RANSOM_SHIMA.A

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %Windows%\systemboot54146454.exe

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It drops the following copies of itself into the affected system and executes them:

• %User Startup%\systemboot54146454.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Documents and Settings\{user}\Start Menu\Programs\Startup on Windows 2000 and XP, and C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

It drops the following files:

• %User Temp%\shima.themepack

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops and executes the following files:

• %User Temp%\1.vbs

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Autostart Technique

This Ransomware drops the following file(s) in the Windows Startup folder to enable its automatic execution at every system startup:

• systemboot54146454.exe

Other Details

This Ransomware does the following:

• The ransomware displays the following user interface:
  
• The sample is still in development and contains the following which can be edited:
  • Ransom note can be edited inside the message box shown in the image above.
  • Modify component file inside the content of vbs file box shown in the image above.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• .asa
• .asp
• .aspx
• .cs
• .css
• .htm
• .html
• .js
• .json
• .jsp
• .jst
• .php
• .php3
• .php4
• .php5
• .php6
• .php7
• .rss
• .txt
• .vbs
• .xml

It avoids encrypting files with the following strings in their file path:

• $RECYCLE.BIN
• System Volume Information

It appends the following extension to the file name of the encrypted files:

• .sh99

It drops the following file(s) as ransom note:

• {Encrypted Directory}\Encryption Message.txt

It leaves text files that serve as ransom notes containing the following text:

• Hi babyAre you ok??Are you good??No , why??For Encryption virus?orYour Theme?or ....I Do not know any thing butI know if you want open your file and Decrypt your fileyou can call me with an E-mail that is:shimabahrami99@gmail.comand I can help you just with money.If you have money send me an empty mail that its title will be "Encrypt Help".and I give you my card number and the amount of money .So after that you pay money and send me your Receipt and i check itIf it is true and real ,I give you a program that open your file ,and If it is not real ,I never give you that program.*****The first important point :If you call with a police ,I never give you program and I delete all your fileok??*****The second important point:If you do not trust me ,you can send me a filethat encrypt with my program,and mail title will be "Encrypt trust" I give you the Decrypt photo and correct fileButjust for once.asd shima99 :)