Ransom.Win64.TRIGONA.B

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• %System%\cmd.exe /c\"bcdedit /set{default} recoveryenabled No\"
• %System%\cmd.exe /c\"bcdedit /set {default} bootstatuspolicy ignoreallfailures\"
• %System%\cmd.exe /c\"wbadmin DELETE BACKUP -keepVersions:0\"
• %System%\cmd.exe /c\"wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0\"
• %System%\cmd.exe /c\"wmic SHADOWCOPY DELETE\"
• %System%\cmd.exe /c\"vssadmin delete shadows /all /quiet\"
• %System%\mshta.exe %User Temp%\how_to_decrypt.hta

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• {Generated ID} → Derived from computer name and creation time of %Windows%

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

Information Theft

This Ransomware gathers the following data:

• Computer Name
• Username
• OS Version
• System Locale
• Keyboard Layout
• Disk Data
• Network Configuration Information

Other Details

This Ransomware does the following:

• By default, It encrypt local drives and network drives
• It displays its ransom note after encryption
• It loads its configuration found in its resource section named CFGS.
• It checks for the presence of the following file that serves as its configuration file:
  • cfgs.txt
• It encrypts the information it gathers and stores it in the authentication key required during the negotiation procedures to retrieve files
• It can terminate processes and services based on the configuration.

It accepts the following parameters:

• /r → encrypt files in random order
• /sleep → sleep for n seconds before execution
• /full → encrypt the whole contents of a file (by default, only the first 0x80000 bytes/512kb are encrypted)
• /debug → execute in debug mode, need to be executed with /p
• /log_f → for logging, specify the log file
• /fast
• /erase → delete contents of a file
• /is_testing → for testing purposes, used with /test_cid and /test_vid
• /test_cid → Use the specified value instead of generating a computer ID
• /test_vid → Use the specified value instead of the hardcoded victim ID (VID) from the configuration
• /p → specify path to encrypt
• /path → specify path to encrypt
• /!local → Do not encrypt local files
• /!lan → Do not encrypt network shares
• /shdwn → Turn off the machine after encryption using the parameter -f -s -t 00
• /allow_system → Allows encrypting files in system directory
• /!clear_shadow → Do not delete shadow copies
• /wipe
• /block
• /step
• /band_start
• /!prerename → Do not rename files before encryption
• /delete → Deletes itself after execution
• /priority → Sets encryption priority
• /clear_exclude
• /ips
• /stealth → Do not rename encrypted files, needs to be executed with /p
• /e

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• how_to_decrypt.hta
• how_to_decrypt.txt
• NTUSER.DAT

It avoids encrypting files with the following strings in their file path:

• windows
• system32

It renames encrypted files using the following names:

• available_for_trial.{random}._locked
• {random}._locked

It drops the following file(s) as ransom note:

• %User Temp%\how_to_decrypt.hta
• {Encrypted Directory}\how_to_decrypt.hta