Ransom.Win32.PHOBOS.YXCCW

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system:

• %AppDataLocal%\{Malware name}
• %Common Startup%\{Malware name}
• %User Startup%\{Malware name}

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Common Startup% is the startup folder for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

It drops the following files:

• if config exists:
  %AppDataLocal%\config
  %User Startup%\config
  %Common Startup%\config

(Note: %Common Startup% is the startup folder for all users, which is usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows 2000, XP, and Server 2003, or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, and 8.)

It adds the following processes:

• "%System%\cmd.exe
• netsh advfirewall set currentprofile state off
• vssadmin delete shadows /all /quiet
• netsh firewall set opmode mode=disable
• wmic shadowcopy delete
• bcdedit /set {default} bootstatuspolicy ignoreallfailures
• bcdedit /set {default} recoveryenabled no
• wbadmin delete catalog -quiet
• "%System%\mshta.exe" "%Desktop%\info.hta"
• "%System%\mshta.exe" "%Public%\desktop\info.hta"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Public% is the folder that serves as a repository of files or folders common to all users, which is usually C:\Users\Public in Windows Vista, 7, and 8.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\<<BID>>{Volume Serial Number}{random number}

Autostart Technique

This Ransomware creates the following registry entries to enable automatic execution of dropped component at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{Malware name} = %AppDataLocal%\{Malware name} = %AppDataLocal%\{Malware name}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{Malware name} = %AppDataLocal%\{Malware name}

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• agntsvc.exe
• mydesktopqos.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• encsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• excel.exe
• infopath.exe
• msaccess.exe
• mspub.exe
• onenote.exe
• outlook.exe
• powerpnt.exe
• steam.exe
• thebat.exe
• thebat64.exe
• thunderbird.exe
• visio.exe
• winword.exe
• wordpad.exe

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• info.hta
• info.txt
• boot.ini
• bootfont.bin
• ntldr
• ntdetect.com
• io.sys
• config
• {Malware name}

It avoids encrypting files with the following strings in their file path:

• %Windows%
• %ProgramData%\microsoft\windows\caches

(Note: %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It appends the following extension to the file name of the encrypted files:

• .id[{Volume Serial Number}-{Generated ID}].[{BLOCKED}on@cock.li].Devos

It drops the following file(s) as ransom note:

• %Public%\desktop\info.hta
• %Desktop%\info.hta
  
• %Public%\desktop\info.txt
• %Desktop%\info.txt
  

It avoids encrypting files with the following file extensions:

• Devos
• actin
• DIKE
• Acton
• actor
• Acuff
• FILE
• Acuna
• acute
• adage
• Adair
• Adame
• banhu
• banjo
• Banks
• Banta
• Barak
• Caleb
• Cales
• Caley
• calix
• Calle
• Calum
• Calvo
• deuce
• Dever
• devil
• Devoe
• Devon
• Devos
• dewar
• eight
• eject
• eking
• Elbie
• elbow
• elder
• phobos
• help
• blend
• bqux
• com
• mamba
• KARLOS
• DDoS
• phoenix
• PLUT
• karma
• bbc
• CAPITAL
• WALLET
• LKS
• tech
• s1g2n3a4l
• MURK
• makop
• ebaka
• jook
• LOGAN
• FIASKO
• GUCCI
• decrypt
• OOH
• Non
• grt
• LIZARD