RANSOM_CRYPROTO.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %AppDataLocal%\{Random Folder}\{Random Characters}.exe

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\{GUID}
• Local\{GUID}

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Random Characters} = %AppDataLocal%\{Full Path of the Malware}\{Random Characters}.exe

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %Start Menu%\Programs\Startup\{Random Characters}.lnk

(Note: %Start Menu% is the Start Menu folder, where it usually is C:\Documents and Settings\{user name}\Start Menu on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other System Modifications

This Ransomware modifies the following registry entries:

HKEY_CURRENT_USER\Software\{Random}

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• sql
• backup
• restore
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• mydesktopqos.exe
• agntsvc.exeisqlpussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exeagntsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• dbeng50.exe
• sqbcoreservice.exe
• SDRSVC
• SQLAgent
• MSSQLBI
• SQLWriter
• MSSQL
• SQLSERVERAGENT
• MSSQLBI
• MSSQLSERVER
• MSQOLAP
• MSQLBI
• SQLBrowser
• MsDtsServer100
• ReportServer
• MSSQLBI

Other Details

This Ransomware does the following:

• It deletes shadow copies using the following commands:
  
  • /C vssadmin Delete Shadows /All /Quiet
  • /C wmic shadowcopy delete
  • /C Bcdedit.exe /set {default} recoveryenabled no
  • /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• .docx
• .pptx
• .pptx
• .xlsx
• .xbap
• .xps
• .pdf
• .pot
• .hta
• .xlt
• .pps
• .xlw.
• .dot
• .rtf
• .ppt
• .xls
• .doc
• .xml
• .htm
• .html
• .hta
• .exe
• .search-ms
• .mht
• .zip
• .dvr-ms
• .wvx
• .wmx
• .wmv
• .wm
• .mpv2
• .mpg
• .mpeg
• .mpe
• .mpa
• .mp2v
• .mp2
• .m1v
• .IVF
• .asx
• .asf
• .wax
• .snd
• .rmi
• .m3u
• .au
• .aiff
• .aifc
• .aif
• .midi
• .mid
• .wma
• .wav
• .mp3
• .wmf
• .tiff
• .tif
• .rle
• .png
• .jpeg
• .jpe
• .jpg
• .jfif
• .ico
• .gif
• .emf
• .dib
• .bmp

It avoids encrypting files with the following strings in their file name:

• ntuser
• normal.dot
• containter.dat
• UsrClass
• WebCacheLock
• WindowsUpdate
• AUTOEXEC
• boot
• ntldr
• .386
• .73u
• .8xu
• .adm
• .adml
• .admx
• .adv
• .ani
• .ann
• .aos
• .asec
• .bat
• .bcd
• .bio
• .bk2
• .blf
• .bmk
• .bud
• .cdmp
• .chs
• .ci
• .clb
• .cnt
• .cpi
• .cpl
• .cpq
• .com
• .cur
• .deslink
• .deskthemepack
• .dev
• .diagcab
• .diagcfg
• .diagpkg
• .dimax
• .dit
• .dlx
• .dll
• .dls
• .dmp
• .drv
• .dss
• .dvd
• .dyc
• .ebd
• .efi
• .exe
• .ffa
• .ffl
• .ffo
• .ffx
• .ftg
• .fts
• .gmmp
• .grl
• .group
• .grp
• .h1s
• .hdmp
• .hhc
• .hhk
• .hiv
• .hlp
• .hpj
• .hsh
• .htt
• .icl
• .icns
• .ico
• .idi
• .idx
• .ime
• .img3
• .inf
• .inf_loc
• .ini
• .ins
• .ion
• .itemdata-ms
• .its
• .jpn
• .kbd
• .kor
• .library-ms
• .lng
• .lnk
• .lib
• .manifest
• .mapimail
• .mdmp
• .mlc
• .mnu
• .msc
• .msp
• .msstyle
• .msstyles
• .mui
• .mui_cccd5ae0
• .mum
• .mydocs
• .nfo
• .nls
• .nt
• .ntfs
• .ocx
• .p7b
• .pck
• .pdr
• .pid
• .pol
• .ppd
• .prf
• .printerexport
• .prt
• .ps2
• .pwl
• .regtrans-ms
• .rs
• .rnd
• .savedsearch
• .scf
• .scr
• .sdb
• .shd
• .shsh
• .str
• .swp
• .sys
• .tha
• .theme
• .trx_dll
• .uce
• .vga
• .vgd
• .vx_
• .vxd
• .wdf
• .wdgt
• .webpnp
• .wer
• .wph
• .wpx
• .xrm-ms

It avoids encrypting files found in the following folders:

• %System%
• %Windows%
• %internetcache%
• %Temporary Internet Files%

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %Temporary Internet Files% is the Temporary Internet Files folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temporary Internet Files on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Microsoft\Windows\Temporary Internet Files on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), and Windows Server 2008; C:\Users\{user name}\AppData\Local\Microsoft\Windows\INetCache on Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), and Windows Server 2012.)

It appends the following extension to the file name of the encrypted files:

• !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66