Ransom_AMNESIA.G
DeepScan:Generic.Ransom.Amnesia.F42DEF8A (Bitdefender), Trj/RansomCrypt.D (Panda)
Windows
Threat Type: Ransomware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It is capable of encrypting files in the affected system.
TECHNICAL DETAILS
Arrival Details
This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Ransomware drops the following files:
- %User Temp%\{GUID}.bat
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following copies of itself into the affected system:
- %Application Data%\Ghrome.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It adds the following processes:
- %System%\cmd.exe /c vssadmin Delete Shadows /for=C: /All
- %System%\cmd.exe /c vssadmin Delete Shadows /for=D: /All
- %System%\cmd.exe /c vssadmin Delete Shadows /for=E: /All
- %System%\cmd.exe /c vssadmin Delete Shadows /for=F: /All
- %System%\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0
- %System%\cmd.exe /c wmic SHADOWCOPY DELETE
- %System%\cmd.exe /c vssadmin Delete Shadows /All /Quiet
- %System%\cmd.exe /c bcdedit /set {default} recoveryenabled No
- %System%\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
It leaves text files that serve as ransom notes containing the following:
- {encrypted file path}\HOW TO RECOVER ENCRYPTED FILES.TXT
Autostart Technique
This Ransomware adds the following registry entries to enable its automatic execution at every system startup:
HKCU\Software\Microsoft\
Windows\CurrentVersion\RunOnce
{B5135AD2-D7D9-FFDC-0A8E-143026FB1938} = %Application Data%\Ghrome.exe
Other System Modifications
This Ransomware adds the following registry keys:
HKCU\Software\{B5135AD2-D7D9-FFDC-0A8E-143026FB1938}
It modifies the Internet Explorer Privacy Settings.
Other Details
This Ransomware is capable of encrypting files in the affected system.