• powerpnt.exe
• RAgui.exe
• sqbcoreservice.exe
• sql.exe
• sqlbrowser.exe
• sqlmangr.exe
• Sqlservr.exe
• steam.exe
• supervise.exe
• synctime.exe
• tbirdconfig.exe
• thebat.exe
• thunderbird.exe
• tomcat6.exe
• visio.exe
• vxmon.exe
• WinSAT.exe
• winword.exe
• wordpad.exe
• wrapper.exe
• wsa_service.exe
• wxServer.exe
• wxServerView.exe
• xfssvccon.exe

Other Details

This Ransomware does the following:

• It encrypts all available drives except for CD-ROMs.
• It logs its status of activity in the console:
  

It deletes the following files to remove its traces in the system:

• C:\Windows\Temp\Team_update.exe
• C:\Windows\Temp\.Ra_Lock
• {Malware Path}\{Malware Filename}

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• autorun.inf
• boot.ini
• bootfont.bin
• bootmgfw.efi
• bootmgr
• bootmgr.efi
• desktop.ini
• iconcache.db
• ntuser.dat
• NTUSER.DAT
• ntuser.ini
• pagefile.sys
• thumbs.db

It avoids encrypting files found in the following folders:

• #recycle
• $Recycle.Bin
• $windows.~bt
• All Users
• AppData
• Boot
• bootmgr
• Google
• inte
• Internet Explorer
• Mozilla
• Mozilla Firefox
• msocache
• ntldr
• ntuser.dat
• NTUSER.DAT
• Opera
• Opera Software
• perflogs
• Program Files
• Program Files (x86)
• ProgramData
• system volume information
• System32
• SYSVOL
• Tor Browser
• Windows

It appends the following extension to the file name of the encrypted files:

• .Ra_Lock

It drops the following file(s) as ransom note:

• {Encrypted Path}\README_Howtorecover.txt
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .iso
• .Ra_Lock