RANSOM_DISKDOC.THFOEAH

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It encrypts files found in specific folders. It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following copies of itself into the affected system and executes them:

• %Application Data%\Local Security Authority Process.exe

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It drops the following files:

• %User Profile%\HOW TO RECOVER ENCRYPTED FILES.TXT
• {Encrypted directory}\HOW TO RECOVER ENCRYPTED FILES.TXT

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following processes:

• mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('{malware filename}');close()}catch(e){}},10) -> delete malware copy
• mshta.exe "javascript:o=new ActiveXObject('WScript.Shell');x=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{i=x.GetFile('Local Security Authority Process.exe').Path;o.RegWrite('HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\JMAHRDUU',i);}catch(e){}},10) -> create auto-run registry
• cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0 -> deletes all the system state backups
• cmd.exe /c wmic SHADOWCOPY DELETE -> deletes shadow copies
• cmd.exe /c vssadmin Delete Shadows /All /Quiet -> deletes shadow copies
• cmd.exe /c bcdedit /set {default} recoveryenabled No -> disable Windows Recovery option
• cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures -> disable system's trigger to call the Error Recovery screen on startup
• %System%\cmd.exe /c start /max notepad.exe "%UserProfile%\HOW TO RECOVER ENCRYPTED FILES.TXT" -> display ransom note
• mshta.exe "javascript:o=new ActiveXObject('Scripting.FileSystemObject');setInterval(function(){try{o.DeleteFile('%Application Data%\Local Security Authority Process.exe');close()}catch(e){}},10) -> delete malware copy

(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• JMAHRDUU

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
JMAHRDUU = notepad.exe "%User Profile%\HOW TO RECOVER ENCRYPTED FILES.TXT"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\RunOnce
JMAHRDUU = %Application Data%\Local Security Authority Process.exe

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_CURRENT_USER\Software\JMAHRDUU
idle = 1

HKEY_CURRENT_USER\Software\{5-random characters #1}
{5-random characters #2} = "o=new ActiveXObject("WScript.Shell");o.Run("cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0",0);o.Run("cmd.exe /c wmic SHADOWCOPY DELETE",0);o.Run("cmd.exe /c vssadmin Delete Shadows /All /Quiet",0);o.Run("cmd.exe /c bcdedit /set {default} recoveryenabled No",0);o.Run("cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures",0)"

HKEY_CURRENT_USER\Software\JMAHRDUU
temp = {Encrypted malicious code}

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• isqlplussvc.exe
• ncsvc.exe
• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlserver.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• mydesktopqos.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exeagntsvc.exe
• agntsvc.exeencsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe
• agntsvc.exe
• isqlplussvc.exe
• ncsvc.exe
• msftesql.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlserver.exe
• sqlwriter.exe
• oracle.exe
• ocssd.exe
• dbsnmp.exe
• synctime.exe
• mydesktopqos.exe
• agntsvc.exe
• isqlplussvc.exe
• xfssvccon.exe
• mydesktopservice.exe
• ocautoupds.exe
• agntsvc.exe
• encsvc.exe
• firefoxconfig.exe
• tbirdconfig.exe
• ocomm.exe
• mysqld.exe
• mysqld-nt.exe
• mysqld-opt.exe
• dbeng50.exe
• sqbcoreservice.exe

Ransomware Routine

This Ransomware encrypts files found in the following folders:

• {Fixed drives}
• {Remote drives}
• {Shared Folders}
• Microsoft\Exchange Server
• Microsoft SQL Server
• Firebird
• MSSQL.1
• Microsoft SQL Server CompactEdition
• Adobe
• Oracle

It avoids encrypting files with the following strings in their file path:

• :\$RECYCLE.BIN\
• \All Users\
• \AppData\
• \Application Data\
• :\Program Files (x86)\
• :\Program Files\
• :\System VolumeInformation\
• :\Windows\
• :\intel\
• :\nvidia\

It appends the following extension to the file name of the encrypted files:

• .DiskDoctor

It drops the following file(s) as ransom note:

• {Encrypted directory}\HOW TO RECOVER ENCRYPTED FILES.TXT