Ransom.Win32.COBAIN.F

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files with specific file extensions. It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {Encrypted Folders}\__lock_XXX__ → contains process ID of the executed malware process and victim ID
• %ProgramData%\96288ac666485638d133ea9d874c2f265df81e8ad54896d0232511e39af8f764 → contains victim ID

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = {Malware File Path}\{Malware File Name}.exe 96288ac666485638d133ea9d874c2f265df81e8ad54896d0232511e39af8f764

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random characters} = {Malware File Path}\{Malware File Name}.exe 96288ac666485638d133ea9d874c2f265df81e8ad54896d0232511e39af8f764

Other Details

This Ransomware does the following:

• It encrypts files found in the following drive types:
  • Fixed Drive
  • Removable Drive
  • Network Drive
• If a file to be encrypted is found to have an existing process, it will try to terminate this process.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• {Original File Name}.{Original File Extension}.360

It avoids encrypting files with the following strings in their file name:

• bootmgr
• NTUSER.DAT
• page{anything}.sys
• swap{anything}.sys

It avoids encrypting files found in the following folders:

• %ProgramData%
• %Windows%
• AnyDesk
• Common Files
• Embedded Lockdown Manager
• Internet Explorer
• MSBuild
• Microsoft.NET
• Oray
• Reference Assemblies
• Users\{anything}\Microsoft Help
• Users\{anything}\Microsoft
• Users\{anything}\Package Cache
• Windows Defender
• Windows Defender Advanced Threat Protection
• Windows Journal
• Windows Mail
• Windows Media Player
• Windows Multimedia Platform
• Windows NT
• Windows Photo Viewer
• Windows Portable Devices
• Windows Security
• Windows Sidebar
• WindowsPowerShell

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It drops the following file(s) as ransom note:

• {Encrypted Folders}\!_INFO.txt
• %Desktop%\!_INFO.txt
• 
  

It avoids encrypting files with the following file extensions:

• .dll
• .sys
• .4dd
• .4dl
• .accdb
• .accdc
• .accde
• .accdr
• .accdt
• .accft
• .adb
• .ade
• .adf
• .adp
• .alf
• .arm
• .arz
• .ask
• .bak
• .bson
• .btr
• .cat
• .cdb
• .ckp
• .cma
• .cnf
• .cpd
• .crypt12
• .crypt8
• .crypt9
• .dacpac
• .dad
• .dadiagrams
• .daschema
• .db
• .db-shm
• .db-wal
• .db3
• .dbc
• .dbf
• .dbs
• .dbt
• .dbv
• .dbx
• .dcb
• .dct
• .dcx
• .ddl
• .dlis
• .dmp
• .dp1
• .dqy
• .dsk
• .dsn
• .dtsx
• .dxl
• .eco
• .ecx
• .edb
• .epim
• .fcd
• .fdb
• .fic
• .fm5
• .fmp
• .fmp12
• .fmpsl
• .fol
• .fp3
• .fp4
• .fp5
• .fp7
• .fpt
• .frm
• .gdb
• .grdb
• .gwi
• .hdb
• .his
• .ib
• .ibc
• .ibd
• .ibz
• .idb
• .ihx
• .ism
• .itdb
• .itw
• .jet
• .json
• .jtx
• .kdb
• .kexi
• .kexic
• .kexis
• .ldf
• .lgc
• .lwx
• .maf
• .maq
• .mar
• .marshal
• .mas
• .mav
• .mbk
• .mdb
• .mdf
• .mpd
• .mrg
• .mud
• .mwb
• .myd
• .myi
• .mysql
• .ndf
• .nnt
• .nrmlib
• .ns2
• .ns3
• .ns4
• .nsf
• .nv
• .nv2
• .nwdb
• .nyf
• .odb
• .opt
• .oqy
• .ora
• .orx
• .owc
• .p96
• .p97
• .pan
• .pdb
• .pdm
• .phl
• .pnz
• .qbquery
• .qry
• .qvd
• .rbf
• .rctd
• .rod
• .rodx
• .rpd
• .rsd
• .rul
• .sal
• .sas7bdat
• .sbf
• .scx
• .sdb
• .sdc
• .sdf
• .sis
• .sld
• .smd
• .spq
• .sql
• .sqlite
• .sqlite3
• .sqlitedb
• .sqr
• .te
• .teacher
• .tmd
• .tps
• .trc
• .trm
• .udb
• .udl
• .usr
• .v12
• .vis
• .vpd
• .vvv
• .wdb
• .wmdb
• .wrk
• .xdb
• .xld
• .xmlff