Ransom.Win64.FUNKSEC.THAOFBE

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It downloads a file from a certain URL then renames it before storing it in the affected system.

However, as of this writing, the said sites are inaccessible.

It encrypts files with specific file extensions. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

• {malware filepath}\downloaded_wallpaper.jpg → desktop wallpaper after encryption

It adds the following processes:

• %System%\net.exe
• %System%\tasklist.exe /fi "IMAGENAME eq vmware"
• powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
• powershell -Command wevtutil sl Security /e:false
• powershell -Command Set-ExecutionPolicy Bypass -Scope Process -Force
• vssadmin delete shadows /all /quiet

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware sets the system's desktop wallpaper to the following image:

Process Termination

This Ransomware terminates the following services if found on the affected system:

• wuauserv
• bits
• Spooler
• DockApp
• MpsSvc
• XblGameSave
• DiagTrack
• SysMain
• lfsvc
• seclogon
• wscsvc
• trkwks
• RemoteRegistry
• netprofm
• Netsh
• twinapi.appcore
• TimeBrokerSvc
• RasMan
• sshd
• LanmanWorkstation
• CryptSvc
• EventLog
• WinDefend

It terminates the following processes if found running in the affected system's memory:

• chrome.exe
• firefox.exe
• explorer.exe
• outlook.exe
• spotify.exe
• vlc.exe
• skype.exe
• teams.exe
• discord.exe
• java.exe
• python.exe
• node.exe
• javaw.exe
• winword.exe
• excel.exe
• powerpnt.exe
• cmd.exe
• powershell.exe
• notepad++.exe
• gimp-2.10.exe
• photoshop.exe
• iTunes.exe
• system32.exe

Download Routine

This Ransomware downloads files from the following URLs then renames them before storage in the affected system:

• https://{BLOCKED}r.com/HCYQoVR.jpeg → desktop wallpaper after encryption

Other Details

This Ransomware does the following:

• It checks for the presence of the following virtual environment-related strings in the system:
  • vboxservice
  • qemu
  • hyperv
  • vmware

However, as of this writing, the said sites are inaccessible.

Ransomware Routine

This Ransomware encrypts files with the following extensions:

• txt
• csv
• docx
• xlsx
• pdf
• json
• xml
• sql
• log
• html
• css
• js
• php
• py
• java
• c
• cpp
• sh
• bat
• ini
• yaml
• md
• rtf
• ts
• jsx
• tsx
• pptx
• odt
• ods
• odp
• msg
• eml
• apk
• ipa
• exe
• dll
• dmg
• iso
• vmdk
• vhd
• tgz
• 7z
• zip
• tar
• rar
• bak
• db
• mdb
• sqlite
• hdf5
• parquet
• avro
• etl
• pfx
• cer
• pem
• csr
• key
• pgp
• kdbx
• gpg
• tar.gz
• xz
• dbf
• tiff
• raw
• ai
• psd
• indd
• eps
• svg
• dwg
• dxf
• fla
• flv
• mov
• mp4
• avi
• mkv
• mp3
• wav
• flac
• aac
• ogg
• wma
• webm
• m3u
• cue
• midi
• ps
• tex
• bib
• chm
• epub
• azw3
• fb2
• djvu
• opf
• xps
• jar
• war
• ear
• pdb
• msi
• deb
• rpm
• vcs
• git
• svn
• nfs
• bin
• bkp
• lst
• dat
• png

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.funksec

It drops the following file(s) as ransom note:

• {malware filepath}\README-{10 random alphanumeric}.md