Ransom_Blocker.R020C0CJF19

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It disables Task Manager, Registry Editor, and Folder Options.

File Size: 80,375 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 16 Oct 2019

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
xk = "%Windows%\xk.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MSMSGS = "%User Profile%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
ServiceAdministrator = "%User Profile%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

Other System Modifications

This Ransomware adds the following registry keys:

HKEY_CLASSES_ROOT\lnkfile\shell\
open\command

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Run
LogonAdministrator = "%User Profile%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows\CurrentVersion\
Run
System Monitoring = "%User Profile%\Local Settings\Application Data\WINDOWS\LSASS.EXE"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows NT\CurrentVersion\
Winlogon
Shell = "Explorer.exe %System%\IExplorer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows NT\CurrentVersion\
Winlogon
Userinit = "%System%\userinit.exe,%System%\IExplorer.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows NT\CurrentVersion\
AeDebug
Debugger = "%System%\Shell.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
Microsoft\Windows NT\CurrentVersion\
AeDebug
Auto = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
lnkfile\shell\open\
command
(Default) = "%System%\shell.exe %1 %*"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Installer
DisableMSI = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CabinetState
FullPathAddress = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

It modifies the following registry entries:

HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE = "%System%\Mig~mig.SCR"

(Note: The default value data of the said registry entry is %Windows%\system32\logon.scr.)

HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaverIsSecure = "0"

(Note: The default value data of the said registry entry is 0.)

HKEY_CURRENT_USER\Control Panel\Desktop
ScreenSaveTimeOut = "600"

(Note: The default value data of the said registry entry is 600.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\SafeBoot
AlternateShell = "%Windows%\xk.exe"

(Note: The default value data of the said registry entry is cmd.exe.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
exefile\shell\open\
command
(Default) = "%System%\shell.exe %1 %*"

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
piffile\shell\open\
command
(Default) = "%System%\shell.exe %1 %*"

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
batfile\shell\open\
command
(Default) = "%System%\shell.exe %1 %*"

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
comfile\shell\open\
command
(Default) = "%System%\shell.exe %1 %*"

(Note: The default value data of the said registry entry is "%1" %*.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
exefile
(Default) = "File Folder"

(Note: The default value data of the said registry entry is Application.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is 2.)

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

This report is generated via an automated analysis system.

Minimum Scan Engine: 9.850

Step 1

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Enable Registry Editor, Task Manager, and Folder options

[ Learn More ]

By doing this step, you also enable other applications/programs disabled by this malware/grayware/spyware. Screen reader support enabled.

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CLASSES_ROOT\lnkfile\shell\open
- command

In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
- System

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
- System

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT
- SystemRestore

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- xk = "%Windows%\xk.exe"

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- MSMSGS = "%User Profile%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- ServiceAdministrator = "%User Profile%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- LogonAdministrator = "%User Profile%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- System Monitoring = "%User Profile%\Local Settings\Application Data\WINDOWS\LSASS.EXE"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
- Shell = "Explorer.exe %System%\IExplorer.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
- Userinit = "%System%\userinit.exe,%System%\IExplorer.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
- Debugger = "%System%\Shell.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
- Auto = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- (Default) = "%System%\shell.exe %1 %*"

In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- DisableCMD = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
- DisableConfig = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
- DisableSR = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
- LimitSystemRestoreCheckpointing = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
- DisableMSI = "1"

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
- FullPathAddress = "1"

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- ShowSuperHidden = "0"

To delete the registry value this malware/grayware created:

Open Registry Editor.
» For Windows 7 and Windows Server 2008 (R2) users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, Windows 10, and Windows Server 2012 (R2) users, right-click on the lower-left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
xk = "%Windows%\xk.exe"
Again In the right panel, locate and delete the entry:
MSMSGS = "%User Profile%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
Again In the right panel, locate and delete the entry:
ServiceAdministrator = "%User Profile%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
LogonAdministrator = "%User Profile%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
Again In the right panel, locate and delete the entry:
System Monitoring = "%User Profile%\Local Settings\Application Data\WINDOWS\LSASS.EXE"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Windows NT>CurrentVersion>Winlogon
In the right panel, locate and delete the entry:
Shell = "Explorer.exe %System%\IExplorer.exe"
Again In the right panel, locate and delete the entry:
Userinit = "%System%\userinit.exe,%System%\IExplorer.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Wow6432Node>Microsoft>Windows NT>CurrentVersion>AeDebug
In the right panel, locate and delete the entry:
Debugger = "%System%\Shell.exe"
Again In the right panel, locate and delete the entry:
Auto = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>lnkfile>shell>open>command
In the right panel, locate and delete the entry:
(Default) = "%System%\shell.exe %1 %*"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Policies>Microsoft>Windows>System
In the right panel, locate and delete the entry:
DisableCMD = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows NT>SystemRestore
In the right panel, locate and delete the entry:
DisableConfig = "1"
Again In the right panel, locate and delete the entry:
DisableSR = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>Installer
In the right panel, locate and delete the entry:
LimitSystemRestoreCheckpointing = "1"
Again In the right panel, locate and delete the entry:
DisableMSI = "1"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>CabinetState
In the right panel, locate and delete the entry:
FullPathAddress = "1"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>Advanced
In the right panel, locate and delete the entry:
ShowSuperHidden = "0"
Close Registry Editor.

Step 6

Restore these modified registry values

[ Learn More ]

Important:Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

In HKEY_CURRENT_USER\Control Panel\Desktop
- From: SCRNSAVE.EXE = "%System%\Mig~mig.SCR"
  To: SCRNSAVE.EXE = ""%Windows%\system32\logon.scr""

In HKEY_CURRENT_USER\Control Panel\Desktop
- From: ScreenSaverIsSecure = "0"
  To: ScreenSaverIsSecure = ""0""

In HKEY_CURRENT_USER\Control Panel\Desktop
- From: ScreenSaveTimeOut = "600"
  To: ScreenSaveTimeOut = ""600""

In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot
- From: AlternateShell = "%Windows%\xk.exe"
  To: AlternateShell = ""cmd.exe""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- From: (Default) = "%System%\shell.exe %1 %*"
  To: (Default) = """%1" %*""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- From: (Default) = "%System%\shell.exe %1 %*"
  To: (Default) = """%1" %*""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- From: (Default) = "%System%\shell.exe %1 %*"
  To: (Default) = """%1" %*""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- From: (Default) = "%System%\shell.exe %1 %*"
  To: (Default) = """%1" %*""

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
- From: (Default) = "File Folder"
  To: (Default) = ""Application""

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: HideFileExt = "1"
  To: HideFileExt = ""1""

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: Hidden = "0"
  To: Hidden = ""2""

To restore registry values this malware/grayware modified:

Open Registry Editor. To do this:
- On Windows 7 and Server 2008 (R2):
  Click the Start button, type REGEDIT in the Search input field then press Enter.
- On Windows 8, 8.1, 10, and Server 2012 (R2):
  Right-click on the lower left corner of the screen and click Run, type REGEDIT in the Run input field, and then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Control Panel>Desktop
In the right panel, locate the registry value:
SCRNSAVE.EXE = "%System%\Mig~mig.SCR"
Right-click on the value name and choose Modify. Change the value data of this entry to:
SCRNSAVE.EXE = "%Windows%\system32\logon.scr"
Again In the right panel, locate the registry value:
ScreenSaverIsSecure = "0"
Right-click on the value name and choose Modify. Change the value data of this entry to:
ScreenSaverIsSecure = "0"
Again In the right panel, locate the registry value:
ScreenSaveTimeOut = "600"
Right-click on the value name and choose Modify. Change the value data of this entry to:
ScreenSaveTimeOut = "600"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SYSTEM>ControlSet001>Control>SafeBoot
In the right panel, locate the registry value:
AlternateShell = "%Windows%\xk.exe"
Right-click on the value name and choose Modify. Change the value data of this entry to:
AlternateShell = "cmd.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>exefile>shell>open>command
In the right panel, locate the registry value:
(Default) = "%System%\shell.exe %1 %*"
Right-click on the value name and choose Modify. Change the value data of this entry to:
(Default) = ""%1" %*"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>piffile>shell>open>command
In the right panel, locate the registry value:
(Default) = "%System%\shell.exe %1 %*"
Right-click on the value name and choose Modify. Change the value data of this entry to:
(Default) = ""%1" %*"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>batfile>shell>open>command
In the right panel, locate the registry value:
(Default) = "%System%\shell.exe %1 %*"
Right-click on the value name and choose Modify. Change the value data of this entry to:
(Default) = ""%1" %*"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>comfile>shell>open>command
In the right panel, locate the registry value:
(Default) = "%System%\shell.exe %1 %*"
Right-click on the value name and choose Modify. Change the value data of this entry to:
(Default) = ""%1" %*"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Classes>exefile
In the right panel, locate the registry value:
(Default) = "File Folder"
Right-click on the value name and choose Modify. Change the value data of this entry to:
(Default) = "Application"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Explorer>Advanced
In the right panel, locate the registry value:
HideFileExt = "1"
Right-click on the value name and choose Modify. Change the value data of this entry to:
HideFileExt = "1"
Again In the right panel, locate the registry value:
Hidden = "0"
Right-click on the value name and choose Modify. Change the value data of this entry to:
Hidden = "2"
Close Registry Editor.

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom_Blocker.R020C0CJF19. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore encrypted files from backup.

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Resources

Support

About Trend

Country Headquarters