Ransom.Win32.BLACKCAT.SMYXBLK

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• "%System%\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2L:1"
• "%System%\cmd.exe" /c "fsutil behavior set SymlinkEvaluation R2R:1"
• "%System%\cmd.exe" /c "iisreset.exe /stop"
• "%System%\cmd.exe" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
• "%System%\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet"
• "%System%\cmd.exe" /c "arp -a"
• "%System%\cmd.exe" /c "cmd.exe /c for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\""
• "%System%\cmd.exe" /c "vssadmin.exe delete shadows /all /quiet"
• "%System%\cmd.exe" /c "bcdedit /set {default}"
• "%System%\cmd.exe" /c "bcdedit /set {default} recoveryenabled No"

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Other System Modifications

This Ransomware adds the following registry entries:

HKCU\Control Panel\Desktop
Wallpaper = %Desktop%\RECOVER-cygzsl2-FILES.txt.png

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
Owner = {Hex Values} → Deletes afterwards

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
Sequence = 1 → Deletes afterwards

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
RegFiles0000 = {FilePath\{FileName} → Deletes afterwards

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
RegFilesHash = {Hex Values} → Deletes afterwards

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000
SessionHash = {Hex Values} → Deletes afterwards

Process Termination

This Ransomware terminates the following services if found on the affected system:

• mepocs
• memtas
• veeam
• svc$
• backup
• sql
• vss
• msexchange
• sql$
• mysql
• mysql$
• sophos
• MSExchange
• MSExchange$
• WSBExchange
• PDVFSService
• BackupExecVSSProvider
• BackupExecAgentAccelerator
• BackupExecAgentBrowser
• BackupExecDiveciMediaService
• BackupExecJobEngine
• BackupExecManagementService
• BackupExecRPCService
• GxBlr
• GxVss
• GxClMgrS
• GxCVD
• GxCIMgr
• GXMMM
• GxVssHWProv
• GxFWD
• SAPService
• SAP
• SAP$
• SAPD$
• SAPHostControl
• SAPHostExec
• QBCFMonitorService
• QBDBMgrN
• QBIDPService
• AcronisAgent
• VeeamNFSSvc
• VeeamDeploymentService
• VeeamTransportSvc
• MVArmor
• MVarmor64
• VSNAPVSS
• AcrSch2Svc

It terminates the following processes if found running in the affected system's memory:

• agntsvc
• dbeng50
• dbsnmp
• encsvc
• excel
• firefox
• infopath
• isqlplussvc
• msaccess
• mspub
• mydesktopqos
• mydesktopservice
• notepad
• ocautoupds
• ocomm
• ocssd
• onenote
• oracle
• outlook
• powerpnt
• sqbcoreservice
• sql
• steam
• synctime
• tbirdconfig
• thebat
• thunderbird
• visio
• winword
• wordpad
• xfssvccon
• *sql*
• bedbh
• vxmon
• benetns
• bengien
• pvlsvr
• beserver
• raw_agent_svc
• vsnapvss
• CagService
• QBIDPService
• QBDBMgrN
• QBCFMonitorService
• SAP
• TeamViewer_Service
• TeamViewer
• tv_w32
• tv_x64
• CVMountd
• cvd
• cvfwd
• CVODS
• saphostexec
• saposcol
• sapstartsrv
• avagent
• avscc
• DellSystemDetect
• EnterpriseClient
• VeeamNFSSvc
• VeeamTransportSvc
• VeeamDeploymentSvc

Other Details

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
RestartManager\Session0000

It does the following:

• Accepts the following arguments:
  
  • --access-token Access Token
  • --bypass ...
  • --child Run as child process
  • --drag-and-drop Invoked with drag and drop
  • --drop-drag-and-drop-target Drop drag and drop target batch file
  • --extra-verbose Log more to console
  • -h, --help Print help information
  • --log-file Enable logging to specified file
  • --no-net Do not discover network shares on Windows
  • --no-prop Do not self propagate(worm) on Windows
  • --no-prop-servers ... Do not propagate to defined servers
  • --no-vm-kill Do not stop VMs on ESXi
  • --no-vm-kill-names ... Do not stop defined VMs on ESXi
  • --no-vm-snapshot-kill Do not wipe VMs snapshots on ESXi
  • --no-wall Do not update desktop wallpaper on Windows
  • -p, --paths ... Only process files inside defined paths
  • --propagated Run as propagated process
  • --ui Show user interface
    
  • -v, --verbose Log to console
• Terminate Esxi VMs
• Clear event logs
• It uses PsExec to propagate

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• desktop.ini
• autorun.inf
• ntldr
• bootsect.bak
• thumbs.db
• boot.ini
• ntuser.dat
• iconcache.db
• bootfont.bin
• ntuser.ini
• ntuser.dat.log

It avoids encrypting files found in the following folders:

• system volume information
• intel
• $windows.~ws
• application data
• $recycle.bin
• mozilla
• $windows.~bt
• public
• msocache
• windows
• default
• all users
• tor browser
• programdata
• boot
• config.msi
• google
• perflogs
• appdata
• windows.old

It appends the following extension to the file name of the encrypted files:

• .cygzsl2

It drops the following file(s) as ransom note:

• {Infected Directory}\RECOVER-cygzsl2-FILES.txt
  
• %Desktop%\RECOVER-cygzsl2-FILES.txt.png -- Set as wallpaper
  

It avoids encrypting files with the following file extensions:

• themepack
• nls
• diagpkg
• msi
• lnk
• exe
• cab
• scr
• bat
• drv
• rtp
• msp
• prf
• msc
• ico
• key
• ocx
• diagcab
• diagcfg
• pdb
• wpx
• hlp
• icns
• rom
• dll
• msstyles
• mod
• ps1
• ics
• hta
• bin
• cmd
• ani
• 386
• lock
• cur
• idx
• sys
• com
• deskthemepack
• shs
• ldf
• theme
• mpa
• nomedia
• spl
• cpl
• adv
• icl
• msu